LDAP server configuration on RHEL5

ciphyre · 11-14-2008, 04:26 PM

I implemented SSL/TLS support for my ldap server but I need to prevent slapd from listening on port 389 for unencrypted requests.

Does anyone know how to force slapd to only listen to port 389 on the local loopback address on RHEL5?

The init.d script references the file ldap under /etc/sysconfig so I tried adding the options to /etc/sysconfig/ldap but it still listens on all addresses.

Thanks.

billymayday · 11-14-2008, 04:32 PM

I don't know the answer wrt configuration, but you could always block it with iptables.

ciphyre · 11-14-2008, 04:38 PM

Quote:

Originally Posted by billymayday

I don't know the answer wrt configuration, but you could always block it with iptables.

Ya that is part of my overall plan, but I am just concerned with the relying on just iptables or even tcp wrappers or xinetd.

The environment I am using ldap in has to be extremely paranoid because the servers are accessible via the Internet.

bathory · 11-14-2008, 05:57 PM

From slapd man page, I think that you can try something like:

Code:

slapd -h ldap://127.0.0.1/ ldaps:///

ciphyre · 11-14-2008, 06:09 PM

Quote:

Originally Posted by bathory

From slapd man page, I think that you can try something like:

Code:

slapd -h ldap://127.0.0.1/ ldaps:///

I tried using this but the only port ldap was listening to was 389, nothing on 636.

Does the /etc/ldap.conf file control any slapd configuration or is that just for ldap client options?

bathory · 11-14-2008, 06:25 PM

Maybe it needs the double quotes:

Code:

slapd -h "ldap://127.0.0.1/ ldaps:///"

Quote:

Does the /etc/ldap.conf file control any slapd configuration or is that just for ldap client options?

Of course it controls various setup aspects of the slapd daemon, but nothing regarding the networking part (like listening ports and such). But you need to put in slapd.conf the TLS options for the server to use ldaps.

ciphyre · 11-14-2008, 06:43 PM

Quote:

Originally Posted by bathory

Maybe it needs the double quotes:

Code:

slapd -h "ldap://127.0.0.1/ ldaps:///"

Of course it controls various setup aspects of the slapd daemon, but nothing regarding the networking part (like listening ports and such). But you need to put in slapd.conf the TLS options for the server to use ldaps.

The TLS options are configured and working.

I should add that I have been using the redhat "service ldap start" (and also /etc/init.d/ldap)feature to get slapd to start. I took a look at the /var/run/openldap/slapd.args file to see how it is being started using these features and found this:

/usr/sbin/slapd -h ldap:/// ldaps:/// -u ldap

So I stopped slapd and manually ran it as so:

/usr/sbin/slapd -h ldaps:/// -u ldap

Which worked. So.....looks like I have to edit the init script for ldap to turn off using port 389 so that a reboot doesn't open up this hole.

Anyone good at editing init scripts?

ciphyre · 11-14-2008, 07:02 PM

Quote:

Originally Posted by ciphyre

The TLS options are configured and working.

I should add that I have been using the redhat "service ldap start" (and also /etc/init.d/ldap)feature to get slapd to start. I took a look at the /var/run/openldap/slapd.args file to see how it is being started using these features and found this:

/usr/sbin/slapd -h ldap:/// ldaps:/// -u ldap

So I stopped slapd and manually ran it as so:

/usr/sbin/slapd -h ldaps:/// -u ldap

Which worked. So.....looks like I have to edit the init script for ldap to turn off using port 389 so that a reboot doesn't open up this hole.

Anyone good at editing init scripts?

The ldap init script references /etc/sysconfig/ldap, so i shouldn't have to modify the script directly however the options I added are not getting picked up, any reason why?

bathory · 11-15-2008, 05:09 AM

Quote:

The ldap init script references /etc/sysconfig/ldap, so i shouldn't have to modify the script directly however the options I added are not getting picked up, any reason why?

I don't have a redhat system handy at the moment, so could you post the contents of /etc/sysconfig/ldap.

ciphyre · 11-16-2008, 01:43 AM

Quote:

Originally Posted by bathory

I don't have a redhat system handy at the moment, so could you post the contents of /etc/sysconfig/ldap.

Here is what I have:

# File: /etc/sysconfig/ldap
#
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=no
#
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: no
SLAPD_LDAPI=no
#
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes

bathory · 11-16-2008, 03:49 PM

You can set every option to "no" in /etc/sysconfig/ldap and add the working -h "ldap://127.0.0.1/ ldaps:///" option in the slapd startup script /etc/init.d/slapd.

santanu.roy · 11-17-2008, 02:06 AM

Quote:

Originally Posted by ciphyre

I implemented SSL/TLS support for my ldap server but I need to prevent slapd from listening on port 389 for unencrypted requests.

Does anyone know how to force slapd to only listen to port 389 on the local loopback address on RHEL5?

The init.d script references the file ldap under /etc/sysconfig so I tried adding the options to /etc/sysconfig/ldap but it still listens on all addresses.

Thanks.

can you please guide me to configure a ldap server which will be using instead of nis.

thanks.
santanu

billymayday · 11-17-2008, 02:18 AM

Try the howto at www.linuxhomenetworking.com

ciphyre · 11-17-2008, 01:46 PM

Quote:

Originally Posted by bathory

You can set every option to "no" in /etc/sysconfig/ldap and add the working -h "ldap://127.0.0.1/ ldaps:///" option in the slapd startup script /etc/init.d/slapd.

Thanks for the info, I took your suggestion of modifying the init script and the /etc/sysconfig/ldap options and modified it a little. I looked for the variable for ldap:/// within the script and simply modified it so it looked like this: "ldap://127.0.0.1", and restarted slapd. Worked like a charm!!!!

Thanks again!!

santanu.roy · 11-19-2008, 03:36 AM

Thanks... I am trying....