By: Rahul Gupta user 23 Jan 2018 at 2:16 p.m. CST

4 Responses
I see on this page: https://gluu.org/docs/cm/alpha/configuration/configuring-GluuCE-Cluster/

"Edit the file /opt/symas/etc/openldap/symas-openldap.conf to allow servers within chroot to connect to LDAP and make OpenLDAP use OLC (On-Line Configuration). As Gluu recommends using FQDN or IP for its connections to LDAP, change the values of HOST_LIST and EXTRA_SLAPD_ARGS:

HOST_LIST="ldaps://127.0.0.1:1636/" to HOST_LIST="ldaps://127.0.0.1:1636/ ldaps://<server_ip>:1636"
EXTRA_SLAPD_ARGS=" " to EXTRA_SLAPD_ARGS="-F /opt/symas/etc/openldap/slapd.d"

Generate new SSL certificate for OpenLDAP: The default certificate for OpenLDAP in Gluu Server is for localhost only; we need to generate a hostname-based certificate for wider access. (Skip/modify this step if you are using a different CA system.) Important: Common Name (e.g. server FQDN or YOUR name) should be your hostname."

However, a few folks have mentioned that one has to tunnel to reach OpenLDAP within Gluu:
https://support.gluu.org/identity-management/4991/ldapsearch-cant-access-gluu-server-got-ldap_sasl_interactive_bind_s-cant-contact-ldap-server-1/
https://support.gluu.org/identity-management/4253/cant-connect-to-openldap-externally/

Is it possible to connect to Gluu's LDAP directly? Or does one have to tunnel? It's unclear from the contradicting pages. Thanks!

By Aliaksandr Samuseu staff 23 Jan 2018 at 6:41 p.m. CST

Hi, Rahul.

> Is it possible to connect to Gluu's LDAP directly? Or does one have to tunnel? It's unclear from the contradicting pages.

Yes, it's possible, and the quote from the cluster docs actually shows how it's done (no need to change the other property if you don't need to cluster it):

> Change..
> HOST_LIST="ldaps://127.0.0.1:1636/" to HOST_LIST="ldaps://127.0.0.1:1636/ ldaps://<server_ip>:1636"

It's also true that usually tunnelling is suggested, as it's a much safer way to do this. At least, if you decide to expose its ports to the outer net, make sure you set firewall rules limiting who can connect from where.

By Aliaksandr Samuseu staff 23 Jan 2018 at 6:45 p.m. CST

Just to make it clear: unless you want to cluster it, you need to change just that one property and restart the service. No need to issue new certificate or change anything else.

By Rahul Gupta user 24 Jan 2018 at 12:53 a.m. CST

Thanks Aliaksandr! That makes it a lot less complicated, not having to generate new certs.

I added the IP address of the Gluu server to HOST_LIST so that it lists both localhost and the IP address:

HOST_LIST="ldaps://127.0.0.1:1636/ ldaps://<server_ip>:1636"

And then restarted the service:

service solserver restart

The service restarted fine, but when I then did an ldapsearch:

/opt/opendj/bin/ldapsearch -p 1636 -Z -X -D 'cn=directory manager,o=gluu' -w 'mypassword' -b o=gluu gluuGroupType=gluuManagerGroup 1.1

it said:

Connect Error
Result Code: 91 (Connect Error)

When I put it back:

HOST_LIST="ldaps://127.0.0.1:1636/"

and then restarted the service again:

service solserver restart

the same ldapsearch command worked again. Do you know why this might be happening?

By Christopher Palmer user 26 Feb 2018 at 5:53 p.m. CST

I'd have been curious to see what 'ps -ef | grep slapd' showed when it couldn't connect.
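A small diagnostic for the situation described in the answers and Rahul's follow-up above, added here as an example and not code from Gluu, Symas or the thread participants: it reads the HOST_LIST line from symas-openldap.conf and reports which configured listeners slapd has actually bound according to an `ss -ltn` snapshot, which is the server-side check to run (alongside `ps -ef | grep slapd`) before chasing a Result Code 91 on the client. The `ss` column layout is assumed to be the usual "State Recv-Q Send-Q Local Address:Port ..." form, and 192.0.2.10 is a placeholder server IP in constructed demo data.

```shell
#!/bin/sh
# Added example, not from the thread: compare the listeners configured in
# HOST_LIST of /opt/symas/etc/openldap/symas-openldap.conf with the sockets
# slapd actually has bound, as shown by `ss -ltn`. Both inputs are plain
# text files so the check also works on a saved snapshot; the demo data at
# the bottom is constructed and uses 192.0.2.10 as a placeholder server IP.

# Print the URLs from the HOST_LIST="..." line, one per line, with a trailing
# "/" dropped so "ldaps://127.0.0.1:1636/" and "ldaps://127.0.0.1:1636" match.
host_list_urls() {
    sed -n 's/^HOST_LIST="\(.*\)"[[:space:]]*$/\1/p' "$1" \
        | tr ' ' '\n' | sed 's#/$##' | grep .
}

# "ldaps://HOST:PORT" -> "HOST:PORT", the form `ss` prints as Local Address.
url_to_addr() {
    printf '%s\n' "$1" | sed 's#^ldaps\{0,1\}://##'
}

# For each configured listener print BOUND or MISSING. A MISSING entry means
# slapd never bound that address, so the failure is on the server side and
# the slapd log plus `ps -ef | grep slapd` are the next things to inspect.
check_listeners() {
    conf="$1"; snapshot="$2"
    host_list_urls "$conf" | while read -r url; do
        addr=$(url_to_addr "$url")
        if awk -v a="$addr" '$1 == "LISTEN" && $4 == a { f = 1 } END { exit !f }' "$snapshot"; then
            echo "BOUND   $url"
        else
            echo "MISSING $url"
        fi
    done
}

# Constructed demo: HOST_LIST lists both addresses but only the loopback
# listener appears in the (fabricated) `ss -ltn` snapshot.
demo() {
    d=$(mktemp -d)
    cat > "$d/symas-openldap.conf" <<'EOF'
HOST_LIST="ldaps://127.0.0.1:1636/ ldaps://192.0.2.10:1636"
EXTRA_SLAPD_ARGS="-F /opt/symas/etc/openldap/slapd.d"
EOF
    cat > "$d/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1636     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
EOF
    check_listeners "$d/symas-openldap.conf" "$d/ss.txt"
    rm -rf "$d"
}
```

On a live host, run `check_listeners /opt/symas/etc/openldap/symas-openldap.conf <(ss -ltn)` from the Gluu chroot (or save `ss -ltn` to a file first for a plain POSIX sh).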