Problem with firewall?
Andrew Afliatunov
andy at taom.ru
Tue Jan 18 07:28:22 UTC 2005
IEM - Network Operation Center wrote:
> Andrew Afliatunov wrote:
>
>>
>> Authentication fails, and in mail.log I see:
>> --
>> Dec 24 11:24:15 web imapd[3408]: pam_ldap: ldap_simple_bind Can't
>> contact LDAP server
>> --
>>
>> Here I must say, that when I built test Linux server in local network
>> with the same configuration and test Windows AD server in the same
>> network, I was able to authenticate in IMAP. The only difference between
>> WAN and LAN servers is firewall.
>> So - isn't it enough to open port 636 on it (although firewall log says
>> that ldap packets go in both directions)?
>
>
Thanks for your reply.
> have you changed the ldap-servers address ;-) ?
Of course ;-).
>
> are you sure that pam_ldap is using port 636 / SSL ?
In firewall logs packets go on ldap-server and back through port 636.
(As I set in /etc/ldap.conf - 'port 636' and 'ssl on').
>
> are the ports forwarded to the correct machine ?
Yes.
>
> try to connect to your ldap-server via "telnet remote.server 636"
web[/0]~#> telnet 195.144.197.136 636
Trying 195.144.197.136...
Connected to 195.144.197.136.
Escape character is '^]'.
(After a long time)
Connection closed by foreign host.
--
I don't think that windows allows telnet connections on port 636 (or 389
either).
>
> try to connect to your ldap-server with some command-line tools like
> "ldapsearch" (on debian this is in ldap-utils; on slackware i don't
> know) and get some information
Ldapsearch works fine through port 389, but through 636 - 'ldap_bind:
Can't contact ldap server.'
On my test servers the situation is the same - ldapsearch on linux can't
bind to windows port 636, but authentication of imap in AD nevertheless
works there.
>
> in the past, i have had problems with the certificates being not
> installed on the client-machine (your imap-server)
Windows server doesn't require client authentication, so there's no need
for a certificate on the linux server. And I don't use TLS, but SSL.
>
> furthermore, a lot of imap-servers have built-in ldap-support, so you
> could use this instead of pam. (i guess this is somewhat flamish on
> this list)
I like PAM, because with it I don't need to change software.
But if you can't suggest anything more, I'll have a look on other imap
servers...
--
Andrew
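
Added example, not part of the original message and not pam_ldap code: the telnet test in this thread shows only that TCP port 636 accepts a connection, so this Python sketch reports separately whether the TCP connect and the TLS handshake succeed. `probe_ldaps` and `silent_listener` are hypothetical names, and the listener is a constructed local stand-in for a port that accepts TCP but never answers the handshake.

```python
import socket
import ssl


def probe_ldaps(host, port=636, timeout=5.0, cafile=None):
    """Return (stage, detail); stage is 'tcp_failed', 'tls_failed' or 'tls_ok'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused, filtered or unroutable: a firewall or forwarding problem.
        return ("tcp_failed", str(exc))
    if cafile:
        # Verify the server certificate against the given CA bundle.
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        # Diagnostic only: test whether a handshake completes at all,
        # without trusting the peer. Do not use this context for real binds.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("tls_ok", tls.version())
    except (ssl.SSLError, OSError) as exc:
        # TCP worked but TLS did not: timeout, reset, or certificate error.
        return ("tls_failed", f"{type(exc).__name__}: {exc}")
    finally:
        raw.close()


def silent_listener():
    """Constructed stand-in: completes TCP connects but never speaks TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # the kernel accepts into the backlog; nothing ever replies
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        print(probe_ldaps(sys.argv[1], port))
```

A `tls_failed` result with a timeout matches the telnet symptom above (connected, then nothing), while `tcp_failed` points at filtering or port forwarding instead.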