Hi all,
I set up a host with centos 5.6 and 389-ds 1.1.3 for testing purposes. On startup of the directory, it states:
[08/Jul/2011:15:36:44 +0200] - 389-Directory/1.2.2 B2009.237.2054 starting up
[08/Jul/2011:15:36:46 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[08/Jul/2011:15:36:47 +0200] - Listening on All Interfaces port 636 for LDAPS requests
On that host I can see the ldap and ldapssl ports open, and e.g. 389-console shows reasonable stuff. However, on other hosts I cannot; queries on the directory fail. Seems to me like the server only listens on the loopback interface.
Any ideas about this?
regards, Arian
Output from 'sudo netstat -tlnp' please, followed by the output of 'sudo /sbin/iptables -L'. Feel free to obscure the IPs if they are internet visible; replace the first 2 octets with 192.168.
On 7/8/2011 10:01 AM, Arian Sanusi wrote:
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Does that mean it listens only on IPv6?
[root@centos5-test ~]# netstat -tlnp
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9830            0.0.0.0:*               LISTEN      2812/httpd.worker
tcp        0      0 0.0.0.0:646             0.0.0.0:*               LISTEN      2160/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2121/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2431/sendmail: acce
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      3982/0
tcp        0      0 :::389                  :::*                    LISTEN      3885/ns-slapd
tcp        0      0 :::22                   :::*                    LISTEN      2392/sshd
tcp        0      0 ::1:6010                :::*                    LISTEN      3982/0
tcp        0      0 :::636                  :::*                    LISTEN      3885/ns-slapd
[root@centos5-test ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
On 08.07.2011 16:19, Paul Robert Marino wrote:
Output from 'sudo netstat -tlnp' please, followed by the output of 'sudo /sbin/iptables -L'. Feel free to obscure the IPs if they are internet visible; replace the first 2 octets with 192.168.
Yes it does, and there's your problem. It's listening everywhere on IPv6 but nowhere on IPv4.
On 7/8/2011 10:26 AM, Arian Sanusi wrote:
On 07/08/2011 07:26 AM, Arian Sanusi wrote:
Does that mean it listens only on IPv6?
What does 'sysctl net.ipv6.bindv6only' show on your system?
Do you have nsslapd-listenhost set in your cn=config entry? You can check this in /etc/dirsrv/slapd-<instance>/dse.ldif.
On 08.07.2011 17:00, Nathan Kinder wrote:
On 07/08/2011 07:26 AM, Arian Sanusi wrote:
Does that mean it listens only on IPv6?
What does 'sysctl net.ipv6.bindv6only' show on your system?
net.ipv6.bindv6only=0
Do you have nsslapd-listenhost set in your cn=config entry? You can check this in /etc/dirsrv/slapd-<instance>/dse.ldif.
No, it does not show up there. The directory was created by the setup-ds-admin.pl script with no further modifications.
I just disabled IPv6 completely (the network is v4 only anyway), resulting in this netstat output:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2623/ns-slapd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2623/ns-slapd
Remote clients still cannot connect; nmap states the port is not open :(
You need to do an iptables update now. You can temporarily flush the rules with 'sudo /sbin/service iptables stop'.
You will need to add a rule to /etc/sysconfig/iptables and restart the iptables "service".
On 7/8/2011 11:27 AM, Arian Sanusi wrote:
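An added check, not code from the thread, that reads the two outputs Paul asked for and reports, per LDAP port, whether ns-slapd is bound to a wildcard or loopback address and whether the RH-Firewall-1-INPUT chain accepts the port before its catch-all REJECT. The sample outputs are constructed (cut down from the ones posted above); CHAIN_FIXED is an assumed "after" state showing the chain once the rules Paul suggests are added above the REJECT in /etc/sysconfig/iptables.

```shell
# Added example, not code from the thread: reads netstat -tlnp and iptables -L
# output and explains why ns-slapd is unreachable. Samples are constructed,
# cut down from the output posted in the thread.
NETSTAT_SAMPLE='tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2431/sendmail
tcp 0 0 :::389 :::* LISTEN 3885/ns-slapd
tcp 0 0 :::636 :::* LISTEN 3885/ns-slapd'
CHAIN_SAMPLE='Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'
# Assumed "after" state: the same chain once these two lines are added to
# /etc/sysconfig/iptables above the final REJECT and the service is restarted:
#   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
#   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
CHAIN_FIXED="$(printf '%s\n' "$CHAIN_SAMPLE" | sed '$d')
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldaps
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited"
# listener_scope PORT NETSTAT_TEXT -> wildcard | loopback | specific | none
# "::" with net.ipv6.bindv6only=0 also accepts IPv4, so it counts as wildcard.
listener_scope() {
  printf '%s\n' "$2" | awk -v p="$1" '
    !found && $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
      n = split($4, a, ":"); if (a[n] != p) next
      found = 1; addr = substr($4, 1, length($4) - length(p) - 1)
      if (addr == "0.0.0.0" || addr == "::") print "wildcard"
      else if (addr == "127.0.0.1" || addr == "::1") print "loopback"
      else print "specific"
    }
    END { if (!found) print "none" }'
}
# chain_verdict CHAIN_TEXT PORT -> allowed | blocked | chain-policy
# Walks rules in order: an ACCEPT naming the port (service name without -n,
# number with -n) before a catch-all REJECT/DROP opens it. A bare "ACCEPT all"
# is not trusted: without -v it may hide a "-i lo" restriction.
chain_verdict() {
  printf '%s\n' "$1" | awk -v port="$2" '
    BEGIN { svc["22"] = "ssh"; svc["389"] = "ldap"; svc["636"] = "ldaps" }
    function names_port(  i) {
      for (i = 1; i <= NF; i++) if ($i == "dpt:" port || $i == "dpt:" svc[port]) return 1
      return 0 }
    v == "" && $1 == "ACCEPT" && names_port() { v = "allowed" }
    v == "" && ($1 == "REJECT" || $1 == "DROP") && $0 !~ /dpt:/ { v = "blocked" }
    END { print (v == "" ? "chain-policy" : v) }'
}
for port in 389 636; do
  echo "port $port: listener=$(listener_scope "$port" "$NETSTAT_SAMPLE")" \
       "firewall_before=$(chain_verdict "$CHAIN_SAMPLE" "$port") after=$(chain_verdict "$CHAIN_FIXED" "$port")"
done
```

On the thread's own output this reports a wildcard listener on both ports with the firewall blocking them, which matches the symptom: ns-slapd is fine, the chain's final REJECT is what nmap sees.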