Cannot connect to LDAP from a client machine

[rcholcomb]

All,

I am running Zimbra 5.07 Open Source on Ubuntu 8.04 (using the custom release that is 'stickied' in this forum). I can't access my LDAP server from client machines. Here's some additional information.

Everything seems to be running fine:

Code:

zimbra@myhost:~$ zmcontrol status
Host myhost.domain.com
	antispam                Running
	antivirus               Running
	ldap                    Running
	logger                  Running
	mailbox                 Running
	mta                     Running
	snmp                    Running
	spell                   Running
	stats                   Running

If I run nmap from my Zimbra server, I see that the ldap port (389) is opened:

Code:

root@myhost:~# nmap 127.0.0.1

Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-04 16:35 PDT
Interesting ports on myhost (127.0.0.1):
Not shown: 1697 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
445/tcp  open  microsoft-ds
465/tcp  open  smtps
631/tcp  open  ipp
953/tcp  open  rndc
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
5901/tcp open  vnc-1
6001/tcp open  X11:1

However, if I do this from a remote machine, port 389 is not open:

Code:

zimbra@Server01:~$ nmap 192.168.3.5        

Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-04 17:02 PDT
Interesting ports on myhost.domain.com (192.168.3.5):
Not shown: 1701 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
5901/tcp open  vnc-1
6001/tcp open  X11:1

There isn't a firewall active on the Zimbra machine.

Any suggestions about why I cannot access the LDAP port from a client machine? Why does it seem to be hidden? Does LDAP bind to a specific IP address? How can I get it to bind to its actual IP address and not just localhost?

Thanks.

Rob

[phoenix]

Quote:

Originally Posted by rcholcomb

There isn't a firewall active on the Zimbra machine.

There's something blocking it unless theer has been a change to the IP that it's listening on. It should be listening on your LAN IP, I can connect to my Zimbra LDAP from any other machine. I'd also suggest you try a telnet or an ldapsearch to see if it really isn't listening. Unfortunately, that isn't a Zimbra build so I don't know if anything has been changed in it.

[uxbod]

Code:

netstat -an | grep 389

so we can see which IP it is bound on.

[rcholcomb]

When I attempt to connect to port 389 using telnet, I get a connection refused message:

Code:

~ telnet 192.168.3.5 389
Trying 192.168.3.5...
telnet: connect to address 192.168.3.5: Connection refused
telnet: Unable to connect to remote host

When I run 'netstat -an | grep 389' on the local machine I see this information:

Code:

root@Server01:~# netstat -an | grep 389
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:48854         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:51398         ESTABLISHED
tcp        0      0 127.0.0.1:49395         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:48854         ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:48886         ESTABLISHED
tcp        0      0 127.0.0.1:51398         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:51372         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:49399         ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:51374         ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:49397         ESTABLISHED
tcp        0      0 127.0.0.1:51374         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:51372         ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:51370         ESTABLISHED
tcp        0      0 127.0.0.1:48886         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:49395         ESTABLISHED
tcp        0      0 127.0.0.1:49397         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:49367         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:49399         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:49367         ESTABLISHED
tcp        0      0 127.0.0.1:51370         127.0.0.1:389           ESTABLISHED
unix  2      [ ]         DGRAM                    3890303

Thanks for your help!

Rob

[phoenix]

Is this running in a vserver (and if so, what is it) or on real hardware?

[rcholcomb]

It is real hardware -- a Dell server running Ubuntu 8.04.

[rcholcomb]

Any thoughts?

[santosh_rao99]

From the netstat it seems its only listening on loopback interface.
Can you send us the contents of /etc/hosts
and
zmlocalconfig | grep -i ldap

[ArcaneMagus]

I seem to be in the exact same situation here...trying to setup the Zimbra server to act as an authentication source and cant connect to the LDAP service from an external client. My /etc/hosts looks like:

Code:

127.0.0.1       localhost
127.0.1.1       email.pyxislab.com      email
192.168.1.6     email.pyxislab.com      email

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

and the output of zmlocalconfig | grep -i ldap is:

Code:

ldap_amavis_password = *
ldap_bind_url =
ldap_cache_account_maxage = 15
ldap_cache_account_maxsize = 20000
ldap_cache_cos_maxage = 15
ldap_cache_cos_maxsize = 100
ldap_cache_domain_maxage = 15
ldap_cache_domain_maxsize = 100
ldap_cache_group_maxage = 15
ldap_cache_group_maxsize = 200
ldap_cache_reverseproxylookup_domain_maxage = 15
ldap_cache_reverseproxylookup_domain_maxsize = 100
ldap_cache_reverseproxylookup_server_maxage = 15
ldap_cache_reverseproxylookup_server_maxsize = 100
ldap_cache_server_maxage = 15
ldap_cache_server_maxsize = 100
ldap_cache_timezone_maxsize = 100
ldap_cache_zimlet_maxage = 15
ldap_cache_zimlet_maxsize = 100
ldap_connect_pool_debug = false
ldap_connect_pool_initsize = 1
ldap_connect_pool_master = false
ldap_connect_pool_maxsize = 50
ldap_connect_pool_prefsize = 0
ldap_connect_pool_timeout = 120000
ldap_connect_timeout = 30000
ldap_deref_aliases = always
ldap_host = email.pyxislab.com
ldap_is_master = true
ldap_log_level = 49152
ldap_master_url = ldap://email.pyxislab.com:389
ldap_nginx_password = *
ldap_port = 389
ldap_postfix_password = *
ldap_read_timeout = 30000
ldap_replication_password = *
ldap_require_tls = false
ldap_root_password = *
ldap_starttls_supported = 1
ldap_url = ldap://email.pyxislab.com:389
postfix_sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
postfix_transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
postfix_virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
postfix_virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
postfix_virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
postfix_virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
zimbra_class_provisioning = com.zimbra.cs.account.ldap.LdapProvisioning
zimbra_ldap_password = *
zimbra_ldap_user = zimbra
zimbra_ldap_userdn = uid=zimbra,cn=admins,cn=zimbra
zimbra_zmprov_default_to_ldap = FALSE

Port 389 is bound to address 127.0.1.1 on my machine as well and I think that just removing the 127.0.1.1 line would fix my issue...but can't test until tonight.

[ArcaneMagus]

Ok verified that that has fixed it for me at least.
Port 389 is now accessible from other machines and correctly bound to the internal IP address of the server instead of a loopback address and the Zimbra services have no issues starting up.

rcholcomb try commenting out the line that sets 127.0.1.1 to your hostname in your /etc/hosts file.