By: Gleb Golubyatnikov user 06 Jul 2018 at 3:26 p.m. CDT

11 Responses
I am able to run ldapsearch queries within the gluu server chroot but the LDAP directory isn't accessible from outside. I have a gluu cluster running with two nodes listening on 0.0.0.0 on port 1636. I've tried the reverse tunneling suggested here but no luck: https://gluu.org/docs/ce/3.1.1/user-management/local-user-management/ Here is the command I try to execute and its output:

```
ldapsearch -H ldaps://gluu_host:1636 -D "cn=directory manager,o=gluu" -w pass -b "o=gluu" -s sub "(uid=test)"
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```

Connection is successful using Apache Directory Studio though. Please advise.

By Michael Schwartz Account Admin 06 Jul 2018 at 3:31 p.m. CDT

This is a Linux network firewall issue, not a Gluu Server issue.

By Chris Blanton user 06 Jul 2018 at 3:35 p.m. CDT

Try this:

```
/opt/opendj/bin/ldapsearch -h gluu_host -p 1636 -Z -X -D 'cn=directory manager' -w pass -b o=gluu -s sub "(uid=test)"
```

Note that I've separated the URI and the port, so it would look like:

```
/opt/opendj/bin/ldapsearch -h ldap.example.org -p 1636 -Z -X -D 'cn=directory manager' -w pass -b o=gluu -s sub "(uid=test)"
```

By Gleb Golubyatnikov user 06 Jul 2018 at 4:12 p.m. CDT

This is not a firewall issue, as I am able to telnet to port 1636. Chris, same result unfortunately.

By Chris Blanton user 06 Jul 2018 at 4:40 p.m. CDT

Oh, this is OpenLDAP. OpenLDAP doesn't allow external connections by default. You have to modify `/opt/symas/etc/openldap/symas-openldap.conf` and change the entry that says `127.0.0.1` to `0.0.0.0`.

By Gleb Golubyatnikov user 07 Jul 2018 at 4:18 a.m. CDT

Chris, I am using OpenDJ and don't have OpenLDAP installed. Here is my LDAP config, /etc/gluu/conf/ox-ldap.properties:

```
bindDN: cn=directory manager
bindPassword: pass
useSSL: true
ssl.trustStoreFile: /etc/certs/opendj.pkcs12
ssl.trustStorePin: trust_pass
ssl.trustStoreFormat: pkcs12
maxconnections: 10
certsDir=/etc/certs
confDir=
pythonModulesDir=/opt/gluu/python/libs
binaryAttributes=objectGUID
certificateAttributes=userCertificate
servers: host1:1636,host2:1636
```

By Chris Blanton user 07 Jul 2018 at 10:05 a.m. CDT

I was confused because your command in the original post used the OpenLDAP bind DN `cn=directory manager,o=gluu`, while OpenDJ uses `cn=directory manager`. Can you describe what ldapsearch method you're using externally? Can you do it successfully from outside the chroot of Gluu Server? I'm assuming you're using the OpenLDAP search based on the `-H` option. You'll need to initialize the `-Z` and `-X` options as well to start TLS, which seems to be the root of your issue. Here's an example modify command I have available:

```
/opt/symas/bin/ldapmodify -Z -X -D "cn=directory manager" -w pass -f test.ldif
```

By Gleb Golubyatnikov user 09 Jul 2018 at 4:12 a.m. CDT

Thanks for your reply Chris. I've installed the ldap-utils package and here is the command I execute:

```
ldapsearch -h ldap.example.org -p 1636 -Z -X -D 'cn=directory manager' -w pass -b o=gluu -s sub "(uid=test)"
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```

This is done outside of Gluu Server, from my local machine.

By Gleb Golubyatnikov user 10 Jul 2018 at 1:45 a.m. CDT

May I know why the ticket is closed?

By Chris Blanton user 10 Jul 2018 at 10:09 a.m. CDT

> May I know why the ticket is closed?

I'm not sure why it was closed.

> This is done outside of Gluu server from my local machine

I'm not sure why you can't connect. This looks like an issue with ldap-utils, since you said you can connect with Apache Directory Studio. I'm not familiar with ldap-utils.

By Gleb Golubyatnikov user 11 Jul 2018 at 5:08 a.m. CDT

For those who might face the same issue: the /etc/ldap/ldap.conf file needs to be changed to validate ldaps connections with the self-signed OpenDJ certificate located in /etc/certs/opendj.crt. So ldap.conf should look like this:

```
TLS_CACERT /etc/certs/opendj.crt
TLS_REQCERT demand
```
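As an added example (not from this thread or from Gluu), here is a small pre-flight script for the ldap-utils client side of the fix above. It checks that the `ldap.conf` the client will use points `TLS_CACERT` at a readable PEM certificate and that `TLS_REQCERT` has not been weakened to `never` or `allow` (which would make the "Can't contact LDAP server" error go away by silently skipping certificate verification), and it builds the `ldapsearch` invocation for an LDAPS port. Two facts it relies on: in OpenLDAP's ldap-utils, `-Z` requests StartTLS on a plaintext LDAP port and `-X` is the SASL authorization id, so for an already-encrypted port such as 1636 the correct form is `-H ldaps://host:1636` with neither flag; and `LDAPCONF` is the environment variable ldap-utils reads to locate an alternative `ldap.conf`. The host name `gluu_host`, the bind DN, the base `o=gluu` and the certificate path `/etc/certs/opendj.crt` are taken from the thread; the script file name is assumed.

```shell
#!/bin/sh
# Added example, not part of the Gluu thread: pre-flight for an ldap-utils
# client talking LDAPS to OpenDJ on 1636 with a self-signed certificate.
# Assumes opendj.crt was copied out of the Gluu chroot to the client host.

# Return 0 if CONF names a readable PEM TLS_CACERT and does not weaken
# verification; otherwise print the reason and return 1.
ldap_conf_preflight() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    cacert=$(awk '$1 == "TLS_CACERT" { print $2 }' "$conf")
    reqcert=$(awk '$1 == "TLS_REQCERT" { print $2 }' "$conf")
    [ -n "$cacert" ] || { echo "TLS_CACERT not set in $conf"; return 1; }
    [ -r "$cacert" ] || { echo "TLS_CACERT file $cacert is not readable"; return 1; }
    # OpenLDAP's default for TLS_REQCERT is demand, so an absent setting is fine.
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "TLS_REQCERT=$reqcert skips server verification; use demand"; return 1 ;;
    esac
    # Catch the common mistake of pointing TLS_CACERT at a key or a PKCS#12 store.
    grep -q 'BEGIN CERTIFICATE' "$cacert" || { echo "$cacert is not a PEM certificate"; return 1; }
    return 0
}

# Print the ldap-utils command line for an LDAPS (already encrypted) port.
# -H ldaps://... replaces -h/-p plus -Z; -W prompts for the password instead
# of exposing it in the process list as -w does.
ldaps_search_cmd() {
    host="$1"; port="$2"; binddn="$3"; base="$4"; filter="$5"
    printf 'ldapsearch -H ldaps://%s:%s -D "%s" -W -b "%s" -s sub "%s"\n' \
        "$host" "$port" "$binddn" "$base" "$filter"
}

# usage: sh ldaps_check.sh gluu_host [/etc/ldap/ldap.conf]
if [ "$#" -ge 1 ]; then
    conf="${2:-/etc/ldap/ldap.conf}"
    ldap_conf_preflight "$conf" || exit 1
    cmd=$(ldaps_search_cmd "$1" 1636 "cn=directory manager" "o=gluu" "(uid=test)")
    echo "running: $cmd"
    # LDAPCONF points ldap-utils at the checked file even when it is not /etc/ldap/ldap.conf.
    LDAPCONF="$conf" eval "$cmd"
fi
```

The preflight deliberately treats `TLS_REQCERT never` as a failure rather than a workaround: with it, the client would accept any certificate presented on port 1636, which defeats the point of LDAPS for a bind that carries the directory manager password.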

By Chris Blanton user 11 Jul 2018 at 4:20 p.m. CDT

Hey Gleb, good find. I'm glad it's working for you now. You pulled the `opendj.crt` from inside the chroot and put it outside, I assume?