Hello
We are trying to install OPDK 15.04 on RHEL 6.6.
> We are seeing an error during OpenLDAP setup: ldap_result: Can't contact LDAP server (-1)
> netstat shows slapd is listening on 10389
> but when we tried [to see if it's actually listening] ldappasswd -h <host> -p 10389 .... [with localhost, 127.0.0.1, internal IP] - it all fails with the same error - can't contact LDAP server
> ZK and Cassandra are installed and running without issues
Any ideas how to troubleshoot this issue?
Thanks,
@mukundha@apigee.com I believe it's something to do with interfaces.
Adding a few folks here who can help you.
@mukundha@apigee.com A few things I would check:
whether localhost is being resolved to the IP or to loopback, and whether the loopback interface exists.
ping localhost and ifconfig should confirm both.
Finally, run the below to see which interface the LDAP server listens on:
ps -ef | grep slapd
ldap 3331 1 0 00:34 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap // all interfaces here
Thanks @Maruti Chand,
I tried ps -ef | grep slapd
but I get only one interface, and that was empty:
ldap 3331 1 0 00:34 ? 00:00:00 /usr/sbin/slapd -h ldap://:10389
Is this a problem?
What should localhost resolve to, IP or loopback? -- I will check this.
@mukundha@apigee.com See the description below
slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option may be used to specify LDAP (and other scheme) URLs to serve. For example, if slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will bind 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS, and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents INADDR_ANY. A space separated list of URLs is expected. The URLs should be of the LDAP, LDAPS, or LDAPI schemes, and generally without a DN or other optional parameters (excepting as discussed below). Support for the latter two schemes depends on selected configuration options. Hosts may be specified by name or IPv4 and IPv6 address formats. Ports, if specified, must be numeric. The default ldap:// port is 389 and the default ldaps:// port is 636. The socket permissions for LDAP over IPC are indicated by "x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any of the "rwx" can be "-" to suppress the related permission (note, however, that sockets only honor the "w" permission), while any of the "7" can be any legal octal digit, according to chmod(1). While LDAP over IPC requires write permissions on the socket to allow any operation, the other listeners can take advantage of the "x-mod" extension to apply rough limitations to users, e.g. allow read operations ("r", which applies to search and compare), write operations ("w", which applies to add, delete, modify and modrdn), and execute operations ("x", which means bind is required). "User" permissions apply to bound users, while "other" apply to anonymous users.
I believe it should be ldap://0.0.0.0:10389 in your case, or better, change it to localhost:10389 to check if that's the actual issue. Want to give it a try?
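As an added example (not code from the thread or from OpenLDAP), the following resolves slapd -h listener URLs to bind addresses the way the slapd(8) excerpt above describes: an empty host means INADDR_ANY (reported as 0.0.0.0), ldap:// defaults to port 389, ldaps:// to 636, and ldapi:// is a Unix domain socket with no TCP address. Hostnames are kept as written and no DNS lookups are done; the sample URLs and client addresses are constructed for illustration. Run against the poster's ldap://:10389 it shows that listener already binds all interfaces, so the empty host part was not the cause of the connection failure.

```python
"""Resolve slapd '-h' listener URLs to the socket addresses they bind.

Added example; this is not slapd's code. Rules follow slapd(8): an empty
host means INADDR_ANY (shown as 0.0.0.0), ldap:// defaults to port 389,
ldaps:// to 636, and ldapi:// is a Unix domain socket with no TCP address.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
WILDCARD_HOSTS = {"0.0.0.0", "::"}  # INADDR_ANY / in6addr_any


def parse_listener(url):
    """Return (scheme, host, port) for one slapd listener URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        # Unix domain socket: no TCP address to bind.
        return ("ldapi", None, None)
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported listener scheme in {url!r}")
    # urlsplit gives hostname=None for 'ldap:///' and 'ldap://:10389';
    # slapd treats both as INADDR_ANY.
    host = parts.hostname or "0.0.0.0"
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def parse_listeners(h_arg):
    """Parse the space-separated URL list passed to slapd -h."""
    return [parse_listener(u) for u in h_arg.split()]


def accepts(listeners, address, port):
    """Would a TCP client connecting to address:port reach one of these listeners?

    A wildcard bind (0.0.0.0 or ::) answers on every local address; a
    specific bind answers only on that address. ldapi listeners never do.
    """
    return any(
        scheme != "ldapi" and p == port and (h in WILDCARD_HOSTS or h == address)
        for scheme, h, p in listeners
    )


if __name__ == "__main__":
    # Constructed inputs: the poster's listener and the slapd(8) example.
    for h_arg in ("ldap://:10389", "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///"):
        print(h_arg, "->", parse_listeners(h_arg))
    poster = parse_listeners("ldap://:10389")
    for addr in ("127.0.0.1", "10.0.0.5"):
        print(f"connect {addr}:10389 reaches listener:", accepts(poster, addr, 10389))
```

Because a wildcard listener reachable from every local address still produced "Can't contact LDAP server" for the poster, the fault has to lie after the bind, which is where the TCP Wrappers check later in this thread comes in.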
Thanks Maruthi, will check this out -- in my local installation where it works I see ldap://:10389/ - but it's in EC2. Let me play around a bit with this.
This seems similar to the TCP ports problem you resolved at T. Please share steps to verify.
This could be TCP Wrappers. Can you check /etc/hosts.allow and /etc/hosts.deny to see whether there are any restrictions?
Thanks Paul, I will check this. I just added to the question - ZK and Cassandra installed without issues and are working correctly - do you think this could still be an issue only for OpenLDAP?
Yes. OpenLDAP is installed using system-level packages and is compiled with TCP Wrappers support. ZooKeeper and Cassandra aren't subject to the same issue.
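To make the TCP Wrappers point concrete, here is an added example (not code from the thread, from OpenLDAP or from tcp_wrappers) that evaluates /etc/hosts.allow and /etc/hosts.deny rules for a daemon/client pair using the decision order documented in hosts_access(5): the first matching hosts.allow entry grants access, otherwise the first matching hosts.deny entry denies it, otherwise access is granted. slapd performs this check on each connection after accept(), which is why netstat shows the port listening while the client still gets "Can't contact LDAP server". The rule files and client addresses below are constructed; the daemon name slapd is the one the OpenLDAP FAQ uses in its hosts.allow example. Supported patterns are ALL, LOCAL, exact host or address, leading-dot domain suffix, trailing-dot address prefix, net/mask and EXCEPT; DNS lookups, KNOWN/UNKNOWN/PARANOID and the extended ALLOW/DENY option keywords are not modelled.

```python
"""Evaluate TCP Wrappers (hosts_access) rules for a daemon/client pair.

Added example, not part of the thread, OpenLDAP or tcp_wrappers. Decision
order per hosts_access(5): hosts.allow match grants; else hosts.deny match
denies; else access is granted. The third (shell command) field and the
extended ALLOW/DENY options are ignored; no DNS lookups are done.
"""
import ipaddress


def _tokens(field):
    # List items may be separated by commas and/or blanks.
    return [t for t in field.replace(",", " ").split() if t]


def _match_one(pattern, value, is_client):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # LOCAL matches any host name that does not contain a dot.
        return is_client and "." not in value
    if is_client:
        if pattern.startswith("."):          # domain suffix, e.g. ".example.com"
            return value.lower().endswith(pattern.lower())
        if pattern.endswith("."):            # address prefix, e.g. "10.0.0."
            return value.startswith(pattern)
        if "/" in pattern:                   # net/mask, e.g. 10.1.0.0/255.255.0.0
            try:
                return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
            except ValueError:
                return False
    return pattern.lower() == value.lower()  # tcpd compares case-insensitively


def _match_list(field, value, is_client):
    """Match a daemon_list or client_list, honouring 'list_1 EXCEPT list_2'."""
    padded = f" {field} "
    if " EXCEPT " in padded:
        head, _, tail = padded.partition(" EXCEPT ")
        return (_match_list(head.strip(), value, is_client)
                and not _match_list(tail.strip(), value, is_client))
    return any(_match_one(p, value, is_client) for p in _tokens(field))


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow/hosts.deny text."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):              # backslash continuation
            pending = line[:-1]
            continue
        pending = ""
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                         # malformed; tcpd logs and skips it
        rules.append((fields[0], fields[1]))
    return rules


def _matches(rules, daemon, client):
    return any(_match_list(d, daemon, False) and _match_list(c, client, True)
               for d, c in rules)


def hosts_access(daemon, client, allow_text, deny_text):
    """True if the pair is granted access under the given rule files."""
    if _matches(parse_rules(allow_text), daemon, client):
        return True
    if _matches(parse_rules(deny_text), daemon, client):
        return False
    return True


# Constructed sample: a hardened host whose hosts.deny rejects everything not
# explicitly allowed, before and after the slapd entry is added.
HARDENED_DENY = "ALL: ALL\n"
ALLOW_BEFORE_FIX = "sshd: ALL\n"             # slapd missing: LDAP clients get dropped
ALLOW_AFTER_FIX = ALLOW_BEFORE_FIX + "slapd: 127.0.0.1, 10.0.0. EXCEPT 10.0.0.99\n"


def slapd_reachable(client, allow_text, deny_text=HARDENED_DENY):
    return hosts_access("slapd", client, allow_text, deny_text)


if __name__ == "__main__":
    for label, allow in (("before fix", ALLOW_BEFORE_FIX), ("after fix", ALLOW_AFTER_FIX)):
        for client in ("127.0.0.1", "10.0.0.12", "10.0.0.99", "192.168.1.5"):
            print(f"{label}: slapd from {client}: {slapd_reachable(client, allow)}")
```

The "before fix" run reproduces the symptom in the thread: sshd still works because it has its own hosts.allow line, while every slapd client, localhost included, falls through to the ALL: ALL deny. On a real host the quick check is grep -n slapd /etc/hosts.allow /etc/hosts.deny together with a look for a catch-all ALL: ALL in hosts.deny, and a denied connection also leaves a "refused connect from ..." line in syslog.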
http://www.openldap.org/faq/data/cache/339.html. Thanks Paul, awesome!
Thanks everyone for chipping in.
The root cause of the issue was the TCP wrapper, as mentioned by Paul.
More info here: http://www.openldap.org/faq/data/cache/339.html
Thanks @Paul Mibus
I have added to the OPDK install doc to check TCP Wrappers as part of the installation checklist.
Stephen
Thanks Stephen
We had a similar issue and want to understand the significance of TCP wrappers for OpenLDAP.
This information is required to clarify things for the security team, as we followed the below to resolve the issue.
http://www.openldap.org/faq/data/cache/339.html. Which section in the install guide talks about TCP wrappers?
TCP wrappers are not specifically covered by the installation guide since they are not enabled by default on a standard RHEL/CentOS system for OpenLDAP. If there are local customizations/hardening steps required by security policy then you may have to enable them. If you do, ensure that connections from all management servers are permitted.
We had the local hardening steps done by the security team and it has been enabled. We followed the below to resolve.