Thread: Remote LDAP query failing

  1. #1 mjs

    I'm trying to perform an LDAP query against our Zimbra server from a workstation on the same LAN, but the connection is refused. I've tried telnet to port 389 and that fails as well. From the Zimbra server, connections to localhost on port 389 work, but to the local IP will fail. It seems this is just a simple config issue, but I can't find anywhere to tell it to allow queries from anywhere but localhost.
    I've also checked IP tables, and it is wide open.

    Thanks

  2. #2 djve

    I'm going to assume you can ssh into the Zimbra machine and haven't been using a console, ergo networking is basically OK.

    On the Zimbra server does 'ps -ef |grep slapd' return something like:
    /opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://zimbratest.xxx.com:389 -f /opt/zimbra/conf/slapd.conf

    And have you checked the address with IP config? I normally find I have a typo on these sorts of commands.

    You may want to check out the man page for slapd.access and check the slapd.conf file for IP restrictions. If you have LDAP queries restricted by IP you should check your config. I don't know where the slapd.conf file gets updated by the admin commands but this should help find what's wrong as a first step.

  3. #3 mjs

    Yes I can ssh. All other ports are responding as well. This server is in full production.

    ps -ef returns:
    zimbra 20467 1 0 08:25 ? 00:00:27 /opt/zimbra/openldap-2.3.21/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://localhost.localdomain -f /opt/zimbra/conf/slapd.conf

    I've looked in slapd.conf, but I don't see anything regarding connection restrictions. The man page doesn't seem to have anything relevant either.

    There isn't a slapd.access file. Quoting from the slapd.access man page: "If no access controls are present, the default policy allows anyone and everyone to read anything but restricts updates to rootdn." So it doesn't seem that's the issue either.

    Thanks


  4. #4 djve

    I just tried my test machine (we're still evaluating Zimbra).

    I get the same issue:

    telnet zimbratest.xxx.com 389
    Trying 10.150.1.170...
    telnet: connect to address 10.150.1.170: Connection refused

    and I know my system is running. And my other replicas are talking.

    I'm using the rPath appliance and ssh and apache/tomcat is fine.

    So I'm going to dig into this today but it's obviously how Zimbra sets up its LDAP services.

  5. #5 djve

    Got it. It's in the slapd man page.

    When slapd is started with "-h" it'll bind only to the addresses supplied. I use "ldap:///" on my replicas and that binds to all addresses. It's been months since I last looked at this so I'd forgotten it.
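Added example, not code from the thread or from Zimbra: a small Python audit that takes the slapd line from `ps -ef` output, pulls out the `-h` listener URLs and reports whether each one binds loopback only, one specific address, every interface, or a Unix socket, which is the check djve describes above. The sample line is mjs's from post #3; the classification rules are my reading of slapd(8), and the function names are my own.

```python
"""Audit where a Zimbra/OpenLDAP slapd is listening, from its `ps -ef` line."""
import shlex
from urllib.parse import urlsplit

# Constructed sample: the slapd process line mjs posted in this thread (post #3).
SAMPLE_PS_LINE = (
    "zimbra 20467 1 0 08:25 ? 00:00:27 /opt/zimbra/openldap-2.3.21/libexec/slapd "
    "-l LOCAL0 -4 -u zimbra -h ldap://localhost.localdomain -f /opt/zimbra/conf/slapd.conf"
)

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "::1"}


def slapd_listen_urls(ps_line):
    """Return the listener URLs given to slapd via -h (no -h means ldap:///, per slapd(8))."""
    tokens = shlex.split(ps_line)
    if "-h" not in tokens:
        return ["ldap:///"]
    i = tokens.index("-h") + 1
    urls = []
    # -h takes a single (possibly quoted) argument; ps drops the quotes, so a
    # space-separated URL list shows up as several tokens before the next option.
    while i < len(tokens) and not tokens[i].startswith("-"):
        urls.extend(tokens[i].split())
        i += 1
    return urls


def classify_url(url):
    """Classify one listener URL: unix-socket, loopback-only, all-interfaces or specific-address."""
    parts = urlsplit(url)
    if parts.scheme == "ldapi":
        return "unix-socket"            # filesystem socket, never reachable over TCP
    host = parts.hostname               # None for ldap:///, i.e. bind every address
    if not host or host in ("0.0.0.0", "::"):
        return "all-interfaces"
    if host in LOOPBACK_NAMES or host.startswith("127."):
        return "loopback-only"          # the case in this thread
    return "specific-address"           # e.g. ldap://zimbratest.xxx.com:389


def audit(ps_line):
    """Map each listener URL on the ps line to its bind scope."""
    return {url: classify_url(url) for url in slapd_listen_urls(ps_line)}


def accepts_remote_tcp(ps_line):
    """True if any listener could take LDAP from another host (firewalling aside)."""
    return any(k in ("all-interfaces", "specific-address") for k in audit(ps_line).values())


if __name__ == "__main__":
    for url, kind in audit(SAMPLE_PS_LINE).items():
        print(f"{url:40} {kind}")
    print("remote TCP clients possible:", accepts_remote_tcp(SAMPLE_PS_LINE))
```

Run it with the output of `ps -ef | grep slapd` pasted into SAMPLE_PS_LINE; a "loopback-only" result explains a "Connection refused" from any other host before you go looking at iptables or slapd.conf.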

  6. #6 djve

    And the startup is hardwired into the script .../zibra/bin/ldap. $my_url comes from $ldap_url. These variables come from a java call that I haven't got time to debug.

    In consideration this makes sense from a security standpoint. Many people running Zimbra are running the stack in a DMZ or in a semi-open network. If people have access to the port then they can keep hammering on the LDAP daemon until they crack it and download the details of users and compromise the accounts.

    So the Zimbra people have done the right thing, just unexpected for those of us used to running LDAP by itself.

  7. #7 mjs

    Makes sense, but mine is behind a firewall so there is not much chance of LDAP getting exposed. The reason I need to query it from an external source is that we use an IronPort spam filter front end server. Its only method of address validation is via LDAP queries.

    So there is no way to remove this -h parameter?

  8. #8 djve

    Yes, you can remove the parameter. But the next upgrade would put it back. Look at the ldap script. So I wouldn't go that way.

    I'd ask someone from Zimbra if there is a recommended method. Check the wiki first to see if someone has solved this for you.

  9. #9 mjs

    I'll take a look. Thanks
