  #1 (permalink)  
Old 11-01-2005, 06:59 AM
Special Member
 
Posts: 166
Default LDAP through Firewall

Hi

Trying to get connected to Zimbra GAL over LDAP from the Public Internet through a Firewall using MAP/NAT to private internal IP network. Can access using Thunderbird on a client local to Zimbra server but not on the other side of the firewall.

Enabled the correct 389 port mapping etc but no joy, even tried opening the IP target address completely to a known IP range but still the same result. Is there a permissions issue somewhere in Zimbra? Something like the hosts.allow file or a slapd conf entry? Probably something obvious and silly but I am generally good at trying the obvious and silly things...

Help much appreciated ;-)

Kevin
  #2 (permalink)  
Old 11-01-2005, 07:50 AM
Zimbra Employee
 
Posts: 4,792
Default

You should also open 7389, which is where the actual LDAP server runs. 389 is mapped via iptables to 7389, so we've seen certain configs that needed both ports open.
  #3 (permalink)  
Old 11-01-2005, 08:35 AM
Special Member
 
Posts: 166
Default LDAP working...

Thanks Kevin

I tried that but no joy. Then moved to another network and tried it from there and it works. Must be something to the specific local network or the local installs of Thunderbird.

There always seems to be another obvious and silly thing I miss!

Kevin
  #4 (permalink)  
Old 11-29-2005, 04:04 PM
Project Contributor
 
Posts: 33
Default Dns…

1) Can you access some service or host other than the Zimbra server?
Can you connect to something like a web server, SSH, or any test box or client on your Zimbra LAN side from the Internet (WAN), with the correct port mappings in the firewall? (I assume YES, because it seems you're suspecting the Zimbra server itself and not your firewall/network settings.
Quote:
Enabled the correct 389 port mapping etc but no joy, even tried opening the IP target address completely to a known IP range but still the same result. Is there a permissions issue somewhere in Zimbra? Something like the hosts.allow file or a slapd conf entry? Probably something obvious and silly but I am generally good at trying the obvious and silly things...
)
When you talk about a possible permissions issue, do you have an error message? I.e. you can't log in, or host deny, or some message? Or is it just a timeout, no connection, nothing…
2) On your client config (WAN side, i.e. your home or the place from where you try to connect): what are your DNS settings? Are they those of your ISP?
You should then add an entry like 192.168.x.x, i.e. the DNS server on your Zimbra LAN side.
3) Can you VPN through your firewall? This would be simpler, as it simulates you already being in the Zimbra LAN…
4) What do you mean by:
Quote:
moved to another network and tried it from there and it works
?
Have you been, say, visiting a friend, and via their Internet connection you connected to the Zimbra server the way you want? I'm confused about what you mean here.

I would suspect your firewall, but if you succeeded at another place (cf. 4) then it's not that.
In that case I would say DNS. Most of my connection problems come from DNS.
(It's always the FIRST thing I set up.)
Can you add DNS entries in your firewall?

On my LAN (never on the Internet) I have some ? subnets on an IPCop acting as firewall/router (Gigabit router;) I've set up Kerberos with Mac OS X Server, which is the LDAP master for my clients, the "Green side".
(Zimbra is on the same subnet as the server but not the same domain; it's for testing purposes right now. But this OS X box is the LAN DNS.) I also have a second OS X server, kerberized, on the IPCop DMZ side, aka Orange.
All this to say that I had to add "DMZ pinholes" (as IPCop calls them)
to make Kerberos and LDAP work fine.
To do so I mapped these ports to the OS X master server:
53 (domain) - TCP
5353 (MDNS) - UDP
389 (LDAP) - TCP
636 (LDAPS) - TCP

(and others necessary to Kerberos not relevant here)

Don't know if it helps.
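The question raised in post #4 (an error message, a timeout, or a DNS problem?) can be answered from each client network with a small TCP probe of the ports named in the thread. This is an added example, not part of the original thread; the names `probe`, `diagnose` and `HINTS` and the default host are assumptions made for illustration.

```python
import socket

# Ports named in the thread: 389 (LDAP, redirected by iptables to 7389 on the
# Zimbra host), 7389 (where the LDAP server actually listens), 636 (LDAPS).
THREAD_PORTS = (389, 7389, 636)

HINTS = {
    "dns_failure": "name does not resolve from this network; check client DNS",
    "timeout": "no answer at all; typically a firewall/NAT rule dropping the port",
    "refused": "host answered but nothing accepts on this port (or a REJECT rule)",
    "open": "TCP path works; any remaining failure is at the LDAP layer",
    "unreachable": "no route or another network-level error",
}


def probe(host, port, timeout=3.0):
    """Return "dns_failure", "open", "refused", "timeout" or "unreachable"."""
    try:
        # Resolve first so a DNS problem is reported as such; UnicodeError
        # is what Python raises for a malformed name.
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return "dns_failure"
    result = "unreachable"
    for family, socktype, proto, _canon, addr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return "open"
        except socket.timeout:
            result = "timeout"
        except ConnectionRefusedError:
            result = "refused"
        except OSError:
            pass  # keep the most specific result seen so far
        finally:
            sock.close()
    return result


def diagnose(host, ports=THREAD_PORTS, timeout=3.0):
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder default
    for port, state in diagnose(host).items():
        print(f"{host}:{port:<5} {state:<12} {HINTS[state]}")
```

Running it once from the network that fails and once from the network that works shows whether the difference is name resolution, a dropped port, or something above TCP.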