#1  06-28-2007, 07:23 AM
mjs (Junior Member)
Remote LDAP query failing

I'm trying to perform an LDAP query against our Zimbra server from a workstation on the same LAN, but the connection is refused. I've tried telnet to port 389 and that fails as well. From the Zimbra server, connections to localhost on port 389 work, but to the local IP will fail. It seems this is just a simple config issue, but I can't find anywhere to tell it to allow queries from anywhere but localhost.
I've also checked iptables, and it is wide open.

Thanks
#2  06-28-2007, 08:13 AM
djve (Senior Member)

I'm going to assume you can ssh into the Zimbra machine and haven't been using a console, ergo networking is basically OK.

On the Zimbra server does 'ps -ef |grep slapd' return something like:
/opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://zimbratest.xxx.com:389 -f /opt/zimbra/conf/slapd.conf

And have you checked the address with IP config? I normally find I have a typo on these sort of commands.

You may want to check out the man page for slapd.access and check the slapd.conf file for IP restrictions. If you have LDAP queries restricted by IP you should check your config. I don't know where the slapd.conf file gets updated by the admin commands but this should help find what's wrong as a first step.
#3  06-28-2007, 08:33 AM
mjs (Junior Member)

Yes I can ssh. All other ports are responding as well. This server is in full production.

ps -ef returns:
zimbra 20467 1 0 08:25 ? 00:00:27 /opt/zimbra/openldap-2.3.21/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://localhost.localdomain -f /opt/zimbra/conf/slapd.conf

I've looked in slapd.conf, but I don't see anything regarding connection restrictions. The man page doesn't seem to have anything relevant either.

There isn't a slapd.access file. Quoting from the slapd.access man page: "If no access controls are present, the default policy allows anyone and everyone to read anything but restricts updates to rootdn." So it doesn't seem that's the issue either.

Thanks

Quote: Originally Posted by djve
I'm going to assume you can ssh into the Zimbra machine and haven't been using a console, ergo networking is basically OK.

On the Zimbra server does 'ps -ef |grep slapd' return something like:
/opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://zimbratest.xxx.com:389 -f /opt/zimbra/conf/slapd.conf

And have you checked the address with IP config? I normally find I have a typo on these sort of commands.

You may want to check out the man page for slapd.access and check the slapd.conf file for IP restrictions. If you have LDAP queries restricted by IP you should check your config. I don't know where the slapd.conf file gets updated by the admin commands but this should help find what's wrong as a first step.
#4  06-28-2007, 08:53 AM
Senior Member

I just tried my test machine (we're still evaluating Zimbra).

I get the same issue:

telnet zimbratest.xxx.com 389
Trying 10.150.1.170...
telnet: connect to address 10.150.1.170: Connection refused

and I know my system is running. And my other replicas are talking.

I'm using the rPath appliance, and ssh and apache/tomcat are fine.

So I'm going to dig into this today, but it's obviously how Zimbra sets up its LDAP services.
#5  06-28-2007, 09:07 AM
Senior Member

Got it. It's in the slapd man page.

When slapd is started with "-h" it'll bind only to the addresses supplied. I use "ldap:///" on my replicas and that binds to all addresses. It's been months since I last looked at this so I'd forgotten it.
#6  06-28-2007, 09:25 AM
Senior Member

And the startup is hardwired into the script .../zimbra/bin/ldap. $my_url comes from $ldap_url. These variables come from a java call that I haven't got time to debug.

In consideration this makes sense from a security standpoint. Many people running Zimbra are running the stack in a DMZ or in a semi-open network. If people have access to the port then they can keep hammering on the LDAP daemon until they crack it and download the details of users and compromise the accounts.

So the Zimbra people have done the right thing, just unexpected for those of us used to running LDAP by itself.
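An added example, not from the thread or from Zimbra: a POSIX shell check that pulls the URL list given to slapd's -h option out of a command line as printed by 'ps -ef' and classifies each listener as loopback-only, all-interfaces or a named host, so the loopback-only binding described above can be confirmed (or flagged, if it has been changed) on a host rather than read by eye. The sample command line is constructed from the ps output quoted earlier in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): report which addresses a running slapd
# will accept connections on, by reading the URL list given to its -h option.
# Function names are invented for this example.

# Classify one LDAP URL from slapd's -h list.
# Prints: all-interfaces | loopback-only | host:<name> | socket | unknown
classify_ldap_url() {
    case "$1" in
        ldapi:*)             echo socket;  return 0 ;;   # UNIX domain socket
        ldap://*|ldaps://*)  ;;
        *)                   echo unknown; return 0 ;;
    esac
    hostport=${1#*://}            # strip the scheme
    hostport=${hostport%%/*}      # drop any trailing path (ldap:/// -> empty host)
    host=${hostport%%:*}          # drop :port
    case "$host" in
        "")                                            echo all-interfaces ;;
        localhost|localhost.localdomain|127.0.0.1|::1)  echo loopback-only ;;
        *)                                             echo "host:$host" ;;
    esac
}

# Walk a slapd command line (e.g. one line of 'ps -ef' output) and print
# one "<url> <scope>" line per URL that follows -h, until the next option.
slapd_listen_report() (
    set -f                        # no globbing: a ps line contains '?' and may contain '*'
    in_h=0
    for tok in $1; do
        case "$tok" in
            -h)    in_h=1 ;;
            -*)    in_h=0 ;;      # any other option ends the -h URL list
            *://*) if [ "$in_h" -eq 1 ]; then
                       echo "$tok $(classify_ldap_url "$tok")"
                   fi ;;
        esac
    done
    return 0
)

# Exit 0 if at least one listener would accept connections from other hosts.
slapd_listens_remotely() {
    slapd_listen_report "$1" | grep -q -e ' all-interfaces$' -e ' host:'
}

# Constructed sample, modelled on the ps output quoted in the thread.
SAMPLE='zimbra 20467 1 0 08:25 ? 00:00:27 /opt/zimbra/openldap-2.3.21/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://localhost.localdomain -f /opt/zimbra/conf/slapd.conf'
slapd_listen_report "$SAMPLE"
if slapd_listens_remotely "$SAMPLE"; then echo "LDAP reachable from the LAN"; else echo "LDAP loopback-only"; fi
```

Feed it the real slapd line from 'ps -ef | grep slapd' on the server; a "loopback-only" result explains the refused connection from the LAN exactly as in this thread.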
#7  06-28-2007, 09:42 AM
mjs (Junior Member)

Makes sense, but mine is behind a firewall so there is not much chance of ldap getting exposed. The reason I need to query it from an external source is that we use an IronPort spam filter front end server. Its only method of address validation is via ldap queries.

So there is no way to remove this -h parameter?
#8  06-28-2007, 09:55 AM
Senior Member

Yes, you can remove the parameter. But the next upgrade would put it back. Look at the ldap script. So I wouldn't go that way.

I'd ask someone from Zimbra if there is a recommended method. Check the wiki first to see if someone has solved this for you.
#9  06-28-2007, 10:02 AM
mjs (Junior Member)

I'll take a look. Thanks