*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 12:48 |
*** nowen has quit (Quit: Leaving.) | 14:58 |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 15:04 |
*** testuser1 (48c40b51@gateway/web/freenode/ip.72.196.11.81) has joined #wikid | 17:34 |
testuser1 | trying to get ADRegister.jsp to work, and noticed that making a ldap connection to the ad servers is failing | 17:48 |
testuser1 | ./ldapsearch -h 192.168.68.222 -p 389 -b '' -s base '(objectclass=*)' Connect Error Result Code: 91 (Connect Error) | 17:49 |
testuser1 | i have the ad server as a network client in wiKID as well | 17:50 |
testuser1 | any thoughts - does wikid server require iptables? | 18:09 |
nowen | testuser1: you are most likely correct - iptables | 18:17 |
nowen | you can open it yourself or add your AD server as a network client and restart wikid | 18:18 |
testuser1 | i did add it as a network client and restart | 18:22 |
testuser1 | iptables -L -v | 18:22 |
testuser1 | 0 0 ACCEPT tcp -- any any 192.168.68.222 anywhere state NEW tcp dpt:ldap | 18:22 |
nowen | and can you connect? | 18:24 |
testuser1 | i can not | 18:24 |
testuser1 | but can from other hosts on the same network | 18:24 |
nowen | and you get to port 389 on the WiKID server from .222? | 18:25 |
testuser1 | I don't have ldap installed on wikid but I can get to 443 and radius from .222 to the wikid server | 18:28 |
testuser1 | does wikid lock down outgoing ports in iptables? | 18:29 |
nowen | no, but the response from AD needs to come back from AD | 18:29 |
testuser1 | not sure this is the correct command - iptables -A OUTPUT -p tcp --sport 389 -j ACCEPT | 18:29 |
nowen | I usually cut and paste another line from /etc/sysconfig/iptables ;) | 18:30 |
nowen | so not my strong suit | 18:30 |
nowen | you should be able to run 'tcpdump port 389' on wikid and hit it with any request | 18:31 |
nowen | to see if it is open. | 18:31 |
nowen | and you're not able to login to ADRegister, I assume? | 18:36 |
testuser1 | correct ADRegister not working | 18:42 |
nowen | is there an error in the Event viewer? | 18:42 |
testuser1 | will do a tcpdump to see if that shows anything | 18:42 |
nowen | yeah, it should show the outbound at least | 18:43 |
nowen | any luck testuser1? | 19:18 |
testuser1 | no not yet | 19:25 |
testuser1 | sorry got side tracked | 19:25 |
nowen | np | 19:26 |
testuser1 | odd, service iptables status shows a redirect | 19:41 |
testuser1 | tcp dpt:389 redir ports 1389 | 19:41 |
nowen | ahh crap. delete that line | 19:41 |
testuser1 | does wikid have to be restarted after iptables changes? | 19:46 |
nowen | no | 19:46 |
testuser1 | hmm tcpdump still shows ldap requests going to 1389 | 19:58 |
testuser1 | 192.168.68.222.iclpv-dm: | 19:58 |
nowen | you restarted iptables? | 19:58 |
nowen | hmm | 19:58 |
testuser1 | yeah | 19:59 |
nowen | huh | 19:59 |
nowen | did wikid put the rule back in? | 19:59 |
testuser1 | will check | 20:09 |
testuser1 | yes | 20:10 |
nowen | hmm | 20:12 |
nowen | but it seems like others have had this working recently, not just testing | 20:13 |
testuser1 | any idea why wikid would put those redirect rules in? | 20:16 |
nowen | we used to use that port. I'm not sure why it would still be in there or why it gets put back in. | 20:17 |
testuser1 | or how i could remove them | 20:17 |
nowen | what version of WiKID is this? | 20:20 |
testuser1 | 3.5.0-b1403 | 20:22 |
nowen | hmm. ok. I'll have to open a ticket to get rid of it | 20:23 |
testuser1 | ok | 20:24 |
nowen | hmm | 20:24 |
nowen | is this server in production? | 20:24 |
nowen | b/c you could test without iptables | 20:27 |
nowen | jira created. | 20:28 |
testuser1 | in test | 20:30 |
testuser1 | how do I use it without iptables, just stop iptables? | 20:30 |
nowen | yes - 'service iptables stop' | 20:35 |
testuser1 | ok, tcpdump shows the correct port but still got "Authentication to the directory failed for" in ADRegister | 20:48 |
testuser1 | will go through those settings again | 20:48 |
nowen | ok - check the event log in windows too | 20:48 |
nowen | and you see the AD response via tcpdump? | 20:54 |
testuser1 | sorry have to step away, will be back in a few, thanks for all your help | 21:11 |
nowen | np | 21:12 |
*** testuser1 has quit (K-Lined) | 22:12 |
*** nowen has quit (Quit: Leaving.) | 23:00 |
*** coolacid has quit (Quit: +++ OK ATH OK) | 23:03 |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 23:03 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!