
Unable to login to eDirectory from LDAP browser.


Hi Guys,

Version:
eDirectory 8.8.6.5 (20606.01)

Scenario:
Recently I changed the IP address of our server, then changed the IP
address of eDirectory by modifying the nds.conf file to reflect the new
address.
I restarted eDirectory and everything was good till I noticed that I was
no longer able to log in to eDirectory using an LDAP browser!

Questions:
Was my method right?
Is there any other conf file where I need to reflect this change?
Or re-install eDirectory from scratch on that server?

Any pointers how to solve this?

-ddgaikwad


--
ddgaikwad
------------------------------------------------------------------------
ddgaikwad's Profile: https://forums.netiq.com/member.php?userid=5917
View this thread: https://forums.netiq.com/showthread.php?t=51499


Re: Unable to login to eDirectory from LDAP browser.

On 08/11/2014 06:56 AM, ddgaikwad wrote:
>
> Hi Guys,
>
> Version:
> eDirectory 8.8.6.5 (20606.01)
>
> Scenario:
> Recently I had changed the IP address of our server, then changed the IP
> address of eDirectory by modifying nds.conf file to reflect the new
> address.
> Restarted eDirectory and everything was good till I noticed that I was
> no longer able to login to eDirectory using LDAP browser!
>
> Questions:
> Was my method right?


Sounds good

> Is there any other conf file where I need to reflect this change?


Did you point your LDAP browser to the new IP address, or are you still
pointed to the old one?

> Or re-install eDirectory from scratch on that server?


Good heavens no, that'd be crazy. The only other thing that comes to mind
is a potential issue if the LDAP Server object was, previously, configured
to listen on a specific IP address (the old one) and of course was not
updated when you changed the nds.conf file. If that's the case, update
the ldapInterfaces attribute appropriately (as was done before when the
box was set to listen on only one IP address, which if applicable is also
a task you probably did, but otherwise look on the appropriate LDAP Server
object) and then reload nldap.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Unable to login to eDirectory from LDAP browser.


ab;247427 Wrote:
> On 08/11/2014 06:56 AM, ddgaikwad wrote:
> >
> > Hi Guys,
> >
> > Version:
> > eDirectory 8.8.6.5 (20606.01)
> >
> > Scenario:
> > Recently I had changed the IP address of our server, then changed the IP
> > address of eDirectory by modifying nds.conf file to reflect the new
> > address.
> > Restarted eDirectory and everything was good till I noticed that I was
> > no longer able to login to eDirectory using LDAP browser!
> >
> > Questions:
> > Was my method right?
>
> Sounds good
>
> > Is there any other conf file where I need to reflect this change?
>
> Did you point your LDAP browser to the new IP address, or are you still
> pointed to the old one?
>
> > Or re-install eDirectory from scratch on that server?
>
> Good heavens no, that'd be crazy. The only other thing that comes to mind
> is a potential issue if the LDAP Server object was, previously, configured
> to listen on a specific IP address (the old one) and of course was not
> updated when you changed the nds.conf file. If that's the case, update
> the ldapInterfaces attribute appropriately (as was done before when the
> box was set to listen on only one IP address, which if applicable is also
> a task you probably did, but otherwise look on the appropriate LDAP Server
> object) and then reload nldap.
>
> --
> Good luck.


Well, my server's attribute looks something like this:
ldap://:3389
ldaps://:3443

Is this right?
Shall I enter the new entry like, ldap://<my IP address>:389?

-ddgaikwad


--
ddgaikwad
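To see what the two ldapInterfaces values above actually mean, and to spot an entry still pinned to the old address (the case ab describes in the previous reply), here is an added Python example that is not code from the thread or from eDirectory; the third sample value, the address set and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Default ports per scheme; an entry with no explicit port uses these.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_interface(value):
    """Return (scheme, host, port) for one ldapInterfaces value.

    An empty host, as in ldap://:3389, means the listener binds to every
    address on the box; urlsplit reports it as hostname None.
    """
    parts = urlsplit(value)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported ldapInterfaces scheme: %r" % value)
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return parts.scheme, host, port


def audit_interfaces(values, current_ips):
    """List the problems a client would hit with the given listener set.

    current_ips: the addresses the host owns after the change (a set).
    """
    findings = []
    for value in values:
        scheme, host, port = parse_interface(value)
        if host and host not in current_ips:
            findings.append("%s: bound to %s, an address this host no longer owns"
                            % (value, host))
        if port != DEFAULT_PORTS[scheme]:
            findings.append("%s: non-default %s port %d, clients must be told"
                            % (value, scheme, port))
    return findings


# Constructed sample: the two values reported in the thread plus a
# hypothetical third entry still pinned to the retired address.
SAMPLE_VALUES = ["ldap://:3389", "ldaps://:3443", "ldaps://192.0.2.10:636"]
SAMPLE_CURRENT_IPS = {"192.0.2.20"}

if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_VALUES, SAMPLE_CURRENT_IPS):
        print(finding)
```

Run against the real attribute (read from the LDAP Server object) and the host's current addresses, an empty result means no listener is bound to a retired IP and every port is a default one.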


Re: Unable to login to eDirectory from LDAP browser.

Are those sockets listening?


sudo /usr/sbin/ss -planeto | grep -e ':3389' -e ':3443'


If not, use ndstrace to see if there are errors when loading nldap. If
so, try accessing these sockets from another box just to test connectivity:


netcat -zv server.goes.here 3389 3443


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to login to eDirectory from LDAP browser.


ab;247445 Wrote:
> Are those sockets listening?
>
> Code:
> --------------------
> sudo /usr/sbin/ss -planeto | grep -e ':3389' -e ':3443'
> --------------------
>
> If not, use ndstrace to see if there are errors when loading nldap. If
> so, try accessing these sockets from another box just to test
> connectivity:
>
> Code:
> --------------------
> netcat -zv server.goes.here 3389 3443
> --------------------
>
> --
> Good luck.


Yes, the sockets are listening.
Also netcat shows that those ports are open.

So then that should be good, right?
Or shall I just change them back to what they were, 389 for ldap and
636 for ldaps?

-ddgaikwad


--
ddgaikwad

Re: Unable to login to eDirectory from LDAP browser.

On 08/12/2014 04:36 AM, ddgaikwad wrote:
>
> Yes, the sockets are listening.
> Also netcat shows that those ports are open.


Okay, so then the next basic step is to figure out what is different about
the TCP-level connection test working successfully with netcat, and the
failed LDAP test from your LDAP browser; perhaps your LDAP browser is
broken, or on a box that cannot route to the server, or subject to other
firewalls, or just misconfigured per the non-standard ports. Start with
the basics, and if that does not turn up anything, get some ndstrace
output (+TIME +TAGS +LDAP) to see if the server even sees the client
connection at all.

> So then that should be good right?
> Or I will just change them back to what they were like, for ldap 389 and
> for ldaps 636?


You can change ports, but why did you change them to the alternates in the
first place? I do not see how changing them again now makes any
difference, unless your LDAP client is configured for the defaults and
cannot be changed to the new ports, in which case your client is the problem.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to login to eDirectory from LDAP browser.


ab;247511 Wrote:
> On 08/12/2014 04:36 AM, ddgaikwad wrote:
> >
> > Yes, the sockets are listening.
> > Also netcat shows that those ports are open.
>
> Okay, so then the next basic step is to figure out what is different about
> the TCP-level connection test working successfully with netcat, and the
> failed LDAP test from your LDAP browser; perhaps your LDAP browser is
> broken, or on a box that cannot route to the server, or subject to other
> firewalls, or just misconfigured per the non-standard ports. Start with
> the basics, and if that does not turn up anything, get some ndstrace
> output (+TIME +TAGS +LDAP) to see if the server even sees the client
> connection at all.
>
> > So then that should be good right?
> > Or I will just change them back to what they were like, for ldap 389 and
> > for ldaps 636?
>
> You can change ports, but why did you change them to the alternates in the
> first place? I do not see how changing them again now makes any
> difference, unless your LDAP client is configured for the defaults and
> cannot be changed to the new ports, in which case your client is the problem.
>
> --
> Good luck.


I am using Apache directory to connect to eDirectory.
The other thing I observed was that, when I used a TLS bind, it was
able to connect to eDirectory just fine.

I remember there is an option on the LDAP Server object where we can
tick off "require TLS for binds"...

And about using those non-standard ports: someone else had
installed this server and I was not aware of what ports were being
used.
Well, it's good that this setup was done in a Dev environment.

-ddgaikwad


--
ddgaikwad

Re: Unable to login to eDirectory from LDAP browser.

On Tue, 12 Aug 2014 11:35:06 +0000, ddgaikwad wrote:

> I remember there is an option on the LDAP Server object where we can
> tick off request TLS binds...


Yes, if you don't use a TLS connection and try to bind, you'll get an
error -13 "confidentiality required" and the bind will be rejected.

If the network between the Apache system and the eDir server is secured
by other means, you could disable the TLS requirement. Remember to
refresh the LDAP server config after making the change.

Jim



--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner