Problem with firewall?

Andrew Afliatunov andy at taom.ru
Tue Jan 18 07:28:22 UTC 2005


IEM - Network Operation Center wrote:

> Andrew Afliatunov wrote:
>
>>
>> Authentication fails, and in mail.log I see:
>> -- 
>> Dec 24 11:24:15 web imapd[3408]: pam_ldap: ldap_simple_bind Can't
>> contact LDAP server
>> -- 
>>
>> Here I must say, that when I built test Linux server in local network
>> with the same configuration and test Windows AD server in the same
>> network, I was able to authenticate in IMAP. The only difference between
>> WAN and LAN servers is firewall.
>> So - isn't it enough to open port 636 on it (although firewall log says
>> that ldap packets go in both directions)?
>
>
Thanks for your reply.

> have you changed the ldap-servers address ;-) ?

Of course ;-).

>
> are you sure that pam_ldap is using port 636 / SSL ?

In the firewall logs, packets go to the ldap-server and back through port 
636 (as I set in /etc/ldap.conf: 'port 636' and 'ssl on').

>
> are the ports forwarded to the correct machine ?

Yes.

>
> try to connect to your ldap-server via "telnet remote.server 636"

web[/0]~#> telnet 195.144.197.136 636
Trying 195.144.197.136...
Connected to 195.144.197.136.
Escape character is '^]'.
(After a long time)
Connection closed by foreign host.
--
I don't think that Windows allows telnet connections on port 636 (or 389 
either).

>
> try to connect to your ldap-server with some command-line tools like 
> "ldapsearch" (on debian this is in ldap-utils; on slackware i don't 
> know) and get some information

Ldapsearch works fine through port 389, but through 636 I get 'ldap_bind: 
Can't contact ldap server.'
On my test servers the situation is the same - ldapsearch on Linux can't 
bind to the Windows port 636, but authentication of IMAP against AD 
nevertheless works there.

>
> in the past, i have had problems with the certificates being not 
> installed on the client-machine (your imap-server)

The Windows server doesn't require client authentication, so there's no 
need for a certificate on the Linux server. And I don't use TLS, but SSL.

>
> furthermore, a lot of imap-servers have built-in ldap-support, so you 
> could use this instead of pam. (i guess this is somewhat flamish on 
> this list)

I like PAM, because with it I don't need to change software.
But if you can't suggest anything more, I'll have a look at other IMAP 
servers...


-- 
Andrew
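Added example, written for this archive page and not part of the post or of the pam_ldap project: the thread's checks (telnet to 636, ldapsearch on 389 vs 636, 'ssl on' vs START_TLS) test different layers, and the script below separates them. It parses a constructed /etc/ldap.conf in PADL syntax, derives the URI pam_ldap will open ('ssl on' means ldaps://, 'ssl start_tls' means plain ldap:// followed by the StartTLS operation), prints ldapsearch/openssl commands for each layer, and probes TCP reachability and the TLS handshake separately. The sample host ldap.example.test and the conf contents are constructed; the default ports 389/636 are an assumption about the usual LDAP conventions. A telnet that connects and is closed "after a long time" only proves TCP reachability: the server was waiting for a TLS ClientHello that telnet never sends.

```python
"""Layered check of a pam_ldap LDAPS path (added example, not from the post)."""
import socket
import ssl

# Constructed sample in PADL ldap.conf syntax (not the poster's real file).
SAMPLE_LDAP_CONF = """\
# pam_ldap / nss_ldap settings (constructed sample)
host ldap.example.test
base dc=example,dc=test
port 636
ssl on
tls_checkpeer no
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def ldap_uri(conf):
    """URI pam_ldap will open: 'ssl on' -> ldaps:// (TLS before the first
    LDAP PDU); 'ssl start_tls' or no ssl -> ldap:// (StartTLS is an LDAP
    operation on the plain port).  Different wire protocols, which is why
    a server that works on 389 can still refuse 636.  Ports 389/636 are
    assumed as defaults."""
    if "uri" in conf:
        return conf["uri"].split()[0]        # first of possibly several URIs
    host = conf.get("host", "localhost").split()[0]
    scheme = "ldaps" if conf.get("ssl", "no").lower() == "on" else "ldap"
    port = int(conf.get("port", 636 if scheme == "ldaps" else 389))
    return f"{scheme}://{host}:{port}"


def split_uri(uri):
    """'ldaps://host:636' -> ('ldaps', 'host', 636); port defaults by scheme."""
    scheme, _, rest = uri.partition("://")
    host, _, port = rest.partition(":")
    return scheme, host, int(port or (636 if scheme == "ldaps" else 389))


def diagnostic_commands(conf):
    """Shell commands (openssl, ldapsearch from ldap-utils) per layer."""
    uri = ldap_uri(conf)
    scheme, host, port = split_uri(uri)
    cmds = []
    if scheme == "ldaps":
        # TLS handshake only, no LDAP involved: separates cert/TLS faults
        # from LDAP bind faults.
        cmds.append(f"openssl s_client -connect {host}:{port} -showcerts")
    search = f"ldapsearch -x -H {uri} -b '{conf.get('base', '')}' -s base"
    if conf.get("ssl", "").lower() == "start_tls":
        search = search.replace("ldapsearch -x", "ldapsearch -x -ZZ")
    cmds.append(search)                      # real (anonymous) LDAP bind
    return cmds


def probe(uri, timeout=5.0, verify_cert=True):
    """Report the first layer that fails: 'tcp-failed: ...',
    'tls-failed: ...', or 'tcp-ok' / 'tls-ok <version>'."""
    scheme, host, port = split_uri(uri)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"tcp-failed: {exc}"
    if scheme != "ldaps":
        sock.close()
        return "tcp-ok"
    ctx = ssl.create_default_context()
    if not verify_cert:                      # mirrors 'tls_checkpeer no'
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return f"tls-ok {tls.version()}"
    except OSError as exc:                   # SSLError, timeout, reset
        return f"tls-failed: {exc}"
    finally:
        sock.close()


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    uri = ldap_uri(conf)
    print("pam_ldap will use:", uri)
    for cmd in diagnostic_commands(conf):
        print("  try:", cmd)
    print(probe(uri, verify_cert=conf.get("tls_checkpeer", "yes") != "no"))
```

Run it on the real /etc/ldap.conf by reading the file into parse_ldap_conf; a 'tcp-ok' from the firewall side but 'tls-failed' from probe points at the server's SSL listener (or a device in the path that terminates the handshake), not at the firewall rule.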