Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1
Old 05-05-2009, 12:36 AM
Loyal Member
Posts: 95
Can't connect to zimbra ldap from different machine

I'm trying to set up a zimbra samba authentication for a file server that is on the local network, but not the host of the zimbra ldap.

When I try to connect to a samba share on the file server, the file server can't connect to the zimbra ldap to authenticate. In the samba log files for the desktop that is connecting I get the following:

Code:
[2009/05/05 17:14:58,  0] lib/smbldap.c:smb_ldap_start_tls(600)
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2009/05/05 17:14:58,  1] lib/smbldap.c:another_ldap_try(1175)
  Connection to LDAP server failed for the 1 try!
log.wb-DOMAIN:
Code:
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2009/05/05 17:17:44,  3] winbindd/winbindd_misc.c:winbindd_dual_list_trusted_domains(367)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
and log.winbindd-idmap
Code:
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2009/05/05 09:48:48,  1] winbindd/idmap_tdb.c:idmap_tdb_alloc_init(341)
  idmap uid or idmap gid missing
[2009/05/05 09:48:48,  0] winbindd/idmap.c:idmap_alloc_init(587)
  ERROR: Initialization failed for alloc backend, deferred!
[2009/05/05 09:48:48,  3] winbindd/idmap.c:idmap_new_mapping(693)
  Could not allocate id: NT_STATUS_UNSUCCESSFUL
and auth.log
Code:
May  5 17:07:15 server1 sshd[19998]: reverse mapping checking getaddrinfo for mhawkins-acer.medalist.com.au [192.168.2.112] failed - POSSIBLE BREAK-IN ATTEMPT!
May  5 17:07:18 server1 sshd[19998]: pam_ldap: ldap_simple_bind Can't contact LDAP server
May  5 17:07:18 server1 sshd[19998]: pam_ldap: reconnecting to LDAP server...
May  5 17:07:18 server1 sshd[19998]: pam_ldap: ldap_simple_bind Can't contact LDAP server
May  5 17:07:18 server1 sshd[19998]: Accepted password for root from 192.168.2.112 port 37790 ssh2
May  5 17:07:18 server1 sshd[19998]: pam_unix(sshd:session): session opened for user root by (uid=0)
What I can't figure out is what to check on the zimbra server side to see what is causing it not to connect, and not even sure which log file would contain the attempted connections.

The zimbra server is Ubuntu 8.04 and the fileserver is 9.04.

I've tried stopping apparmor on both servers just in case, but that doesn't seem to be the issue. I haven't changed any of the apparmor profiles or installed new ones, so I don't think it should have any effect.

I'm also trying to test the connection from a desktop using ldapsearch, but I'm not quite sure of the syntax. Can anyone give a simple syntax to test a connection? Also, what user can I use to connect to the LDAP database? Is it possible to use one of the admin accounts?

Thanks
__________________
Mark Hawkins

Medalist
#2
Old 05-05-2009, 12:58 AM
Moderator
Posts: 7,928

[SOLVED] LDAP bind, not access from lan IP
#3
Old 05-05-2009, 02:17 PM
Loyal Member
Posts: 95

uboxd

Thanks so much for the reply. Before I go blindly making changes to the ldap start script as bart did, can I confirm with you that the issue is the same? My zmlocalconfig does not seem to be restricted to localhost:

Code:
ldap_bind_url = 
ldap_master_url = ldap://mail.medalist.com.au:389
ldap_url = ldap://mail.medalist.com.au:389
What exactly does Konstantin's iptables setting do?
__________________
Mark Hawkins

Medalist
#4
Old 05-06-2009, 03:22 PM
Zimbra Employee
Posts: 580

Did you make the CA cert available to your other systems? Generally startTLS failures are because the system can't verify the cert provided by the LDAP server. Does using ldapsearch from the remote system with the -ZZZ option work?
__________________
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
#5
Old 05-06-2009, 08:38 PM
Loyal Member
Posts: 95
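The check Quanah suggests, broken into its stages, as an added example that is not from this thread or from Zimbra: a stdlib-only Python script that opens the TCP connection (where samba's "Can't contact LDAP server" would surface), sends the LDAP StartTLS extended request by hand, reads the server's result code, and only then verifies the server certificate against a CA file, so the reported stage tells you whether the problem is reachability, the server refusing StartTLS, or an untrusted cert. It does the same work as `ldapsearch -ZZ` with the CA configured, but reports which step failed; host and the CA file path are placeholders you supply.

```python
import socket
import ssl

# RFC 4511 StartTLS extended operation OID.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def build_starttls_request(msg_id=1):
    """Hand-encode LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    oid = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    ext = b"\x77" + bytes([len(oid)]) + oid                      # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                   # SEQUENCE


def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from a short-form ExtendedResponse (tag 0x78)."""
    if data[:1] != b"\x30" or data[1] & 0x80:
        raise ValueError("not a short-form LDAPMessage")
    pos = 2
    pos += 2 + data[pos + 1]            # skip messageID INTEGER
    if data[pos] != 0x78:
        raise ValueError("not an ExtendedResponse")
    pos += 2
    code = data[pos + 2]                # resultCode ENUMERATED
    pos += 2 + data[pos + 1]
    pos += 2 + data[pos + 1]            # skip matchedDN OCTET STRING
    diag = data[pos + 2:pos + 2 + data[pos + 1]]  # diagnosticMessage
    return code, diag.decode("utf-8", "replace")


def check_starttls(host, port=389, cafile=None, timeout=5):
    """Classify where a StartTLS session to host:port breaks; cafile = CA that signed the server cert."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)          # the "Can't contact LDAP server" case
    with sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            return "starttls-refused", f"resultCode={code} {diag}"
        ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.version()
        except ssl.SSLCertVerificationError as exc:
            return "cert-verify-failed", str(exc)   # cert not signed by cafile, or name mismatch
        except ssl.SSLError as exc:
            return "tls-error", str(exc)
```

Run it as `check_starttls("mail.example.com", cafile="/path/to/zimbra-ca.pem")` (placeholder values) from the file server; a "cert-verify-failed" result is the case Quanah describes, and copying the Zimbra CA certificate to the client fixes it, while "unreachable" points at the network or firewall instead.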

I didn't explicitly make the cert available to other systems, so unless it's a default setting then no. I don't know how to make the certificate available, but I'll do some searching to learn more and see if I can find out how.

I have not fixed my problem yet, but I have come part way there. I have 2 NICs in each machine and to reduce the load on the network and increase the speed between the two servers I connected them directly to each other on the spare NICs. I gave them each an ip on a slightly different subnet and changed the hosts files on each so that each machine would know to use the private subnet address without any other machine on the network trying to use the private network.

This seemed to work fine for everything else, but not for ldap. I tried changing the ldap_bind_address and also removing the '-h' option as per the other post, but that didn't seem to help, so I ended up removing the private addresses from the hosts file. This did fix it, but of course there's no benefit to the direct connection anymore.

I still can't get samba on the fileserver to authenticate against the zimbra server, but there are no more ldap errors and getent groups and getent passwds both work properly. I think my problem is with winbind on the fileserver, but I'll need to do some more digging first.
__________________
Mark Hawkins

Medalist