NethServer Domain Controller: LDAP not reachable from green network

The setup:
On physical hardware (not a virtual machine): clean install of NS 7.8.2003 & just enable nsdc.

LDAP can be queried from NS host via:
ldapsearch -H ldaps://<nsdc IP> -x -w <Bind Password> -D <Bind DN> -b <Basis DN>
The same query from the green network fails.
Although the port is open: nc -zv <Active Directory IP> 636 ==> success

Impact: Cannot bind clients or use AD users/groups externally

A guess at what it might be:
The Samba container is started via: systemd-nspawn --quiet --keep-unit --boot --network-bridge=br0 --machine=nsdc --capability=CAP_SYS_TIME
From the systemd-nspawn man page: --network-bridge= … implies --network-veth & --network-veth implies --private-network

Maybe you need to add -Z option:

https://wiki.nethserver.org/doku.php?id=howto:useful_commands#list_all_entries_with_the_administrator_bind

2 Likes

YES!! Thank you Markus … I forgot TLS
and focused for hours on the network & promiscuous mode …
By the way, [useful_commands] is a great page :wink:

1 Like

You’re welcome. I changed the topic to support as it’s no bug.

Hi there guys, old topic but it is the same TITLE:

I can't reach the LDAPS on the AD NSDC from the LAN from a Debian VirtualBox machine; we are migrating all apps (GLPI and Paperless, development environment) to virtual machines, a step previous to NS8 on new servers this year :nerd_face: :nerd_face: :nerd_face:

This is the command that works on the AD NSDC (NethServer machine), but on Debian it keeps waiting for several minutes:

ldapsearch -ZZ -D CN=ldapservice,CN=Users,DC=ad,DC=XX,DC=XX,DC=com -w mXaXXXvkF_0 -b CN=Users,DC=ad,DC=XX,DC=XX,DC=com -H ldap://nsdc-XX.ad.XX.XX.com

Several minutes later, on the Debian machine inside the LAN, this is the answer:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I was looking for the LDAP ports, but they are not declared under services in Cockpit.

Any idea what I must do?

I can run the command from a slave AD server.

Hi @hector

Maybe the Debian machine cannot resolve the AD?
The Debian should be using the DNS in NS7, then it will work.

A slave AD server is already part of the AD, and uses the AD DNS as such!

My 2 cents
Andy

1 Like

DNS is resolving.

1 Like

Maybe you need to enable promiscuous mode in virtualbox, see Users and groups — NethServer 7 Final

Can you ping the NSDC from Debian Client?
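The staged check the replies in this thread walk through (name resolution, TCP reachability, then the StartTLS negotiation that ldapsearch -Z/-ZZ performs on port 389) as one script, added here as an example that is not part of the thread or of NethServer's own code; the host name is a placeholder and the client is assumed to trust the DC's CA.

```python
"""Staged LDAP/StartTLS probe for an nsdc host: hypothetical diagnostic written for
this thread, not NethServer code. Uses the RFC 4511 StartTLS extended operation."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # short-form BER lengths
    ext_req = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext_req
    return b"\x30" + bytes([len(body)]) + body


def parse_result_code(pdu: bytes) -> int:
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 means StartTLS accepted."""
    if len(pdu) < 10 or pdu[0] != 0x30 or pdu[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    i = 4 + pdu[3]                # skip SEQUENCE header and messageID INTEGER
    if pdu[i] != 0x78 or pdu[i + 2] != 0x0A:   # ENUMERATED resultCode comes first
        raise ValueError("not an ExtendedResponse")
    return pdu[i + 4]


def probe(host: str, port: int = 389, timeout: float = 5.0) -> str:
    """First failing stage: 'dns', 'tcp', 'starttls', 'tls', or 'ok'. A client that
    hangs and then prints "Can't contact LDAP server (-1)" typically stops at 'dns' or 'tcp'."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "dns"
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except OSError:
        return "tcp"
    with sock:
        try:
            sock.sendall(build_starttls_request())
            if parse_result_code(sock.recv(4096)) != 0:
                return "starttls"
        except (OSError, ValueError, IndexError):
            return "starttls"
        try:   # certificate checked against the system trust store, as ldapsearch -ZZ does
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                return "ok"
        except OSError:   # ssl.SSLError (bad cert / name mismatch) is an OSError subclass
            return "tls"
```

Run `probe("nsdc-XX.ad.XX.XX.com")` from the Debian client; the stage it returns tells you whether to look at DNS, the firewall/bridge, the DC's StartTLS support, or the certificate chain.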