LDAP doesn,t start.

Discussion in 'Installation/Configuration' started by Showa, Dec 17, 2010.

  1. Showa

    Showa Member

    Hello,

    I have got another problem. trying this howto CentOS 5.x Samba Domain Controller With LDAP Backend al went wel untill I had to start LDAP. I've got this message:
    Controleren van configuratiebestanden voor slapd: could not open config file "/etc/openldap/slapd.conf": Permission denied (13)
    slaptest: bad configuration file!

    This is my slapd.conf file:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema

    allow bind_v2
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    database bdb
    suffix "dc=amtand,dc=nl"
    rootdn "cn=root,dc=amtand,dc=nl"
    rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    password-hash {SSHA}
    directory /var/lib/ldap

    index cn,sn,uid,displayName pres,sub,eq
    index uidNumber,gidNumber eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index objectClass pres,eq
    index default sub

    And here the init.ldif:

    dn: dc=amtand ,dc=nl
    objectclass: dcObject
    objectclass: organization
    o: CentOS Directory Server
    dc: amtand

    dn: cn=root, dc=amtand, dc=nl
    objectclass: organizationalRole
    cn: root

    Does somebody knows what goes wrong?
     
  2. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    ls -la /etc/openldap/
    ?
     
  3. Showa

    Showa Member

    Looking at the permissions showed that slapd.conf had -rw------ 1 root root changing this to -rw-r----- 1 root ldap did the trick. Restarting httpd gave this message: NameVirtualHost *:80 has no VirtualHosts
    Is this a problem?

    Trying to change my iptables is a problem. Momentary the firewall is disabled as recommend in building a perfect server. I use the computer also as a router for my network and put this in iptables to do so:
    # Generated by iptables-save v1.3.5 on Fri Dec 10 09:05:11 2010
    *nat
    :pREROUTING ACCEPT [4:231]
    :pOSTROUTING ACCEPT [10:621]
    :OUTPUT ACCEPT [11:661]
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Fri Dec 10 09:05:11 2010
    # Generated by iptables-save v1.3.5 on Fri Dec 10 09:05:11 2010
    *filter
    :INPUT ACCEPT [70:4931]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [58:4093]
    -A FORWARD -s 10.0.0.0/255.255.255.0 -j ACCEPT
    -A FORWARD -d 10.0.0.0/255.255.255.0 -j ACCEPT
    -A FORWARD -s ! 10.0.0.0/255.255.255.0 -j DROP
    -A FORWARD -s 10.0.0.0/255.255.255.0 -j ACCEPT
    -A FORWARD -d 10.0.0.0/255.255.255.0 -j ACCEPT
    COMMIT
    # Completed on Fri Dec 10 09:05:11 2010

    Trying to put in the lines for HTTPS and restarting iptables failed. When I enable firewall with the default iptables running, the computer is failing is a router, and I am unable to connect to the internet on the other computers. Trying the https://10.0.0.10/samba/pla/ gave as result it was an insecure connection. Is it possible to put my iptables in the default ones, changing input, forward output etc values?

    with kind regards Ad.
     
  4. Showa

    Showa Member

    Changed iptables to this:

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *nat
    :pREROUTING ACCEPT [4:231]
    :pOSTROUTING ACCEPT [10:621]
    :OUTPUT ACCEPT [11:661]
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT

    *filter
    :INPUT ACCEPT [70:4931]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [58:4093]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    #-A FORWARD -j RH-Firewall-1-INPUT
    -A FORWARD -s 10.0.0.0/255.255.255.0 -j ACCEPT
    -A FORWARD -d 10.0.0.0/255.255.255.0 -j ACCEPT
    -A FORWARD -s ! 10.0.0.0/255.255.255.0 -j DROP
    -A FORWARD -s 10.0.0.0/255.255.255.0 -j ACCEPT
    -A FORWARD -d 10.0.0.0/255.255.255.0 -j ACCEPT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    #Allow Https://
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    #Allow samba:
    -A RH-Firewall-1-INPUT -m multiport -p udp --dport 137,138 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m multiport -p tcp --dport 139,445 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Generated by Ad v1 on Sat Dec 18 09:05:11 2010

    Seems to work. Still getting the announcement https is not save. Is this normal? Accepting the fact there is no certificat I can see the site. Can only logging as anonymous.
     

Share This Page