Re: LDAP - howto get linux to talk to exchange/AD
On 29 Nov 2007 at 21:46, Bob Goldberg wrote:
>
> OK;
>
> I agree - problem is DEFINITELY ldap authentication; forget about
> exim....
>
> my exchange server is setup to accept clear text, and anonymous OK (even
> though I'm not trying to be anon).
>
> here's the thing - I have no idea what is going on between ldapsearch,
> and my exchange server.
>
> I've tried netcat'g the host:389 to see if I could eavesdrop, but to no
> avail.
> I've tried telnet'g to the host:389, and DO connect, but have no idea
> what the communication should look like, and I get no responses at all
> regardless of what I try.
>
> ldap is definitely running - I can run custom queries, and
> ldap://queries thru my windows browser with success.
>
> the problem IS debian authenticating w/ the exchange server.
>
> Can someone tell me some way to diagnose just what is happening in this
> communication between ldapsearch & ldap server ???
> Or can someone point me / show me how a structured communication to
> the ldap server would look like, so I can try sending it thru telnet -
> just to see if I can get it to work that way.... Then I can try & figure
> out what ldapsearch is sending...
>
> ????
>
> TIA - Bob
>
Bob,
I have not done this with AD; however, I have done it with Novell's eDir on a
Netware Box. After confirming what attributes were visible with an LDAP
Browser on my windows workstation (http://www-unix.mcs.anl.gov/~gawor/ldap/),
I wrote a perl script to verify/test e-mail address verification on the eDir.
******** Perl Snippet **************
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# $ldhost, $ogunit, @eaddrs and @attribs are defined elsewhere in the
# script (not shown in this snippet).

# Open Connection to the LDAP server
print "Opening a connection to $ldhost ... ";
$ldap = Net::LDAP->new($ldhost) || die "Could not connect -- $@";
print "OK\n";
#
print "Binding ... ";
# Do an anonymous bind
$mesg = $ldap->bind;
$status = $mesg->code;
$errmsg = $mesg->error;
print "Status: ($status) $errmsg ";
#
# Do a search for each e-mail address
foreach $addr (@eaddrs) {
    print "Looking for $addr ... ";
    # Escape the address so filter metacharacters ( ) * \ are matched literally
    $filter = "(\&(objectclass=inetOrgPerson) (mail=".escape_filter_value($addr)."))";
    # attrs takes an array reference, not a flattened list
    $mesg = $ldap->search(base=>$ogunit, filter=>$filter, attrs=>\@attribs );
    $status = $mesg->code;
    $errmsg = $mesg->error;
    print "Status: ($status) $errmsg ";
    $ecnt = $mesg->count;
    print "found $ecnt entries\n";
    if( $ecnt > 0 ) { # Found email address in directory
        foreach $entry ($mesg->entries) {
            $dn = $entry->dn;
            $spam = $entry->get_value('SpamControl');
            print "\t$dn \tSpamControl: $spam ";
            # The first mail value is the address, the rest are aliases
            @email = $entry->get_value('mail');
            $flag=0;
            foreach $alias (@email) {
                if( $flag ) { print "\n\t Alias: $alias"; }
                else {
                    print "\n\tAddress: $alias";
                    $flag=1;
                }
            }
        }
    }
    else { print "failed. Does not exist in the directory\n\n"; }
}
******** End of Perl Snippet ***************
Once, I was able to verify email addresses with the perl; I adjusted Exim4's
configuration like so ... (You need to have the "heavy" exim4 package)
#### CWR Attempt at LDAP E-Mail Address verification
#### accept any "group" or "mail list" address which are not in the
#### eDirectory
  accept
    domains = kimberly.uidaho.edu
    recipients = lsearch;CONFDIR/acceptable.lst
#### check for individual e-mail addresses which are in the eDirectory
  deny
    domains = kimberly.uidaho.edu
    message = Administrative prohibition - unable to validate recipient
    condition = ${lookup ldapm{ \
                  ldap://###.###.###.###/o=ui?mail?sub?\
                  (mail=${quote_ldap:$local_part@$domain})} {0} {1} }
####
#### CWR Attempt at LDAP -- discard
The key for me was using the perl script and ldap browser to verify what
attributes were visible when doing an anonymous bind to ldap _and_ how to
code the request.
I hope this helps a bit. My setup is a Novell Netware server hidden from the
outside world and a Debian ETCH server visible to the outside world running
exim.
- cheers
Clarence
--
Clarence W. Robison, P.E.
robison@kimberly.uidaho.edu
208-423-6610
Received on Fri Nov 30 11:36:55 2007
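
Added example (not part of either post): the thread asks what a structured exchange with the LDAP server looks like. LDAP is a binary BER-encoded protocol, which is why text typed into telnet on port 389 gets no reply. This Python sketch builds the bytes of a simple BindRequest and decodes a BindResponse per RFC 4511; the function names and the two sample replies are constructed for illustration.

```python
# Added example: LDAPv3 simple bind on the wire (RFC 4511), BER-encoded.
# Handles short-form BER lengths only (< 128 bytes), enough for bind messages.
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                48: "inappropriateAuthentication", 49: "invalidCredentials"}

def tlv(tag: int, value: bytes) -> bytes:
    """One BER element: tag byte, length byte, value."""
    if len(value) > 127:
        raise ValueError("long-form BER length not handled here")
    return bytes([tag, len(value)]) + value

def bind_request(msg_id: int = 1, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    if not 0 < msg_id < 128:
        raise ValueError("message ID must fit in one positive byte here")
    body = (tlv(0x02, b"\x03")               # version INTEGER 3
            + tlv(0x04, dn.encode())         # bind DN, empty for anonymous
            + tlv(0x80, password.encode()))  # [0] simple: password, unencrypted
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { code, matchedDN, text } }."""
    tag, seq, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(seq, 0)
    tag, op, _ = read_tlv(seq, pos)
    if tag != 0x61:                          # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, text, _ = read_tlv(op, pos)
    num = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "code": num,
            "name": RESULT_NAMES.get(num, "other"), "diagnostic": text.decode()}

# Constructed server replies (not captured from a real server).
OK_RESPONSE = bytes.fromhex("300c02010161070a010004000400")
DENIED_RESPONSE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61,
    tlv(0x0a, b"\x31") + tlv(0x04, b"") + tlv(0x04, b"constructed sample")))
print(bind_request().hex(" "), parse_bind_response(OK_RESPONSE))
```

A non-anonymous simple bind carries the DN and password in these same octet strings unencrypted, so on port 389 it is readable by anyone on the path unless the session is protected with StartTLS or moved to LDAPS.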