By: Conrad Krinock user 14 Dec 2020 at 6:02 a.m. CST

14 Responses
Based on the documentation at https://gluu.org/docs/gluu-server/4.2/user-management/local-user-management/, when we run this command to create an LDAP tunnel:

```
ssh -L 5901:localhost:1636 root@192.168.0.20
```

we encounter:

```
root@192.168.0.20's password: Permission denied, please try again.
```

We tried both the Ubuntu root password and the "bindPassword" password in this file: /opt/gluu-server/etc/gluu/conf/gluu-ldap.properties

By Mohib Zico staff 14 Dec 2020 at 6:47 a.m. CST

```
root@192.168.0.20's password: Permission denied, please try again.
```

You need to find out what your SSH credential is.

>> we tried both the ubuntu root password and the "bindPassword" password in this file:
>>> /opt/gluu-server/etc/gluu/conf/gluu-ldap.properties

SSH credential is _not_ ldap credential!

By Conrad Krinock user 14 Dec 2020 at 8:54 a.m. CST

Hi Mohib,

We now understand that the reason we were getting a permission denied error is that we do not allow root to log in via SSH. This is best practice. We changed the command from

```
ssh -L 5901:localhost:1636 root@192.168.0.20
```

to

```
ssh -L 5901:localhost:1636 conrad@192.168.0.20
```

and the command now succeeds. However, we are expecting port 5901 to be opened on the ubuntu/gluu server and that port is not opened:

```
nmap -p 1-6000 192.168.0.20
22/tcp open ssh
80/tcp open http
443/tcp open https
```

Do we absolutely need to run the command as root? Please advise.

By Mohib Zico staff 14 Dec 2020 at 9:10 a.m. CST

>> However we are expecting port 5901 to be opened on the ubuntu/gluu server

Only Gluu Server's own required ports are open in Gluu Server. 590x are supporting ports, that's why it's not opened.

>> Do we absolutely need to run the command as root? Please advise

No. You can SSH as any user you have.

By Conrad Krinock user 14 Dec 2020 at 9:14 a.m. CST

OK thanks -- on to the next step defined in https://gluu.org/docs/gluu-server/4.2/user-management/local-user-management/ ...

We downloaded the current version of JXplorer and the connection dialog looks nothing like the gluu documentation. Therefore we are road-blocked. We need to know how to create an LDAP connection in JXplorer.

By Mohib Zico staff 14 Dec 2020 at 9:17 a.m. CST

Screenshot is Apache Directory Studio. Please read their own documentation on how to work with that software.

By Conrad Krinock user 14 Dec 2020 at 9:48 a.m. CST

Mohib --- The gluu documentation at https://gluu.org/docs/gluu-server/4.2/user-management/local-user-management/ specifies that we should use JXplorer, not Apache Directory Studio. Are you stating we should use Apache Directory Studio and not JXplorer?

By Mohib Zico staff 14 Dec 2020 at 9:52 a.m. CST

You can use any type of LDAP browser you want. There are 100s of LDAP browsers available out there on the internet.

By Conrad Krinock user 15 Dec 2020 at 6:24 a.m. CST

It appears you're telling us that the documentation at https://gluu.org/docs/gluu-server/4.2/user-management/local-user-management/ is invalid and/or that you don't know the answers to our questions. It's entirely OK to simply respond, "sorry I don't know the answer".

Do you understand that we are merely attempting to CREATE LDAP USERS ON THE GLUU AUTHENTICATION SERVER?

We'll contact Mike and Davin. Thanks

By Mohib Zico staff 15 Dec 2020 at 6:34 a.m. CST

Conrad,

I guess it's me who wrote the doc.... haha

So, we 100% know what we are telling here, every word. Documentation is not wrong. SSH tunneling is simple Linux system administration which all Gluu Server administrators _should_ know. Simple google on "how to reverse tunnel" would reveal how to do that. Same goes for "LDAP browser". Do google and see what's coming.

By Conrad Krinock user 15 Dec 2020 at 7 a.m. CST

```
ssh -L 5901:localhost:1636 conradu@192.168.0.20
```

Simply means requests to port 5901 on the local computer should be forwarded to port 1636 on the remote computer.

Seems you're still not understanding the issue. Let's try again.

```
ssh -L 5901:localhost:1636 conradu@192.168.0.20
```

Succeeds. We can log into our 192.168.0.20 ubuntu/gluu server.

The next step in your documentation, "Create new connection", has a screen shot that does not match the JXplorer we downloaded and installed. This is the roadblock, not the tunnel.

By Mohib Zico staff 15 Dec 2020 at 7:24 a.m. CST

I just recorded a screencast for you and uploaded it to YouTube; it should help you, I guess: https://www.youtube.com/watch?v=Rmdzlnw5VNA

By Conrad Krinock user 15 Dec 2020 at 8 a.m. CST

OK now we're making a little progress ...

(1) Please correct your documentation at https://gluu.org/docs/gluu-server/4.2/user-management/local-user-management/ ; the line

```
ssh -L 5901:localhost:1636 root@[ip_of_Gluu_server]
```

is missing the "-I qa_gluu_org.pem". The corrected line should be:

```
ssh -I qa_gluu_org.pem -L 5901:localhost:1636 root@[ip_of_Gluu_server]
```

(2) Next road block is that when we run:

```
ssh -I qa_gluu_org.pem -L 5901:localhost:1636 conradu@192.168.0.20
```

we encounter the error: "no support for PKCS#11". Seems maybe our server needs the qa_gluu_org.pem file?
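An added example, not part of the original thread or of Gluu's documentation: a small Python check for the two `ssh` points raised in the posts above, namely where an `-L` forward listens (on the machine running `ssh`, which is why scanning the server for 5901 shows nothing) and what `-I` expects compared with `-i`. The function names are hypothetical; the command lines are the ones quoted in the thread.

```python
import shlex
import socket

LOOPBACK = ("localhost", "127.0.0.1")

def parse_local_forward(spec):
    """Split an `ssh -L` argument: [bind_address:]port:host:hostport.
    Bracketed IPv6 literals are not handled in this sketch."""
    parts = spec.split(":")
    if len(parts) == 3:  # no bind_address: loopback unless GatewayPorts is on
        parts = ["localhost"] + parts
    if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
        raise ValueError(f"not a -L spec: {spec!r}")
    bind, lport, host, hport = parts
    # dest_host is resolved by the SSH server, so "localhost" means the server.
    return {"bind": bind, "listen_port": int(lport),
            "dest_host": host, "dest_port": int(hport)}

def review_ssh_command(cmdline):
    """Return (forwards, findings) for an ssh command line given as a string."""
    argv = shlex.split(cmdline)
    forwards, findings = [], []
    for flag, value in zip(argv, argv[1:]):
        if flag == "-L":
            fwd = parse_local_forward(value)
            forwards.append(fwd)
            if fwd["bind"] not in LOOPBACK:
                findings.append("listener %s:%d is reachable from other hosts"
                                % (fwd["bind"] or "*", fwd["listen_port"]))
        elif flag == "-I" and not value.endswith((".so", ".dylib", ".dll")):
            findings.append("-I expects a PKCS#11 shared library; "
                            "a key file is passed with -i " + value)
    return forwards, findings

def client_listener_up(fwd, timeout=1.0):
    """Probe the forward where it listens: on the ssh client, not the server."""
    wildcard = ("", "*", "0.0.0.0", "localhost")
    host = "127.0.0.1" if fwd["bind"] in wildcard else fwd["bind"]
    try:
        with socket.create_connection((host, fwd["listen_port"]), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    fwds, notes = review_ssh_command(
        "ssh -I qa_gluu_org.pem -L 5901:localhost:1636 conradu@192.168.0.20")
    print(fwds, notes, "listening locally:", client_listener_up(fwds[0]))
```

While the tunnel is up, an LDAP browser on the same workstation connects to `localhost` on the listen port (5901 here), and the traffic arrives at port 1636 on the server's own loopback interface.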

By Mohib Zico staff 15 Dec 2020 at 8:17 a.m. CST

>> is missing the "-I qa_gluu_org.pem". The corrected line should be:

No, it's fine. My server is one of the more highly secured ones, which requires a certificate even to SSH. Normal SSH doesn't need this cert thing.

By Conrad Krinock user 15 Dec 2020 at 8:51 a.m. CST

OMG I believe this is resolved.

(a) Apparently, using JXplorer is entirely unnecessary(??!?!?) Half way down in the documentation at https://gluu.org/docs/gluu-server/4.2/user-management/local-user-management/ is this directive:

> Managing data associated with people can be performed in both oxTrust, the admin GUI, as well as LDAP. To manage people in oxTrust, navigate to User > Manage People. From this interface you can add and search users.

So we merely created our users via the gluu authentication server: https://test.gluu.org/identity/person/addPerson.htm

And we can VIEW our users via JXplorer too.

(b) Nevertheless, thanks for creating the YouTube info. That helped us find the solution.

(c) RESOLVED

Conrad