I am installing openldap for the first time and having some difficulties getting it working on remote networks. I have been able to have it work perfectly inside a network, but unable to get two other networks communicating properly. This is surely a newbie question, but I have not been able to find the problem.
I am running a Fedora Core 5 system with iptables opened for port 389, I have SELinux set to permissive, and I have the firewall opened to every port on the specified remote IP addresses (replaced with "##.##.##.##" below).
Would appreciate your help.
Greg Ennis
My log entry for a network successful connection is as follows:
May 20 16:05:59 DeGw slapd[20378]: daemon: activity on 1 descriptor
May 20 16:05:59 DeGw slapd[20378]: daemon: activity on:
May 20 16:05:59 DeGw slapd[20378]:
May 20 16:05:59 DeGw slapd[20378]: >>> slap_listener(ldap:///)
May 20 16:05:59 DeGw slapd[20378]: daemon: listen=8, new connection on 12
May 20 16:05:59 DeGw slapd[20378]: daemon: added 12r (active) listener=(nil)
May 20 16:05:59 DeGw slapd[20378]: conn=2 fd=12 ACCEPT from IP=10.0.0.12:41669 (IP=0.0.0.0:389)
May 20 16:05:59 DeGw slapd[20378]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
....................................
...................................
My log entry for a remote connect failure is as follows:
May 20 15:20:05 DeGw slapd[20378]: daemon: activity on 1 descriptor
May 20 15:20:05 DeGw slapd[20378]: daemon: activity on:
May 20 15:20:05 DeGw slapd[20378]:
May 20 15:20:05 DeGw slapd[20378]: >>> slap_listener(ldap:///)
May 20 15:20:05 DeGw slapd[20378]: daemon: listen=8, new connection on 12
May 20 15:20:05 DeGw slapd[20378]: fd=12 DENIED from unknown (##.###.##.###)
May 20 15:20:05 DeGw slapd[20378]: daemon: closing 12
May 20 15:20:05 DeGw slapd[20378]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 20 15:20:05 DeGw slapd[20378]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Gregory P. Ennis wrote:
> I am installing openldap for the first time and having some difficulties getting it working on remote networks. I have been able to have it work perfectly inside a network, but unable to get two other networks communicating properly. This is surely a newbie question, but I have not been able to find the problem.
> I am running a Fedora Core 5 system with iptables opened for port 389, I have SELinux set to permissive, and I have the firewall opened to every port on the specified remote IP addresses (replaced with "##.##.##.##" below).
Have a look at tcpwrappers (/etc/hosts.allow & /etc/hosts.deny). Note that building slapd with TCP wrappers support is not recommended, as IPs can be (easily?) spoofed.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
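Pierangelo's pointer above is to the tcp_wrappers check that slapd performs when it is built with that support: on every accepted connection it asks hosts_access(5) whether the daemon name `slapd` may talk to the peer, and the `fd=12 DENIED from unknown (...)` line in the first message is what slapd logs when that check rejects the peer. The `unknown` is the hostname slot, filled in when slapd has no reverse-resolved name for the client, so only address-based patterns in hosts.allow can match such a peer. What follows is an added example, not OpenLDAP or tcp_wrappers code: a small Python evaluator for the hosts.allow / hosts.deny decision (a subset of the hosts_access(5) patterns) run over constructed sample files. It shows a LAN-only entry accepting the 10.0.0.12 client from the ACCEPT line while denying a client on another network, the same remote client accepted once its network is listed, and a hostname-suffix entry that can never match a peer slapd reports as `unknown`. The 192.0.2.0/24 and 198.51.100.0/24 networks and the name ldapclient.example.org are made-up stand-ins for the masked addresses in the post.

```python
"""Evaluator for the tcp_wrappers access decision slapd makes per connection.

Added example, not OpenLDAP or tcp_wrappers code.  It implements a subset of
hosts_access(5): the daemon list and client list of each line, and the client
patterns ALL, KNOWN, UNKNOWN, an exact address or hostname, a dotted-decimal
prefix such as "10.0.0.", net/netmask such as "192.0.2.0/255.255.255.0",
net/prefixlen such as "192.0.2.0/24", and a leading-dot domain suffix such as
".example.org".  EXCEPT, LOCAL, PARANOID, IPv6 and the optional shell-command
field are not handled.
"""
import ipaddress

# The hostname string slapd passes to the wrapper check when it has no
# reverse-resolved name for the peer (this is what "DENIED from unknown" shows).
UNKNOWN = "unknown"


def _parse_list(text):
    """Split a daemon or client list on commas and whitespace."""
    return [tok for tok in text.replace(",", " ").split() if tok]


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples.

    Blank lines and '#' comments are ignored; a third ':' field (shell command)
    is ignored as well.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError("bad access-control line: %r" % raw)
        rules.append((_parse_list(parts[0]), _parse_list(parts[1])))
    return rules


def client_matches(pattern, hostname, address):
    """Does one client pattern match the peer (hostname, address)?

    hostname is UNKNOWN when the server had no reverse-resolved name; name-based
    patterns then cannot match, which is the failure mode behind many
    "DENIED from unknown" surprises.
    """
    addr = ipaddress.ip_address(address)
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return hostname != UNKNOWN
    if pattern == "UNKNOWN":
        return hostname == UNKNOWN
    if pattern.startswith("."):
        # domain suffix: only a resolved hostname can satisfy it
        return hostname != UNKNOWN and hostname.endswith(pattern)
    if pattern.endswith("."):
        # dotted-decimal prefix, e.g. "10.0.0." matches 10.0.0.x
        return address.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if "." in mask:  # net/netmask form
            network = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
        else:            # net/prefixlen form
            network = ipaddress.ip_network(pattern, strict=False)
        return addr in network
    # exact address or exact hostname
    return pattern == address or (hostname != UNKNOWN and pattern == hostname)


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def allowed(daemon, hostname, address, hosts_allow, hosts_deny):
    """hosts_access(5) decision order: the first matching line in hosts.allow
    grants access, otherwise the first matching line in hosts.deny denies it,
    otherwise access is granted (so with both files empty everything is let in)."""
    for rules, verdict in ((parse_rules(hosts_allow), True), (parse_rules(hosts_deny), False)):
        for daemons, clients in rules:
            if any(daemon_matches(d, daemon) for d in daemons) and \
               any(client_matches(c, hostname, address) for c in clients):
                return verdict
    return True


# Constructed sample files (not the poster's); documentation address ranges.
LAN_ONLY_ALLOW = "slapd: 10.0.0.\n"
DENY_ALL = "ALL: ALL\n"
REMOTE_ADDED_ALLOW = "slapd: 10.0.0., 192.0.2.0/255.255.255.0, 198.51.100.0/24\n"
HOSTNAME_ALLOW = "slapd: .example.org\n"


def demo():
    """Returns (lan_client, remote_before, remote_after, remote_by_name)."""
    lan = allowed("slapd", UNKNOWN, "10.0.0.12", LAN_ONLY_ALLOW, DENY_ALL)
    remote_before = allowed("slapd", UNKNOWN, "192.0.2.40", LAN_ONLY_ALLOW, DENY_ALL)
    remote_after = allowed("slapd", UNKNOWN, "192.0.2.40", REMOTE_ADDED_ALLOW, DENY_ALL)
    by_name = allowed("slapd", UNKNOWN, "192.0.2.40", HOSTNAME_ALLOW, DENY_ALL)
    return lan, remote_before, remote_after, by_name


if __name__ == "__main__":
    print(demo())
```

On the server itself the same question is answered against the real files by tcpdmatch(8) from the tcp_wrappers package, as `tcpdmatch slapd <client address>`, which prints which line of hosts.allow or hosts.deny matched and whether access is granted.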
On Mon, 2007-05-21 at 00:34 +0200, Pierangelo Masarati wrote:
> Have a look at tcpwrappers (/etc/hosts.allow & /etc/hosts.deny). Note that building slapd with TCP wrappers support is not recommended, as IPs can be (easily?) spoofed.
> p.
> Ing. Pierangelo Masarati OpenLDAP Core Team
Pierangelo,
Thanks for your help. I have hosts.allow letting everything in on the two other networks I am trying to connect to the ldap server. I already have iptables controlling access and really do not need hosts.allow. I have never tried to turn hosts.allow off... guess renaming the file or deleting it would do. However, I don't think this is a problem with hosts.allow, in that I am getting log information that demonstrates connection "DENIED" from ldap. Do you have other suggestions?
Greg
openldap-software@openldap.org