On 29 Nov 2007 at 21:46, Bob Goldberg wrote:
>
> OK;
>
> I agree - problem is DEFINITELY ldap authentication; forget about
> exim....
>
> my exchange server is setup to accept clear text, and anonymous OK (even
> though I'm not trying to be anon).
>
> here's the thing - I have no idea what is going on between ldapsearch,
> and my exchange server.
>
> I've tried netcat'g the host:389 to see if I could eavesdrop, but to no
> avail.
> I've tried telnet'g to the host:389, and DO connect, but have no idea
> what the communication should look like, and I get no responses at all
> regardless of what I try.
>
> ldap is definitely running - I can run custom queries, and
> ldap://queries thru my windows browser with success.
>
> the problem IS debian authenticating w/ the exchange server.
>
> Can someone tell me some way to diagnose just what is happening in this
> communication between ldapsearch & ldap server ???
> Or can someone point me / show me how a structured communication to
> the ldap server would look like, so I can try sending it thru telnet -
> just to see if I can get it to work that way.... Then I can try & figure
> out what ldapsearch is sending...
>
> ????
>
> TIA - Bob
>
>
Bob,
I have not done this with AD; however, I have done it with Novell's eDir on a
Netware Box. After confirming what attributes were visible with an LDAP
Browser on my windows workstation (http://www-unix.mcs.anl.gov/~gawor/ldap/),
I wrote a perl script to verify/test e-mail address verification on the eDir.
****** Perl Snippit **************
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Connection parameters. These are placeholders; the posted snippet assumed
# they were set earlier in the script.
my $ldhost  = 'ldap.example.com';        # LDAP server host
my $ogunit  = 'ou=people,o=example';     # search base
my @attribs = ('mail', 'SpamControl');   # attributes to return
my @eaddrs  = ('user@example.com');      # addresses to verify

# Open Connection to the LDAP server
print "Opening a connection to $ldhost ... ";
my $ldap = Net::LDAP->new($ldhost) || die "Could not connect -- $@";
print "OK\n";
#
print "Binding ... ";
# Do an anonymous bind
my $mesg   = $ldap->bind;
my $status = $mesg->code;
my $errmsg = $mesg->error;
print "Status: ($status) $errmsg\n";
#
# Do a search for each e-mail address
foreach my $addr (@eaddrs) {
    print "Looking for $addr ... ";
    # AND filter: entry must be an inetOrgPerson whose mail attribute matches
    my $filter = "(&(objectclass=inetOrgPerson)(mail=$addr))";
    # attrs takes an array reference
    $mesg = $ldap->search(base => $ogunit, filter => $filter, attrs => \@attribs);
    $status = $mesg->code;
    $errmsg = $mesg->error;
    print "Status: ($status) $errmsg ";
    my $ecnt = $mesg->count;
    print "found $ecnt entries\n";
    if ($ecnt > 0) {    # Found email address in directory
        foreach my $entry ($mesg->entries) {
            my $dn   = $entry->dn;
            my $spam = $entry->get_value('SpamControl') || '';
            print "\t$dn \tSpamControl: $spam ";
            # First mail value is treated as the primary address, the rest as aliases
            my @email = $entry->get_value('mail');
            my $flag  = 0;
            foreach my $alias (@email) {
                if ($flag) { print "\n\t Alias: $alias"; }
                else {
                    print "\n\tAddress: $alias";
                    $flag = 1;
                }
            }
            print "\n";
        }
    }
    else { print "failed. Does not exist in the directory\n\n"; }
}
$ldap->unbind;
******** End of Perl Snippit ***************
Once I was able to verify email addresses with the perl script, I adjusted Exim4's
configuration like so ... (You need to have the "heavy" exim4 package)
#### CWR Attempt at LDAP E-Mail Address verification
#### accept any "group" or "mail list" address which are not in the
#### eDirectory
accept
  domains = kimberly.uidaho.edu
  recipients = lsearch;CONFDIR/acceptable.lst
#### check for individual e-mail addresses which are in the eDirectory
deny
  domains = kimberly.uidaho.edu
  message = Administrative prohibition - unable to validate recipient
  condition = ${lookup ldapm{ \
                ldap://###.###.###.###/o=ui?mail?sub?\
                (mail=${quote_ldap:$local_part@$domain})} {0} {1} }
####
#### CWR Attempt at LDAP -- discard
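The deny rule above builds an LDAP filter out of the incoming recipient address, which is why it wraps the value in ${quote_ldap:...}. As an added illustration (not code from anyone in this thread), this Python models that ACL condition against a constructed directory and shows what the lookup does with and without RFC 4515 escaping; the matcher and directory are assumptions, not Exim's or the server's own logic.

```python
import re

def quote_ldap(value):
    """RFC 4515 assertion-value escaping, same purpose as Exim's ${quote_ldap:...}."""
    out = []
    for ch in value:
        if ch in '*()\\' or ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))     # e.g. "*" -> "\2a"
        else:
            out.append(ch)
    return ''.join(out)

def recipient_filter(local_part, domain, quoted=True):
    """The filter the ACL sends: (mail=<local_part>@<domain>)."""
    addr = f"{local_part}@{domain}"
    return f"(mail={quote_ldap(addr) if quoted else addr})"

def _unescape(v):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), v)

def mail_filter_matches(filter_str, mail_value):
    """Toy evaluation of a single (mail=...) filter: bare '*' is a wildcard,
    '\\xx' is a literal character. Structurally broken filters never match."""
    m = re.fullmatch(r'\(mail=([^()]*)\)', filter_str)
    if not m:
        return False
    parts = [re.escape(_unescape(p)) for p in m.group(1).split('*')]
    return re.fullmatch('.*'.join(parts), mail_value, re.IGNORECASE) is not None

# Constructed stand-in for the directory's mail attribute values
DIRECTORY = ["alice@kimberly.uidaho.edu", "bob@kimberly.uidaho.edu"]

def acl_condition(local_part, domain, quoted=True):
    """Value of the ACL's condition string: 0 if the lookup finds an entry
    (recipient accepted), 1 if it does not (deny fires)."""
    flt = recipient_filter(local_part, domain, quoted)
    return 0 if any(mail_filter_matches(flt, m) for m in DIRECTORY) else 1

if __name__ == "__main__":
    for lp in ("alice", "nobody", "*"):
        print(lp, "quoted ->", acl_condition(lp, "kimberly.uidaho.edu"),
              "unquoted ->", acl_condition(lp, "kimberly.uidaho.edu", quoted=False))
```

With quoting, a local part such as "*" becomes "\2a" and matches nothing, so the unknown recipient is denied; without it the same local part turns the lookup into a wildcard that matches every entry.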
The key for me was using the perl script and ldap browser to verify what
attributes were visible when doing an anonymous bind to ldap _and_ how to
code the request.
I hope this helps a bit. My setup is a Novell Netware server hidden from the
outside world and a Debian ETCH server visible to the outside world running
exim.
-- cheers Clarence --
Clarence W. Robison, P.E.
208-423-6610
--
LDAP - howto get linux to talk to exchange/AD
Apologies for any duplicate posts.... I'm reading this thread on google (groups), and I apparently can't reply/post from there....
LDAP - howto get linux to talk to exchange/AD
CR - TX for your reply, your script & data was very useful.
I've made some progress... I still don't know why I can't authenticate using my admin account / password (and NOTHING I do seems to resolve this).
BUT - with my improved understanding of the structure of the ldapsearch command (TX SK); and a renewed attempt to access the ldap server anonymously (CR ;_); it appears that I can now connect to my exchange server.
now, my problem is I still can't run any queries, I only get:
# search result
search: 2
result: 2 Protocol error
After much googling on ldap protocol error 2, I'm again stuck. I found hits that referenced a "-C" option to ldapsearch; which doesn't seem to apply anymore, since I find no doc's on -C in the manpage.
I found another hit that might indicate that ldap V3 and exchange 5.5 might produce a protocol error, but I've started using -P2 anyway, with no different response. although this error is returned from the exchange server, the problem has GOT to be with ldapsearch / debian. I CAN do successful queries from windows environment.
anyone got more ideas? TIA! (again) - Bob
LDAP - howto get linux to talk to exchange/AD
On Fri, 30 Nov 2007 05:10:07 +0100, Bob Goldberg wrote:
> I agree - problem is DEFINITELY ldap authentication; forget about exim....
>
> my exchange server is setup to accept clear text, and anonymous OK (even
> though I'm not trying to be anon).
>
> here's the thing - I have no idea what is going on between ldapsearch, and
> my exchange server.
> ldap is definitely running - I can run custom queries, and ldap://queries
> thru my windows browser with success.
>
> the problem IS debian authenticating w/ the exchange server.
You need to authenticate to the LDAP tree using a username that exists
in Active Directory, I can't remember how but I did this a few years ago
for a squid proxy.
> Can someone tell me some way to diagnose just what is happening in this
> communication between ldapsearch & ldap server ???
Wireshark or any packet sniffer should be able to show what's being
transferred, it may also be worth installing the openldap client
utilities (ldap-utils under debian) and querying the database manually
from them.
> Or can someone point me / show me how a structured communication to the
> ldap server would look like, so I can try sending it thru telnet - just to
> see if I can get it to work that way.... Then I can try & figure out what
> ldapsearch is sending...
http://www.mozilla.org/directory/standards.html may be useful but LDAP
isn't the easiest of protocols to grok manually.
--
Stephen Patterson :: :: http://patter.mine.nu/
GPG: B416F0DE :: Jabber:
"Don't be silly, Minnie. Who'd be walking round these cliffs with a gas oven?"
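On the "what should the conversation look like" question: LDAP is ASN.1 BER on the wire, not a line-oriented text protocol, which is why typed telnet input gets no reply and why ldapsearch reports numeric result codes. As an added illustration (not code from anyone in this thread), this Python builds the exact bytes of the anonymous LDAPv3 BindRequest that ldapsearch -x sends without -D/-w, and decodes a constructed BindResponse; the sample response is made up here, and the result-code names are from RFC 4511.

```python
# Minimal BER helpers (LDAP messages are tag / length / value triplets)
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def bind_request(msg_id, dn=b"", password=b"", version=3):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }.
    Empty DN and password is an anonymous simple bind."""
    bind = ber_int(version) + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

# RFC 4511 result codes; 2 and 49 are the two values reported in this thread
RESULT_CODES = {0: "success", 2: "protocolError", 32: "noSuchObject", 49: "invalidCredentials"}

def parse_bind_response(data):
    tag, msg, _ = read_tlv(data, 0)                # LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(msg, 0)                 # messageID INTEGER
    op_tag, op, _ = read_tlv(msg, pos)             # BindResponse [APPLICATION 1] = 0x61
    if tag != 0x30 or op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)                 # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)                  # matchedDN (ignored here)
    _, diag, _ = read_tlv(op, pos)                 # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"id": int.from_bytes(mid, "big"), "code": rc,
            "name": RESULT_CODES.get(rc, "other"), "diag": diag.decode("utf-8", "replace")}

# Constructed sample reply: a server rejecting a simple bind (resultCode 49)
SAMPLE_RESPONSE = tlv(0x30, ber_int(1) + tlv(0x61,
    tlv(0x0A, b"\x31") + tlv(0x04, b"") + tlv(0x04, b"constructed sample: credentials rejected")))

if __name__ == "__main__":
    print(bind_request(1).hex())                   # 300c020101600702010304008000
    print(parse_bind_response(SAMPLE_RESPONSE))
```

Comparing these bytes with a packet capture of ldapsearch, as suggested above, shows whether the client ever gets past the bind and which result code the server actually returns.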
--
LDAP - howto get linux to talk to exchange/AD
On Nov 28, 8:40 pm, "s. keeling" wrote:
> Bob Goldberg :
>
>
>
> > at the end of the day, this is what I want: my debian(etch)/exim machine to
> > accept all internet Email to my domain, ignore all else, and relay on to my
> > exchange5.5 server. This means I want exim to validate email recipients
> > thruldaplookups.
>
> Have you googled "eximldap"? You appear to be reinventing the
> wheel. :-) The first hit I see is a ppt, "Using Exim WithLDAP". And
> I see FreeBSD has exim-ldap...
>
hi s.
yes, I have... but none of my searches has revealed any information
that actually works.
All I can get out of exim is "Unrouteable address". no matter what
I've tried.
The ppt presentation you referred to looked like it had potential, but
not 1 single LDAP query in that ppt seemed to work correctly on my
windows browser. I figured if the information in there, which DID look
fairly straightforward, doesn't work right, then how can I trust
anything that follows.?
I certainly accept the notion that the problem is ME. But I can't seem
to find a place to start diagnosing what I'm doing wrong... I can't
seem to get even the simplest of things to work correctly when it
comes to using exim w/ ldap.
I consider myself expert, when it comes to most things *nix. But
working with ldap has been the most frustrating experience i've had in
a long time.
The closest thing to ANY success i've had is with ldapsearch as
follows:
ldapsearch -h exchange.domain.com -D
"CN=exim,CN=Users,DC=domain,DC=com" -x -w "password" -b
"CN=Users,DC=domain,DC=com" "(memberOf=CN=Users,DC=domain,DC=com)"
this command at least seems to communicate w/ the exchange server, and
tells me "invalid credentials".
I can only ASSUME that means a problem w/ the user/password, but I
KNOW that info IS valid.
I don't have a clue how to start figuring out what's wrong with
credentials I KNOW are good.
is debian REALLY talking to my exchange server? have no clue...
it would help if I could telnet to my exchange server & submit a query
& see it work... but no one can even tell me if this can be done!?!?
--
LDAP - howto get linux to talk to exchange/AD
at the end of the day, this is what I want: my debian(etch)/exim machine to accept all internet Email to my domain, ignore all else, and relay on to my exchange 5.5 server. This means I want exim to validate email recipients thru ldap lookups.
seems like a simple enough task, even one that many people have probably done. Can I find any examples of an exim config file that demonstrates this? NO! doc's suck. So I have no idea if my router config is even close or not. I don't think I need an acl, but i'm not sure. such a simple task, you'd think there'd already be a sample config file out there somewhere....
Having said that, I'm trying to figure out why my ldap lookup's aren't working, so that leads me down a nasty diagnostic path.
1) can you do ldap queries using telnet? I seem to connect to my server fine, but every query I insert, returns nothing.
2) i'm trying to do ldap lookups using ldapsearch, and I'm not having any luck at all, and i'm getting "invalid credential" error messages.
3) ldap is definitely running on exchange, because an ldap://server/query entry in a browser, brings up a dialog box that will successfully search using a custom ldap string, and it all works.
4) if I can't use telnet to try to diagnose what's going on - where should I start?
TIA - Bob
LDAP - howto get linux to talk to exchange/AD
at the end of the day, this is what I want: my debian(etch)/exim
machine to accept all internet Email to
my domain, ignore all else, and relay on to my exchange 5.5 server.
This means I want exim to validate
email recipients thru ldap lookups.
seems like a simple enough task, even one that many people have
probably done. Can I find any examples
of an exim config file that demonstrates this? NO! doc's suck. So I
have no idea if my router config is
even close or not. I don't think I need an acl, but i'm not sure. such
a simple task, you'd think
there'd already be a sample config file out there somewhere....
Having said that, I'm trying to figure out why my ldap lookup's aren't
working, so that leads me down a
nasty diagnostic path.
1) can you do ldap queries using telnet? I seem to connect to my
server fine, but every query I insert,
returns nothing.
2) i'm trying to do ldap lookups using ldapsearch, and I'm not having
any luck at all, and i'm getting
useless error messages.
3) ldap is definitely running on exchange, because an ldap://server/query
entry in a browser, brings up
a dialog box that will successfully search using a custom ldap string,
and it all works.
4) if I can't do a simply query using ldapsearch, how in the ---- am i
ever going to get exim setup
correctly.... what does a valid ldapsearch command look like anyway??
5) if I can't use telnet to try to diagnose what's going on - where
should I start?
TIA - Bob
--