LDAP stopped responding but on 127.0.0.1

NethServer Version: NethServer release 7.6.1810 (final)
Module: Base

Hi all,

I have a NS on a VPS (so a single network interface, green, with firewall rules/fail2ban in front of it) which should do authentication/authorization with LDAP through a VPN to another machine. I used the OpenVPN package available from the Software Center and configured a roadwarrior client for the other machine. The other client connects fine and is able to use all the NS services.

I tried to configure the LDAP client on a NextCloud instance on the “client” VPS, which worked for some time and then stopped.

I narrowed down the problem with the following:

[root@ciccio ~]# ldapsearch -x -W -D 'uid=bindonly,ou=People,dc=directory,dc=nh' -b "ou=People,dc=directory,dc=nh" -h 127.0.0.1 > /dev/null
Enter LDAP Password: 
[root@ciccio ~]# echo $?
0

[root@ciccio ~]# ldapsearch -x -W -D 'uid=bindonly,ou=People,dc=directory,dc=nh' -b "ou=People,dc=directory,dc=nh" -h 172.18.255.1 > /dev/null
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
[root@ciccio ~]# echo $?
49

As you can see, the first one works fine when pointing to 127.0.0.1, while the second one fails with a rather generic error. I googled the error and found a lot of people having problems loading the wrong slapd.conf file, which is not provided anymore and thus is not the issue.

I don’t have any clue. I tried checking /var/log/messages (no results), a possible /var/log/slapd.log (found nothing), and running slapd in debug mode (here’s an extract of what I obtained with the first and then with the second command:

5c27b4ec >>> dnPrettyNormal: <uid=bindonly,ou=People,dc=directory,dc=nh>
5c27b4ec <<< dnPrettyNormal: <uid=bindonly,ou=People,dc=directory,dc=nh>, <uid=bindonly,ou=people,dc=directory,dc=nh>
5c27b4ec do_bind: version=3 dn="uid=bindonly,ou=People,dc=directory,dc=nh" method=128
5c27b4ec bdb_dn2entry("uid=bindonly,ou=people,dc=directory,dc=nh")
5c27b4ec do_bind: v3 bind: "uid=bindonly,ou=People,dc=directory,dc=nh" to "uid=bindonly,ou=People,dc=directory,dc=nh"
5c27b4ec send_ldap_result: conn=1003 op=0 p=3
5c27b4ec send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 18
5c27b4ec connection_get(18): got connid=1003
5c27b4ec connection_read(18): checking for input on id=1003

5c27b548 >>> dnPrettyNormal: <uid=bindonly,ou=People,dc=directory,dc=nh>
5c27b548 <<< dnPrettyNormal: <uid=bindonly,ou=People,dc=directory,dc=nh>, <uid=bindonly,ou=people,dc=directory,dc=nh>
5c27b548 do_bind: version=3 dn="uid=bindonly,ou=People,dc=directory,dc=nh" method=128
5c27b548 bdb_dn2entry("uid=bindonly,ou=people,dc=directory,dc=nh")
5c27b548 send_ldap_result: conn=1005 op=0 p=3
5c27b548 send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 18
5c27b548 connection_get(18): got connid=1005
5c27b548 connection_read(18): checking for input on id=1005

I really don’t know how to debug this one any further :confused:).

I’ve already checked inside “Network services” and slapd is enabled on the green interface, and ss also shows that it is listening on all addresses of the same machine.

Any ideas/clues?

Could it be the TLS connection requirement?

Authenticated binds are granted to TLS protected connections, or connections from 127.0.0.1

ldapsearch

  -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
         you use -ZZ, the  command  will  require  the  operation  to  be
         successful.
sudo -u apache scl enable rh-php71 -- php -dmemory_limit=512M /usr/share/nextcloud/occ ldap:show-config s01
sudo -u apache scl enable rh-php71 -- php -dmemory_limit=512M /usr/share/nextcloud/occ ldap:set-config s01 ldapTLS 1
# only if needed:
sudo -u apache scl enable rh-php71 -- php -dmemory_limit=512M /usr/share/nextcloud/occ ldap:set-config s01 turnOffCertCheck 1
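As an added example (not part of this thread), a small Python checker over slapd stats-level log lines: it pairs each simple BIND with its RESULT and flags binds rejected with err=49 on non-loopback connections that never established TLS, which is exactly the symptom the “authenticated binds only over TLS or from 127.0.0.1” policy quoted above produces. The log lines, connection ids and addresses are constructed, not taken from the post.

```python
import re

# Constructed slapd "stats" loglevel sample (not from the thread): a loopback
# bind that succeeds, a VPN-side cleartext bind that fails with err=49, and a
# VPN-side bind over StartTLS that succeeds.
SAMPLE_LOG = """\
conn=1003 fd=18 ACCEPT from IP=127.0.0.1:40210 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="uid=bindonly,ou=People,dc=directory,dc=nh" method=128
conn=1003 op=0 RESULT tag=97 err=0 text=
conn=1005 fd=18 ACCEPT from IP=172.18.255.10:51234 (IP=0.0.0.0:389)
conn=1005 op=0 BIND dn="uid=bindonly,ou=People,dc=directory,dc=nh" method=128
conn=1005 op=0 RESULT tag=97 err=49 text=
conn=1007 fd=19 ACCEPT from IP=172.18.255.10:51240 (IP=0.0.0.0:389)
conn=1007 op=0 STARTTLS
conn=1007 op=0 RESULT oid= err=0 text=
conn=1007 fd=19 TLS established tls_ssf=256 ssf=256
conn=1007 op=1 BIND dn="uid=bindonly,ou=People,dc=directory,dc=nh" method=128
conn=1007 op=1 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=\[?([0-9a-fA-F.:]+)\]?:\d+")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

def find_cleartext_bind_failures(log_text):
    """Return (conn, peer_ip, bind_dn) for simple binds that got err=49 on a
    non-loopback connection with no TLS session. Under the quoted policy these
    are refused by policy, not necessarily because the password is wrong."""
    peer = {}       # conn id -> peer address from the ACCEPT line
    tls = set()     # conn ids that completed a TLS handshake
    pending = {}    # (conn, op) -> dn of a simple bind awaiting its RESULT
    hits = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            peer[m.group(1)] = m.group(2)
        elif m := TLS_RE.search(line):
            tls.add(m.group(1))
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            ip = peer.get(conn, "?")
            if dn is not None and err == "49" and conn not in tls \
                    and ip not in ("127.0.0.1", "::1"):
                hits.append((conn, ip, dn))
    return hits
```

A hit for a DN whose password is known to be correct points at the transport (no StartTLS/ldaps from that client) rather than at the credentials.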

Thanks, this effectively solved the issue.

I would like to know more about the hint you found: where did you find it? I tried to search the official documentation, but didn’t read it.

Thanks again, regards,

In the developer manual.
