LinuxQuestions.org
LDAP does not work

01-19-2011, 08:45 AM   #1   guna_pmk
Hello Guys,

LDAP Server => CentOS 5.5
Configured according to this link
http://www.server-world.info/en/note...S_5&p=ldap&f=1

LDAP Client => Fedora 14
Configured according to this link
http://www.server-world.info/en/note..._14&p=ldap&f=2

Now, after I reboot the Fedora 14 machine, during startup it takes a very, very long time to start the mdmonitor service. After that, when I log on using a local account on the Fedora 14 machine, it takes a painfully long time to log on. And it does not identify the domain user.

I am able to log on to the LDAP server through ssh from the Fedora machine.

I issued the command 'getent passwd', which does not fetch the domain users either. I am completely lost now. I know the details here are not enough. Please let me know of any details you need to help me out of this issue.

Thanks
 
01-19-2011, 02:02 PM   #2   acid_kewpie (Moderator)
Well, you've not provided any of your config files, so if you want more help you should provide them, from the client and the server. Primarily though, you MUST be clear whether the server works or doesn't before you dive head first into trying to use it. Can you do an ldapsearch against the server ON the server? Can you do it from the client? What happens when you do? What does the log say on the server about the attempts?
 
01-20-2011, 06:04 AM   #3   guna_pmk (Original Poster)
Hi Chris,

Thanks for your immediate response. I knew that the information I provided was not enough. But I did not know what, apart from the links, I should provide, as I am pretty new to this setup and I lack knowledge of the tools to be used to diagnose this issue.

Regarding the config files, the reason why I did not provide them was that they are not different from what is provided in those links. I have only replaced the example names with the real ones.

The server, with the 'ldapsearch -x' command, shows all the entries I entered in the database. 'getent' on the server lists the ldap entries (along with the local accounts) as well. Below are the ldap related packages on the server (output of `rpm -qa | grep ldap`):
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
openldap-clients-2.3.43-12.el5_5.3
python-ldap-2.2.0-2.1
openldap-servers-2.3.43-12.el5_5.3
php-ldap-5.1.6-27.el5_5.3
nss_ldap-253-25.el5
openldap-2.3.43-12.el5_5.3

I have got the following entries added to the iptables as well (and I also restarted the service after that):

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT

In fact, I even tried stopping all the firewalls (in servers and clients) for the sake of this test.

On the ldap client, 'ldapsearch -x -H ldap://ldapserver/ -b "dc=mydomain,dc=com"' fails with the message 'ldap_bind: Can't contact LDAP server (-1)', and 'getent' does not show any entries from the ldap. As said earlier, it takes a painfully long time to log on even as the local user. I don't know where to look for the log files on the server. Please let me know that as well.

Once again thanks for your help.
 
01-20-2011, 06:06 AM   #4   acid_kewpie (Moderator)
So have you even started the server?? Does it run? Can you query it on the box itself?
 
01-20-2011, 06:13 AM   #5   guna_pmk (Original Poster)
Yes Chris, as I stated, I could query it from the server.

The following is what is installed on the client machine in terms of ldap, which I forgot to include in my previous post:
apr-util-ldap-1.3.10-1.fc14.i686
pam_ldap-185-5.fc14.i686
openldap-2.4.23-4.fc14.i686
openldap-clients-2.4.23-4.fc14.i686
nss_ldap-265-6.fc14.i686

Cheers

Last edited by guna_pmk; 01-21-2011 at 05:55 AM.
 
01-20-2011, 06:19 AM   #6   guna_pmk (Original Poster)
And this is the process line of slapd:

ldap 13666 1 0 09:21 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap

Thanks
 
01-20-2011, 06:38 AM   #7   acid_kewpie (Moderator)
OK, so if it works on the server, it sounds like a firewall issue. The best angle is probably to tcpdump on the server whilst you're querying from the client and see what it sees in terms of received network traffic.
 
01-20-2011, 06:48 AM   #8   guna_pmk (Original Poster)
Hi Chris,

Thanks for the immediate response. As I have stated in one of the previous posts, I even tried this setup with all the firewalls stopped.

Anyhow, I ran tcpdump (but now with the firewall on). Below are the details:
On the ldap server I issued the command 'tcpdump port ldap -i eth0 -X -s 1024 -v'

For the 'ldapsearch -x -H ldap://ldapserver' from the client, the following is what I see on the server:
12:44:57.637383 IP (tos 0x0, ttl 64, id 13185, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.0.36.42394 > ldapserver.ldap: S, cksum 0x3924 (correct), 2197430249:2197430249(0) win 5840 <mss 1460,sackOK,timestamp 601192 0,nop,wscale 7>
0x0000: 4500 003c 3381 4000 4006 85a3 c0a8 0024 E..<3.@.@......$
0x0010: c0a8 0023 a59a 0185 82fa 1fe9 0000 0000 ...#............
0x0020: a002 16d0 3924 0000 0204 05b4 0402 080a ....9$..........
0x0030: 0009 2c68 0000 0000 0103 0307 ..,h........

and on the client side I got 'ldap_bind: Can't contact LDAP server (-1)'.

Cheers
 
01-20-2011, 06:51 AM   #9   acid_kewpie (Moderator)
So either you're not listening on port 389 or your iptables rules are still dropping the packets. Are these devices on the same network? It could be a return routing issue, but that's really pushing it. Can you ping it?
 
01-20-2011, 06:59 AM   #10   guna_pmk (Original Poster)
Here is the result of 'netstat -tulnap | grep slap' on the server:
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 14232/slapd
tcp 0 0 :::389 :::* LISTEN 14232/slapd

Does this not mean that slapd is listening on 389?

I could ping the machines both ways (i.e. Server <==> Client).
 
01-20-2011, 07:21 AM   #11   acid_kewpie (Moderator)
That's listening, so I'd be looking at the iptables rules again.
 
01-20-2011, 07:38 AM   #12   guna_pmk (Original Poster)
Man, that's the firewall!!!! Thanks for your continuous polling on the problem. I must have missed something last time.

Here it is: if I stop the firewall on the ldap server, ldapsearch works instantly.

What I don't understand is that I have the port(s) allowed in iptables. Now I have the iptables rules as follows:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 636 -j ACCEPT

Even then, after starting iptables, ldapsearch fails. I don't know why. Any ideas?

I am out for lunch just now; will be back shortly.

Thanks
 
01-20-2011, 07:47 AM   #13   acid_kewpie (Moderator)
I'd guess you're adding them after a default DROP has already happened.

LDAP is only TCP, not UDP.
 
01-20-2011, 08:24 AM   #14   guna_pmk (Original Poster)
You rock again, Chris!!! You are right; I had to move the entries further up, before the DROP. It is working now. Thanks for your help.
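As an added illustration (not code from the thread), the rule-ordering mistake diagnosed in the last two posts checked mechanically: a small POSIX shell/awk filter that flags any ACCEPT rule appended after an unconditional DROP/REJECT in the same chain. The two rule sets are constructed samples modelled on the stock CentOS 5 RH-Firewall-1-INPUT chain; on a real server you would feed it the output of iptables-save.

```shell
# Constructed sample, modelled on the stock CentOS 5 RH-Firewall-1-INPUT chain:
# the catch-all REJECT comes BEFORE the LDAP ACCEPT rules that were appended
# with -A, so those ACCEPTs are never reached (the situation in post #12).
BROKEN_RULES='-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT'

# Same rules with the LDAP ACCEPTs moved above the terminator (post #14).
FIXED_RULES='-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 636 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# shadowed_accepts: read iptables-save style rules on stdin and print every
# ACCEPT that sits after an unconditional DROP/REJECT in the same chain.
# Exit status 0 = nothing shadowed, 1 = at least one rule can never match.
shadowed_accepts() {
  awk '
    $1 == "-A" {
      chain = $2
      # A catch-all terminator has no match options: just "-j DROP" or
      # "-j REJECT" (optionally with --reject-with).
      if ($0 ~ /^-A [^ ]+ -j (DROP|REJECT)( --reject-with [^ ]+)?$/) {
        if (!(chain in closed)) closed[chain] = NR
      } else if ((chain in closed) && $0 ~ / -j ACCEPT$/) {
        printf "shadowed: line %d is after terminator at line %d: %s\n", NR, closed[chain], $0
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Run both samples; on a live box use: iptables-save | shadowed_accepts
printf '%s\n' "$BROKEN_RULES" | shadowed_accepts \
  || echo "-> LDAP ACCEPT rules never match; insert them above the REJECT"
printf '%s\n' "$FIXED_RULES" | shadowed_accepts \
  && echo "-> no shadowed rules"
```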
 
01-21-2011, 05:38 AM   #15   guna_pmk (Original Poster)
Hi Guys,

Sadly, I have to reopen this thread. The problems regarding the ldap server and client are solved now. But my problem with the login time still remains. It takes a painfully long, long time to log in even as the local user. Another thing I noticed was that the mdmonitor service takes a very, very long time to start. If I disable ldap in nsswitch.conf, the delay does not happen (and of course, I cannot log on to the ldap server).

Does anybody have any idea?

Thanks