# LDAP Authentication Howto and Webmin

## pgb2

Hello, I just followed the authentication Howto in http://www.gentoo.org/doc/en/ldap-howto.xml, and the server seems to be configured properly (exactly as the howto says), and seems to be working great.

As the howto suggested, I want to use Webmin to administer the users and groups.

I changed the module configuration so the "Linux LDAP NSS library config file" points to /etc/ldap.conf and left the rest untouched.

However, when trying to use the module I get this error 

```
Failed to connect to LDAP server port 389. Maybe your module configuration is incorrect.Failed to connect to LDAP server port 389. Maybe your module configuration is incorrect.
```

My questions are:

- Why is webmin trying to go to port 389 instead of 636? (As in the howto, I'm using ldaps.)

- How can I fix it?

Thanks in advance. I'm new to Gentoo, and both the system and the documentation are great.

----------

## adaptr

You can set the LDAP port manually in the module config.

----------

## pgb

That doesn't work either. If I change the port in the configuration I still get 

```
Failed to connect to LDAP server port 389. Maybe your module configuration is incorrect.
```

If I, however, add into my /etc/ldap.conf the following:

```
host 127.0.0.1
port 636
```

I get a different error:

```
Failed to bind to LDAP server as uid=root,ou=People,dc=mydomain,dc=com : Can't contact LDAP server. Maybe your module configuration is incorrect.
```

Any suggestions? Port 636 is working, as I can telnet to it.

----------

## pgb

How can I debug both ldap and pam in order to be able to track down this problem? Is anyone having the same problem as I do?

Thanks a lot

----------

## rkasting

I'm having the exact same problem and am figuring there is a development issue with Webmin.

By the way, have you noticed there are two ldap.conf files in the directions? One in /etc and one in /etc/openldap... is that the way it's supposed to be?

----------

## pgb

The two ldap.conf files (as far as I can understand) are correct, as one is for the ldap server and another for the client connecting to it (in this case the same box).

I worked around the webmin issue by disabling TLS, but that is not the permanent solution I'm looking for.

----------

## rkasting

Which ldap.conf should I point Webmin to?  I've been using /etc/ldap.conf.

----------

## rkasting

Webmin is such a cool idea, but I've had terrible luck with the modules I've tried to use.  The only two I've cared about are ldap and qmail and neither really works when I try to use it.

----------

## rkasting

OK.  From what I've seen on a BUNCH of posts all over the place, it seems that everything was OK on the last version of webmin for pretty much everyone and then this version broke it.... How do I backlevel myself to the older package for webmin?  (Never tried this).

----------

## cselkirk

When it errors "Failed to bind to LDAP server as uid=root,ou=People,dc=mydomain,dc=com" is that the actual error or did you munge the domain.tld? If so, then it looks like you haven't edited your LDAP configuration properly. Additionally suspicious is the "uid=root" as by default the rootdn is cn=Manager.

As far as using LDAPS (TLS) goes, you should make sure your uri (in /etc/openldap/ldap.conf) only stipulates "ldaps" and /etc/conf.d/slapd looks something like the following:

```
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

This means only ldaps (TLS) and a socket are available.

----------

## pgb

*Quote:*

> When it errors "Failed to bind to LDAP server as uid=root,ou=People,dc=mydomain,dc=com" is that the actual error or did you munge the domain.tld

I munged the domain... I'll try using Manager instead of uid=root.

I got the rootdn from the LDAP Howto, but I'll try using Manager instead of root.

The weird thing is that I managed to get Webmin working by disabling TLS, so I think the rootdn is not making a difference. Am I correct?

Thanks.

----------

## cselkirk

I think not, as all this seems to be pointing to your TLS setup; either that, or webmin is trying to connect to port 389 regardless. I know nothing of webmin and so I'll have to leave that to others.

If you're not using LDAP to authenticate other machines (or provide any directory service outside of localhost) then there is little need of TLS; if you need to get it working I can perhaps help, or at a minimum provide the ubiquitous "it works here" (... and working fairly painlessly for three years).

BTW you can run "ldaps://" and "ldap://" simultaneously and also have them listen on 0.0.0.0 and localhost respectively.

I've not heard anything (either good nor bad) IRT webmin, though having worked exclusively with vim, sed and some slapped together .ldif templates (and passed on to ldap{modify,delete,add} via some oneliners in my history) I can't think of anything it might offer me (I say that with just a touch of irony).
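The thread's two configuration questions (pgb's client /etc/ldap.conf with `host`/`port`, and cselkirk's slapd listener list in /etc/conf.d/slapd, including the split of plain `ldap://` on localhost and `ldaps://` on 0.0.0.0) can be checked against each other mechanically. The script below is an added example written for this thread; it is not code from Webmin, OpenLDAP or the Gentoo howto. It assumes nss_ldap/pam_ldap-style client keywords (`host`, `port`, `uri`, `ssl`), with the simplified rule that `ssl on` selects ldaps and an unspecified port falls back to 389 or 636 by scheme; the sample files and listener strings are constructed to mirror the thread, not taken from any real host.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# Constructed samples modelled on the thread (not real files from any host).
SLAPD_OPTS_TLS_ONLY = "ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock"
SLAPD_OPTS_SPLIT = "ldap://localhost ldaps://0.0.0.0"   # cleartext only on loopback
CLIENT_CONF_PLAIN = "host 127.0.0.1\nbase dc=mydomain,dc=com\n"          # no ssl, no port
CLIENT_CONF_TLS = "host 127.0.0.1\nport 636\nssl on\nbase dc=mydomain,dc=com\n"


def parse_listeners(opts):
    """Parse the space-separated URI list given to slapd -h.

    Returns (scheme, host, port) tuples.  A URI with an empty host part,
    such as 'ldaps://', is treated as listening on every interface; an
    ldapi:// URI is a UNIX socket and carries no port.
    """
    listeners = []
    for uri in opts.split():
        parts = urlsplit(uri)
        if parts.scheme == "ldapi":
            listeners.append(("ldapi", parts.netloc, None))
            continue
        host = parts.hostname or "0.0.0.0"
        port = parts.port or DEFAULT_PORT[parts.scheme]
        listeners.append((parts.scheme, host, port))
    return listeners


def parse_client(conf):
    """Work out the (scheme, host, port) a client with this ldap.conf targets.

    Keyword handling is an assumption made for this example: 'uri' wins when
    present; otherwise 'ssl on' selects ldaps and anything else plain ldap,
    'port' overrides the scheme's default, and 'host' defaults to localhost.
    """
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    if "uri" in settings:
        parts = urlsplit(settings["uri"].split()[0])
        return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORT[parts.scheme])
    scheme = "ldaps" if settings.get("ssl", "").lower() == "on" else "ldap"
    port = int(settings["port"]) if "port" in settings else DEFAULT_PORT[scheme]
    return (scheme, settings.get("host", "localhost"), port)


LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ANY = {"0.0.0.0", "::"}


def reachable(target, listeners):
    """True if some TCP listener serves the target's scheme, host and port."""
    scheme, host, port = target
    for l_scheme, l_host, l_port in listeners:
        if l_scheme != scheme or l_port != port:
            continue
        if l_host in ANY or l_host == host:
            return True
        if l_host in LOOPBACK and host in LOOPBACK:
            return True
    return False


def exposure_warnings(listeners):
    """Flag cleartext ldap:// listeners reachable from every interface."""
    return [f"ldap://{host}:{port} accepts cleartext binds from every interface"
            for scheme, host, port in listeners if scheme == "ldap" and host in ANY]


def diagnose(conf, opts):
    """Combine the checks into one report dict for a client/server pair."""
    target = parse_client(conf)
    listeners = parse_listeners(opts)
    return {
        "target": target,
        "reachable": reachable(target, listeners),
        "warnings": exposure_warnings(listeners),
    }


if __name__ == "__main__":
    # A client with neither port nor ssl against a TLS-only slapd: this is the
    # "Failed to connect to LDAP server port 389" situation from the thread.
    print(diagnose(CLIENT_CONF_PLAIN, SLAPD_OPTS_TLS_ONLY))
    # The same client against the split listener set: plain ldap on loopback works.
    print(diagnose(CLIENT_CONF_PLAIN, SLAPD_OPTS_SPLIT))
    # A TLS-configured client against the TLS-only server.
    print(diagnose(CLIENT_CONF_TLS, SLAPD_OPTS_TLS_ONLY))
    # Binding cleartext ldap:// to all interfaces gets flagged.
    print(exposure_warnings(parse_listeners("ldap://0.0.0.0 ldaps://")))
```

The first report shows why a client that still defaults to port 389 cannot reach a slapd started with `ldaps://` only, and the second shows that the loopback/0.0.0.0 split keeps such a client working without exposing cleartext binds beyond the local host.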

----------

## pgb

*cselkirk wrote:*

> I think not, as all this seems to be pointing to your TLS setup; either that, or webmin is trying to connect to port 389 regardless. I know nothing of webmin and so I'll have to leave that to others.

I'll give it another try and let you know what happens.

*cselkirk wrote:*

> BTW you can run "ldaps://" and "ldap://" simultaneously and also have them listen on 0.0.0.0 and localhost respectively.

That's a good idea... it may be a good trade-off to have both webmin and TLS working. Thanks for the tip.

----------

## dakster

pgb2, can you tell me what version of openldap you're using? That howto that worked for you isn't working for me, and I'm about down to switching versions.

----------

## pgb

I have openldap-2.1.30-r2.

Can you post your config. files? Maybe I can help...

----------

## dakster

I'm a dolt, it was tcp wrappers. I need more sleep apparently. Now I'm off to bringing all the info over from our old Irix box to run the migration tools. Man I miss NIS :)

Sorry for the false alarm.

----------

## DefconAlpha

I have been having some issues similar to yours. I could not connect to my LDAPS server running on the local host... after doing some slapd -d 255 and using the -h out of /etc/conf.d/slapd I realized that slapd was rejecting 'ldap://' and 'ldaps://' as valid host URIs. I changed it to -h 'ldap://localhost ldaps://neptune:636' and now everything seems to work fine.

----------

## cselkirk

It's not specifically the contents of /etc/conf.d/slapd that is at issue; entries such as 'ldap://' are fine as the uri is taken from /etc/openldap/ldap.conf in the form of "uri", e.g.:

```
uri ldaps://ldap.domain.tld:636/
```

This simply sounds as though they are not defined there, or if defined, not resolvable.

----------

