Submitted as a Cool Solutions tip

Found this very interesting as we actually answered this in Novell's public forum, almost word-for-word.

With eDirectory 8.8, users can configure LDAP Server to listen on one or all of the IP addresses configured on the machine. In eDirectory 8.8 SP2, LDAP Server has been enhanced to listen on specific IP addresses, selected through the ldapInterfaces attribute.

ldapInterfaces is a multi-valued string attribute that stores IP addresses and port numbers in a format resembling an LDAP URL. The LDAP server listens on these addresses and ports, for both the clear-text port and the secure (TLS) port.

The representation of the ldapInterfaces attribute changed in eDirectory 8.8 SP2. In eDirectory 8.8 and 8.8 SP1, ldapInterfaces takes a single value: one IP address or "*". The "*" value makes LDAP Server listen on all IP addresses configured on the machine.

From eDirectory 8.8 SP2 onwards, ldapInterfaces can hold multiple IP addresses or hostnames, separated by spaces. The default value is "ldap:// ldaps://", which means LDAP Server listens on all IP addresses configured on the machine, on both the clear-text and the secure port.

For example, to configure an instance of LDAP Server to listen only on specific addresses (clear text on 192.168.1.1, TLS on 192.168.2.1, and both on 192.168.100.101 and on the loopback address), follow the steps below:

Using iManager or ldapconfig, modify the ldapInterfaces attribute of the LDAP Server object to add the following values:

ldap://192.168.1.1:389
ldaps://192.168.2.1:636
ldap://192.168.100.101:389
ldaps://192.168.100.101:636
ldap://127.0.0.1:389
ldaps://127.0.0.1:636

For example:

ldapconfig -s "ldapinterfaces=ldap://192.168.1.1:389 ldaps://192.168.2.1:636 ldap://192.168.100.101:389 ldaps://192.168.100.101:636 ldap://127.0.0.1:389 ldaps://127.0.0.1:636" -a cn=admin.o=acme.com -w secret

Disable ports 389 and 636 on the LDAP Server object.

If the clear-text (TCP) or TLS (SSL) port in the LDAP Server object is not disabled, the server continues to listen on all interfaces of the machine, so the ldapInterfaces values alone do not restrict where it listens.

For example:

ldapconfig -s "LDAP Enable TCP=No" -a cn=admin.o=acme.com -w secret
ldapconfig -s "LDAP Enable SSL=No" -a cn=admin.o=acme.com -w secret

Note: If you did NOT use iManager (which refreshes the server automatically) to make these changes, you must refresh the LDAP Server with the following command:

ldapconfig -R -a cn=admin.o=acme.com -w secret

The feature is available from eDirectory 8.8 SP2 onwards and is supported on all UNIX platforms that eDirectory supports.

From Novell Docs

This page (revision-3) was last changed on 23-Mar-2016 16:23 by jim