LDAP: Can't contact LDAP server

wouterzzzzz · #1 21st February 2007, 09:05 AM

Hi all,
I'm trying to get an LDAP server up and running, nut I'm having some trouble accessing it from "the outside world". Everything seems to work locally (I can add stuff, search it, it returns results etc). Only when I try to do this from another computer, it keeps saying:
ldap_bind: Can't contact LDAP server (-1)

I changed my ldap.conf to include my host, my netstat seems to be fine:
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 :::389 :::* LISTEN

I use this command to search:
ldapsearch -h correct.hostname -D -v "cn=Manager,dc=example" -x -W -b "dc=example" mail

In my hosts.allow I added slapd: ALL and ldap: ALL. Still, it refuses to connect. Who can help me?
Thanks!
Wouter

duanecu · #2 21st February 2007, 02:32 PM

My first thought would be to check the firewall and SELinux settings.

wouterzzzzz · #3 21st February 2007, 02:36 PM

Since I consider myself still a newbie: what should I be looking for regarding OpenLDAP and my firewall/ SELinux settings?

wouterzzzzz · #4 22nd February 2007, 10:22 AM

Ok, so I added the port for LDAP to the firewall settings and now it works. But is this the right way to do it, or am I exposing myself to hack attempts by doing this?

duanecu · #5 22nd February 2007, 01:20 PM

I'm not security expert myself, but as long as you've only updated the firewall settings just enough to allow OpenLDAP to do its basic operation that you need - then you should be fine. That way, you're relying on OpenLDAP to secure that port. It sounds scary, but OpenLDAP will provide its own security updates.

At lease that's how I've come to think of it (not an LDAP admin ... yet). Anyone else have better/more advice?

ibbo · #6 22nd February 2007, 01:51 PM

If you definately need to hook up form outside your subnet you have few options but to open your port in your firewall.
However as you also use tcpwrappers (hosts.allow etc) you can use that to allow only connections from your machine.

So
hosts.deny
ALL:ALL

hosts.allow
slapd: your-host-ip. or ALL: your-host-ip (as you know your safe)

This at least will reject all access to your machine bar ldap request coming from your computer outside of the subnet.
You should be safe (though don't be complacent and ccheck check check).

Ibbo

wouterzzzzz · #7 22nd February 2007, 02:44 PM

Thanks for the answer, but since I want to be able to explore my address book from multiple computers, I do not have a single "your-host-ip" to add to the hosts.allow. Though a thing I might do of course is change the default port of LDAP to make it less obvious.

mohit_fedora · #8 16th March 2007, 10:34 AM

Hi I am new to LDAP. I've configured openldap server as per guided in linuxhomenetworking.com. I am not able to connect to Ldap server which is at FC-3 with Ldap client which is at FC-5.

Is it necessary to use same versions of Fedora Core on both client & server.
I am getting the following error in /var/log/messages on client ldap:
nss_ldap: failed to bind to ldap server to ldap

Please suggest....Thanks a lot