Linux Debian support archive, December 2007
LDAP - howto get linux to talk to exchange/AD

bobg.hahc@gmail.com 2007-11-28, 7:16 pm
at the end of the day, this is what I want: my debian(etch)/exim
machine to accept all internet Email to
my domain, ignore all else, and relay on to my exchange 5.5 server.
This means I want exim to validate
email recipients thru ldap lookups.
seems like a simple enough task, even one that many people have
probably done. Can I find any examples
of an exim config file that demonstrates this? NO! doc's suck. So I
have no idea if my router config is
even close or not. I don't think I need an acl, but i'm not sure. such
a simple task, you'd think
there'd already be a sample config file out there somewhere....
Having said that, I'm trying to figure out why my ldap lookup's aren't
working, so that leads me down a
nasty diagnostic path.
1) can you do ldap queries using telnet? I seem to connect to my
server fine, but every query I insert,
returns nothing.
2) i'm trying to do ldap lookups using ldapsearch, and I'm not having
any luck at all, and i'm getting
useless error messages.
3) ldap is definitely running on exchange, because an ldap://server/query
entry in a browser, brings up
a dialog box that will successfully search using a custom ldap string,
and it all works.
4) if I can't do a simple query using ldapsearch, how in the ---- am i
ever going to get exim setup
correctly.... what does a valid ldapsearch command look like anyway??
5) if I can't use telnet to try to diagnose what's going on - where
should I start?
TIA - Bob

Johnny Rebel 2007-11-29, 1:16 am
bobg.hahc@gmail.com wrote:
> at the end of the day, this is what I want: my debian(etch)/exim
> machine to accept all internet Email to
>
> my domain, ignore all else, and relay on to my exchange 5.5 server.
> This means I want exim to validate
>
> email recipients thru ldap lookups.
>
> seems like a simple enough task, even one that many people have
> probably done. Can I find any examples
>
> of an exim config file that demonstrates this? NO! doc's suck. So I
> have no idea if my router config is
>
> even close or not. I don't think I need an acl, but i'm not sure. such
> a simple task, you'd think
>
> there'd already be a sample config file out there somewhere....
>
> Having said that, I'm trying to figure out why my ldap lookup's aren't
> working, so that leads me down a
>
> nasty diagnostic path.
>
> 1) can you do ldap queries using telnet? I seem to connect to my
> server fine, but every query I insert,
>
> returns nothing.
>
> 2) i'm trying to do ldap lookups using ldapsearch, and I'm not having
> any luck at all, and i'm getting
>
> useless error messages.
>
> 3) ldap is definitely running on exchange, because an ldap://server/query
> entry in a browser, brings up
>
> a dialog box that will successfully search using a custom ldap string,
> and it all works.
>
> 4) if I can't do a simple query using ldapsearch, how in the ---- am i
> ever going to get exim setup
>
> correctly.... what does a valid ldapsearch command look like anyway??
>
> 5) if I can't use telnet to try to diagnose what's going on - where
> should I start?
>
>
> TIA - Bob
Hey,
I don't have my notes here, but ldapsearch does work against AD. We
are currently authenticating Peoplesoft(about 15000 users) against AD
from a Unix system - we did all our testing on Linux of course. The
main thing was that AD does not accept anonymous binds, so you have to
authenticate with an AD username (like admin@domainname, I think it is
-D), and you have to have your OU and query set up correctly. There is
lots of examples via google. Here is but one:
ldapsearch -h myDCServer -D "CN=<My User Name>,CN=Users,DC=<My Domain
Name>,DC=<My Domain Extension>" -x -W -b "CN=Users,DC=<My Domain
Name>,DC=<My Domain Extension>" "(memberOf=CN=<My Restricted Access
Group>,CN=Users,DC=<My Domain Name>,DC=<My Domain Extension> )"
If I remember right, the -x is important as well, it is a 'simple' bind.
I will get my notes tomorrow and see what more I can post.
Hopefully that gets you started.
JR.
--
Bill will have to take Linux from my cold, dead flippers.
-Tux.

bobg.hahc@gmail.com 2007-11-29, 7:12 pm
On Nov 28, 7:26 pm, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
> bobg.h...@gmail.com wrote:
>
> Hey,
>
> I don't have my notes here, but ldapsearch does work against AD. We
> are currently authenticating Peoplesoft(about 15000 users) against AD
> from a Unix system - we did all our testing on Linux of course. The
> main thing was that AD does not accept anonymous binds, so you have to
> authenticate with an AD username (like admin@domainname, I think it is
> -D), and you have to have your OU and query set up correctly. There is
> lots of examples via google. Here is but one:
>
> ldapsearch -h myDCServer -D "CN=<My User Name>,CN=Users,DC=<My Domain
> Name>,DC=<My Domain Extension>" -x -W -b "CN=Users,DC=<My Domain
> Name>,DC=<My Domain Extension>" "(memberOf=CN=<My Restricted Access
> Group>,CN=Users,DC=<My Domain Name>,DC=<My Domain Extension> )"
>
> If I remember right, the -x is important as well, it is a 'simple' bind.
> I will get my notes tomorrow and see what more I can post.
>
> Hopefully that gets you started.
>
> JR.
>
JR -
hi & TX M's for U'r reply!
your command line gave me the best results to date! - "invalid
credentials" !
Never thought I'd be so happy to see such an error message! At last,
it looks like I'm at least talking to the AD!!!
I know the user/password I'm using are good... in fact I've tried 2
known working accounts. So I'm not sure why i'm getting that error...
I had searched w/ google, but I was unable to find an example that
provided me with such a wonder message (one that actually made sense,
and indicated an attempt to communicate w/ the AD 
Part of my confusion is probably due to the fact that I read that the -
h was deprecated for -H; and so I was trying to convert everything....
also, many of the hits i got related to perl, which i'm not interested
in.... Further, I didn't realize i needed to use both -h & -b
together...
that's why I always say a working example speaks thousands of words of
explanation! 
So now i just need to figure out my credential problem, and then i can
START to try to craft a working router for exim ;O)
Bob

Johnny Rebel 2007-11-30, 1:19 am
bobg.hahc@gmail.com wrote:
> On Nov 28, 7:26 pm, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
<snip>
>
> JR -
> hi & TX M's for U'r reply!
No problems, I feel your pain. I just went through this whole
exercise on a very tight timeline....
>
> your command line gave me the best results to date! - "invalid
> credentials" !
> Never thought I'd be so happy to see such an error message! At last,
> it looks like I'm at least talking to the AD!!!
Glad to hear it! I suspect you don't have your base pointing to the
right place. From my notes, this is an example:
ldapsearch -x -h hostname.domain.ca -D JR@addomain.ca -W -b
"OU=Users,ou=pssu,ou=accounts,dc=pssu,dc=ca" displayname
I don't remember if this was done on AIX or Linux - the commands were
slightly different. Up to the "displayname" part, is the "bind" info -
this is how you access the directory with the query portion. Here is
another example:
ldapsearch -LLL -x -h 10.65.224.130 -D jr@addomain.ca -W -b
OU=Users,OU=Accounts,DC=addomain,DC=ca '(cn=*JR*)' cn
Which shows the query portion better '(cn=*JR*)' cn. There are some
good chapters on ldap queries in the OReilly weasel (?) book as seen
here: http://www.oreilly.com/catalog/ldapsa/toc.html
>
> I know the user/password I'm using are good... in fact I've tried 2
> known working accounts. So I'm not sure why i'm getting that error...
As I mentioned, I believe (going by my own mistakes) the issue is most
likely with the '-b' - this is the full path to the user in your AD.
Also could be that you are not using the '@domain' portion on the '-D' -
this is important as well.
>
> I had searched w/ google, but I was unable to find an example that
> provided me with such a wonder message (one that actually made sense,
> and indicated an attempt to communicate w/ the AD 
I used google quite a bit, and the 'groups' section is (as always) the
place to look for stuff. Bit's and pieces everywhere.
>
> Part of my confusion is probably due to the fact that I read that the -
> h was deprecated for -H; and so I was trying to convert everything....
> also, many of the hits i got related to perl, which i'm not interested
> in.... Further, I didn't realize i needed to use both -h & -b
> together...
Well, you do need to specify both! The -h for your directory server,
and the -b for the path to bind with. Funny you should mention the perl
hits - I was playing around with PERL at the time trying to learn it and
actually put together (from examples) a script to test my accounts
against multiple directory servers! I will include it below - maybe you
will get some use out of it. (note: I am not a PERL programmer, it is
ugly... but it works for me). 
>
> that's why I always say a working example speaks thousands of words of
> explanation! 
I agree, so hopefully my post will get found and used in the future!
>
> So now i just need to figure out my credential problem, and then i can
> START to try to craft a working router for exim ;O)
See above! If you want to get a little more fancy (like I did), then
this may be of interest to you as well. LDAP as I am sure you know is
clear text comms, I used stunnel (.org) to set up an ssl proxy between
AIX and Windows Domain controllers. This had many advantages over
straight ldap (it is ldaps) mainly a secure pipe. We also fixed
Peoplesoft (billion dollar closed product) issues where if you set it up
for ldaps, it will fall back to ldap. How stupid is that? So, we set up
an ldaps proxy on port 389 (ldap) and pushed it to 636 on the AD server.
Problem solved (not to mention we can do about 20,000 logins a minute -
more than Peoplesoft can even come close to). You need certs at both
ends, and that is about it. It is an extra small little piece that adds
that final touch to things. You could direct many apps through that,
and only need to manage one ssl cert on the proxy (another bonus). This
worked for us due to private vlans and routing issues as well....
(traffic is clear up to the proxy which is still on private VLAN, then
routed out of private VLAN to AD server encrypted.). Just a thought for
you! Hope all this helps! Oh ya -- here is the PERL script
(servernames/ip's changed of course...)
JR.
<snip>
#!/usr/bin/perl
# Taken from examples on CPAN and XXXXed up from there - IANAPP. (I Am
# Not A PERL Programmer)
use strict;
use warnings;
use Net::LDAP;

my @accounts = qw{username01};
#my @accounts = qw{username01 username02 username03};
# bind account passwords. Uncomment MyEvilpassword
# to lock accounts.
#
my $pwd = 'mypassword';
#my $pwd = 'MyEvilpassword';
# FORCES DC's.
#
my $DC1 = 'ad_server_hostname01_fqdn';
my $DC2 = 'ad_server_hostname02_fqdn';
my $DC3 = 'ad_server_hostname03_fqdn';
# DC Flag
my $DC = $DC3;

foreach my $account (@accounts) {
    # Create our connection
    #
    my $ldap = Net::LDAP->new($DC) or die "$@";
    # bind to a directory with dn and password
    #
    my $bindstring = "CN=$account,OU=Accounts,DC=addomain,DC=ca";
    # Do the actual bind (and stop here if the bind itself is refused,
    # otherwise the search below fails with a less obvious error)
    #
    my $mesg = $ldap->bind($bindstring, password => $pwd);
    $mesg->code && die "bind failed: " . $mesg->error;
    # Try to perform a search
    #
    $mesg = $ldap->search(
        base   => "OU=Accounts,DC=addomain,DC=ca",
        #filter => "sAMAccounttype=805306368",
        filter => "cn=ST*",
        #attrs  => ['sAMAccounttype','mail'],
        attrs  => ['sAMAccountname','mail'],
        #attrs  => ['*'],
    );
    # Print out what we get
    #
    $mesg->code && die $mesg->error;
    foreach my $entry ($mesg->entries) { $entry->dump; }
    # Take down the session
    #
    $mesg = $ldap->unbind;
}
exit 0;
<snip>
>
> Bob
--
Bill will have to take Linux from my cold, dead flippers.
-Tux.
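JR's ldaps proxy, as an added example that is not his configuration: a minimal stunnel client-mode service on the Linux side that accepts plain LDAP on the loopback interface and forwards it as LDAPS to the domain controller. The service name, the hostname dc01.example.com and the certificate path are placeholders. The settings that decide whether this is a "secure pipe" are verify = 2 together with CAfile: without them stunnel still encrypts the link but accepts whatever certificate the far end presents, so the tunnel only defeats passive sniffing. The accept side stays clear text, which is why it is bound to 127.0.0.1 here instead of an address other hosts can reach (JR's private VLAN serves the same purpose in his setup).

```ini
; Added example (not JR's config): stunnel client-mode LDAPS proxy.
; Placeholders: dc01.example.com, /etc/stunnel/ad-ca.pem
[ldaps-proxy]
; plain LDAP from local applications arrives here, loopback only
client = yes
accept = 127.0.0.1:389
; forwarded as LDAPS to the domain controller
connect = dc01.example.com:636
; level 2 = require the DC's certificate and check that it chains to CAfile
verify = 2
CAfile = /etc/stunnel/ad-ca.pem
```

Applications on the proxy host then use ldap://127.0.0.1:389 unchanged, which is the point JR makes about Peoplesoft falling back from ldaps to ldap: the fallback lands on the tunnel rather than on the network.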

bobg.hahc@gmail.com 2007-11-30, 1:19 am
On Nov 29, 7:14 pm, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
> Glad to hear it! I suspect you don't have your base pointing to the
> right place. From my notes, this is an example:
>
> ldapsearch -x -h hostname.domain.ca -D J...@addomain.ca -W -b
> "OU=Users,ou=pssu,ou=accounts,dc=pssu,dc=ca" displayname
>
> I don't remember if this was done on AIX or Linux - the commands were
> slightly different. Up to the "displayname" part, is the "bind" info -
> this is how you access the directory with the query portion. Here is
> another example:
>
> ldapsearch -LLL -x -h 10.65.224.130 -D j...@addomain.ca -W -b
> OU=Users,OU=Accounts,DC=addomain,DC=ca '(cn=*JR*)' cn
>
<snip>
>
> JR.
TX again, JR; (lots of good stuff in your last post)
this last post certainly got me thinking, and trying a zillion more
variations on syntax.... to the point where I've now re-read the man
page at least a couple dozen times .
so - let me see if I've got any of this correct: (so building my
command I have
ldapsearch -h exchange.domain.com (or IP)
this is 1 of the only parts of the command that I have 100%
confidence is correct (lol).
the -D parm, is who/what account/ I connect to the exchange server
as.
so I've tried the following: ( after ton's more googling, I'm not
sure which is most correct, or if none are 
-D "CN=administrator,CN=Users,DC=domain,DC=com" - using this
syntax, I note a delay when the command is executed, making me
think it's actually talking to the exchange server.
-D "administrator@domain.com" - tried this with & w/o the quotes.
There is NO delay, the command fails right away.
-D "domain\administrator" - tried with & w/o quotes, and with double
\\; this causes failure immediately also.
-x -W this is the 2nd part of the command I have faith in - LOL
my ldap is definitely setup to accept plain text, and anonymous
access - not that i'm even trying anon.....
the -b parm is the "base" - not sure i fully understand or even care
anymore what this means.
I've tried:
-b "DC=domain,DC=com"
-b "OU=Users,OU=Accounts,DC=domain,DC=com"
I'm not sure that either of these choices makes a difference, or
that either is wrong.
-s sub "(uid=*)" cn
this is the 3rd and last part of the command that I have confidence
is correct LOL - ROTF
So - you see I really only have confusion over 2 parts of the command,
and of the 2, I believe only the -D is critical at this moment. But
I've tried zillions of permutations, with no success. only "Invalid
credentials".... which I'm now VERY tired of seeing.... ;o)
So - I'm back to wondering just what the heck is really happening. Am
I really talking to the server the times I get an immediate
response... beats me.... Is the ldap server REALLY accepting clear
text - should be, but i don't know for sure.... Is there some way I
can watch/see the exact communication exchange between ldapsearch &
exchange?
(WITHOUT getting a protocol analyzer) I've tried netcat'g 389 to the
host, to no avail.
I setup a SECOND exchange server, and tried to ldapsearch it.
if I run ldapsearch -h exchange2.dom.com -D
"cn=administrator,cn=users,dc=domain,dc=com" <snip> "(uid=*)" ....
I ACTUALLY GET A RESPONSE!
there is only 1 record - the administrator record; but ldapsearch
replies:
# search result
search: 2
result: 2 Protocol error
# numResponses: 1
so - it LOOKS like it works - sortof, except there's no RESULTS! ?? it
says there's a protocol error, but i'm not sure that's important right
now.
at this point, there's only 1 single thing i know -
I'm NOT authenticating to my main ldap server. I have no idea why.
It's setup for clear text, and anonymous OK;
but NOTHING I do will get me in.
any other words of wisdom?
TIA - Bob

Johnny Rebel 2007-11-30, 7:16 am
bobg.hahc@gmail.com wrote:
> On Nov 29, 7:14 pm, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
> <snip>
>
> TX again, JR; (lots of good stuff in your last post)
No probs!
>
> this last post certainly got me thinking, and trying a zillion more
> variations on syntax.... to the point where I've now re-read the man
> page at least a couple dozen times .
Yep, that's what I did... 
>
> so - let me see if I've got any of this correct: (so building my
> command I have
> ldapsearch -h exchange.domain.com (or IP)
> this is 1 of the only parts of the command that I have 100%
> confidence is correct (lol).
Looks ok to me.
>
> the -D parm, is who/what account/ I connect to the exchange server
> as.
> so I've tried the following: ( after ton's more googling, I'm not
> sure which is most correct, or if none are 
> -D "CN=administrator,CN=Users,DC=domain,DC=com" - using this
> syntax, I note a delay when the command is executed, making me
> think it's actually talking to the exchange server.
> -D "administrator@domain.com" - tried this with & w/o the quotes.
> There is NO delay, the command fails right away.
> -D "domain\administrator" - tried with & w/o quotes, and with double
> \\; this causes failure immediately also.
Looks ok - the only one that worked for me was the
'administrator@domain' Try the 'Windows 2000 domain' way - with just
the @domain vs the @domain.ca portion... Hum.
>
> -x -W this is the 2nd part of the command I have faith in - LOL
> my ldap is definitely setup to accept plain text, and anonymous
> access - not that i'm even trying anon.....
Yep, these are needed. 
>
> the -b parm is the "base" - not sure i fully understand or even care
> anymore what this means.
> I've tried:
> -b "DC=domain,DC=com"
> -b "OU=Users,OU=Accounts,DC=domain,DC=com"
> I'm not sure that either of these choices makes a difference, or
> that either is wrong.
Yep, this is the path in the directory to the user. In my instance,
under 'AD users and computers' (ADUaC)it looked like: domain.ca -->
Accounts --> users for instance, and my 'bind account' was under that OU
(users). You have to tell ldapsearch exactly how to 'get' to your user.
Do you have a separate OU or the 'stock' AD install.... Try creating a
new OU or two under your domain - not sure if the builtin
groups/listings of 'users' is an OU or not... could be your issue (not
sure, I did not try that). Under ADUaC an OU has a different little
icon thingy.... I /think/ that the users have to be under a 'globally'
accessible user in the directory - the built ins are local aren't they?
AD is pretty screwy.
>
> -s sub "(uid=*)" cn
> this is the 3rd and last part of the command that I have confidence
> is correct LOL - ROTF
reading the man page, this is the sort field, never used it. uid may
not exist in your directory - that is a Unix field.
>
> So - you see I really only have confusion over 2 parts of the command,
> and of the 2, I believe only the -D is critical at this moment. But
> I've tried zillions of permutations, with no success. only "Invalid
> credentials".... which I'm now VERY tired of seeing.... ;o)
Well, it is either the password, the account name, or the path in the
directory to the user. It really shouldn't/couldn't be anything else
that I can see.
>
> So - I'm back to wondering just what the heck is really happening. Am
> I really talking to the server the times I get an immediate
> response... beats me.... Is the ldap server REALLY accepting clear
> text - should be, but i don't know for sure.... Is there some way I
> can watch/see the exact communication exchange between ldapsearch &
> exchange?
> (WITHOUT getting a protocol analyzer) I've tried netcat'g 389 to the
> host, to no avail.
Yep, you could just run tcpdump in another window or something, it may
be useful to see where/what it is trying to do. If you can ping the
server, I would say you are talking to it.
>
> I setup a SECOND exchange server, and tried to ldapsearch it.
> if I run ldapsearch -h exchange2.dom.com -D
> "cn=administrator,cn=users,dc=domain,dc=com" <snip> "(uid=*)" ....
> I ACTUALLY GET A RESPONSE!
> there is only 1 record - the administrator record; but ldapsearch
> replies:
> # search result
> search: 2
> result: 2 Protocol error
>
> # numResponses: 1
>
> so - it LOOKS like it works - sortof, except there's no RESULTS! ?? it
> says there's a protocol error, but i'm not sure that's important right
> now.
That would probably be your uid=* search - probably doesn't exist.
Start off with cn=* - I *know* that exists!
>
> at this point, there's only 1 single thing i know -
> I'm NOT authenticating to my main ldap server. I have no idea why.
> It's setup for clear text, and anonymous OK;
> but NOTHING I do will get me in.
Are you sure it is set up for anonymous? Windows systems by default do
not allow anonymous binds... I hear it is a pain to do so. It is clear
text if you are not using ssl, for sure. Based on your 'anonymous'
comment- an ldap query goes like this: you first have to bind to the
directory with authentication (what you are trying to do with the
admin@domain account:admin is cn=administrator, ou=users, dc=domain,
dc=ca) once you successfully bind to the directory, then your query
goes, results are passed back, and the connection is closed. Your
admin@domain account is only binding to the directory, and has
practically nothing to do with the query. The PERL code I posted shows
my statements here a little better. Just thought I would clarify just
in case!
>
> any other words of wisdom?
Lol! Hopefully the above is 'words of wisdom' ! heheheh...
> TIA - Bob
>
--
Bill will have to take Linux from my cold, dead flippers.
-Tux.

bobg.hahc@gmail.com 2007-11-30, 7:12 pm
On Nov 30, 5:03 am, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
>
<snip>
>
> Yep, this is the path in the directory to the user. In my instance,
> under 'AD users and computers' (ADUaC)it looked like: domain.ca -->
> Accounts --> users for instance, and my 'bind account' was under that OU
> (users). You have to tell ldapsearch exactly how to 'get' to your user.
> Do you have a separate OU or the 'stock' AD install.... Try creating a
> new OU or two under your domain - not sure if the builtin
> groups/listings of 'users' is an OU or not... could be your issue (not
> sure, I did not try that). Under ADUaC an OU has a different little
> icon thingy.... I /think/ that the users have to be under a 'globally'
> accessible user in the directory - the built ins are local aren't they?
> AD is pretty screwy.
>
>
>
> Are you sure it is set up for anonymous? Windows systems by default do
> not allow anonymous binds... I hear it is a pain to do so. It is clear
> text if you are not using ssl, for sure. Based on your 'anonymous'
> comment- an ldap query goes like this: you first have to bind to the
> directory with authentication (what you are trying to do with the
> admin@domain account:admin is cn=administrator, ou=users, dc=domain,
> dc=ca) once you successfully bind to the directory, then your query
> goes, results are passed back, and the connection is closed. Your
> admin@domain account is only binding to the directory, and has
> practically nothing to do with the query. The PERL code I posted shows
> my statements here a little better. Just thought I would clarify just
> in case!
>
>
>
> Lol! Hopefully the above is 'words of wisdom' ! heheheh...
>
ok JR, ready for the latest 
few easy things:
uid=* does work, but I will now use cn=*, as I agree w/ you - it's
more universal.
I'm using the -s option, not -S; manpage shows -S is for sorting; -s
is for scope.
I'm back to trying to talk to my original exchange server, and have
found that although there is NO WAY i have been able to authenticate
to it, IF I access it anonymously - it responds!!!
So no, I'm trying to figure out the protocol error 2.
I believe you are right, and that the problem must be in my -b
parameter.
So; I did an export from the AD of my record, and it shows my
distinguishedname as:
CN=givenname surname,CN=Users,DC=domain,DC=com
I also found a reference to: OU=Domain Controllers,DC=domain,DC=com
I've now tried zillions of variations of my -b, based on this
information; again with no success.
I'm not sure if the ORDER of items in the -b matter... but I've tried
changing that too...
So - at the end of the day -
in windows; all i have to do is enter:
ldap://exchange.domain.com/??sub?(cn=*)
into my browser window, and bing - results, without delay, or grief.
in linux..... i can't get anything to work to save my soul....
this has to be the 1 SINGLE time in my life, that doing something from
windows seems to be easier than from *nix ! LOL ;o)
more words of wisdom? (and yes, those WERE before as well 
TIA - Bob

Johnny Rebel 2007-11-30, 7:12 pm
bobg.hahc@gmail.com wrote:
> On Nov 30, 5:03 am, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
> <snip>
>
> ok JR, ready for the latest 
Bring it on. 
>
> few easy things:
> uid=* does work, but I will now use cn=*, as I agree w/ you - it's
> more universal.
> I'm using the -s option, not -S; manpage shows -S is for sorting; -s
> is for scope.
Sorry, you are right - it was early and I was still sipping my coffee.
Ditch the -s and use the least possible parameters required.
> I'm back to trying to talk to my original exchange server, and have
> found that although there is NO WAY i have been able to authenticate
> to it, IF I access it anonymously - it responds!!!
Hum, so exchange allows anonymous? Cool. Will have to hit some of
those stupid boxes at work. But, it should be similar query with the
exception of the -b, -D and -w.
>
> So no, I'm trying to figure out the protocol error 2.
Hum. Did you check the openldap website on that one??
>
> I believe you are right, and that the problem must be in my -b
> parameter.
> So; I did an export from the AD of my record, and it shows my
> distinguishedname as:
> CN=givenname surname,CN=Users,DC=domain,DC=com
This is what you want... I wonder if the space is screwing you up? In
my setup, the cn/windows account has no spaces (bad practice IMHO). I
assume this is your username right?
> I also found a reference to: OU=Domain Controllers,DC=domain,DC=com
Yep, blissfully ignore it.
>
> I've now tried zillions of variations of my -b, based on this
> information; again with no success.
> I'm not sure if the ORDER of items in the -b matter... but I've tried
> changing that too...
Based on what you wrote above, that should be your -b -- without the
username -- that goes into -D so something like "-D username@domain -b
CN=Users,DC=domain,DC=com" from what I can see (it is the full path to
the user - but not including the user). So if you have spaces in your
username, this could require some fancy escaping or something...
>
> So - at the end of the day -
> in windows; all i have to do is enter:
> ldap://exchange.domain.com/??sub?(cn=*)
> into my browser window, and bing - results, without delay, or grief.
Interesting... Not sure why that works apparently anonymously. Hum.
>
> in linux..... i can't get anything to work to save my soul....
Hopefully only ldap! I had problems with it as well, but did
eventually get it, now it works like a charm. Once I got that first
response, I took it from there and played.
>
> this has to be the 1 SINGLE time in my life, that doing something from
> windows seems to be easier than from *nix ! LOL ;o)
Really? But is it as fun? 
>
> more words of wisdom? (and yes, those WERE before as well 
> TIA - Bob
Hopefully those are above! 
JR.
--
Bill will have to take Linux from my cold, dead flippers.
-Tux.

Johnny Rebel 2007-11-30, 7:12 pm
bobg.hahc@gmail.com wrote:
> On Nov 30, 5:03 am, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
> <snip>
>
> ok JR, ready for the latest 
>
> few easy things:
> uid=* does work, but I will now use cn=*, as I agree w/ you - it's
> more universal.
> I'm using the -s option, not -S; manpage shows -S is for sorting; -s
> is for scope.
> I'm back to trying to talk to my original exchange server, and have
> found that although there is NO WAY i have been able to authenticate
> to it, IF I access it anonymously - it responds!!!
>
> So no, I'm trying to figure out the protocol error 2.
>
> I believe you are right, and that the problem must be in my -b
> parameter.
> So; I did an export from the AD of my record, and it shows my
> distinguishedname as:
> CN=givenname surname,CN=Users,DC=domain,DC=com
> I also found a reference to: OU=Domain Controllers,DC=domain,DC=com
>
> I've now tried zillions of variations of my -b, based on this
> information; again with no success.
> I'm not sure if the ORDER of items in the -b matter... but I've tried
> changing that too...
>
> So - at the end of the day -
> in windows; all i have to do is enter:
> ldap://exchange.domain.com/??sub?(cn=*)
> into my browser window, and bing - results, without delay, or grief.
>
> in linux..... i can't get anything to work to save my soul....
>
> this has to be the 1 SINGLE time in my life, that doing something from
> windows seems to be easier than from *nix ! LOL ;o)
>
> more words of wisdom? (and yes, those WERE before as well 
> TIA - Bob
Just found the stuff below: could be related...
From the man page:
-P 2|3 Specify the LDAP protocol version to use.
My system was Windows ""Advanced""(read:expensive) server 2003...
http://www.openldap.org/doc/admin24...rotocol%20error
C.1.20. ldap_bind: Protocol error
This error generally occurs when the LDAP version requested by the
client is not supported by the server.
The OpenLDAP Software 1.x server only accepts version 2 LDAP Bind
requests. Note that 1.x server expects U-Mich LDAP, an LDAPv2 variant,
to be used. This variant is sometimes referred to as LDAPv2+.
The OpenLDAP Software 2.x server, by default, only accepts version 3
LDAP Bind requests but can be configured to accept a version 2 LDAP Bind
request. Note that the 2.x server expects LDAPv3 [RFC4510] to be used
when the client requests version 3 and expects a limited LDAPv3 variant
(basically, LDAPv3 syntax and semantics in an LDAPv2 PDUs) to be used
when version 2 is expected. This variant is also sometimes referred to
as LDAPv2+, but differs from the U-Mich LDAP variant in a number of ways.
Use of LDAPv3! See also: (Xref) How to configure slapd(8) with LDAPv2
support (for legacy clients)?.
--
Bill will have to take Linux from my cold, dead flippers.
-Tux.

Kees Theunissen 2007-12-03, 1:17 am
bobg.hahc@gmail.com wrote:
> at the end of the day, this is what I want: my debian(etch)/exim
> machine to accept all internet Email to
>
> my domain, ignore all else, and relay on to my exchange 5.5 server.
> This means I want exim to validate
>
> email recipients thru ldap lookups.
I'm doing something similar.
I'm running two Linux boxes with sendmail in front of Exchange 2003.
The sendmail systems use MimeDefang/SpamAssassin/ClamAv to protect
against spam and viruses. And of course sendmail will validate
the recipient addresses before accepting a message.
But I don't want to query the exchange server for each address
that is tried by a spammer or an email address harvesting bot.
I'm using a shell script to extract valid addresses from the
Active Directory and build a local table with valid addresses to be
used by sendmail. That script is launched by cron on a regular basis.
This way I'm lowering the load on the Exchange server and reducing
the delays and overhead on the sendmail systems to validate recipient
addresses. But that is not my main argument. I'm in a domain with a
few hundreds of users and about five spam messages arriving each minute.
My servers can handle that load easily. But using local tables by
sendmail allows me to validate addresses, and queue accepted messages,
even when the Exchange server is down.
Below is the part of my (bash) shell script that extracts valid
email addresses from Active Directory (Windows 2003 domain with
Exchange 2003 enterprise).
################################################################
# Get valid exchange addresses in "ldif" format.
# Valid addresses are:
# -- users with an exchange mailbox
# -- mail enabled groups
# -- distribution lists
# -- mail enabled public folders.
if ! tempfile=`mktemp -p .`
then
    echo "Error creating temporary file" >&2
    echo "Aborting" >&2
    exit 1
fi
if ! ldapsearch -H ldap://servername:3268 \
      -D "unprivileged_user@my_domain.tld" \
      -y ./passwd -b DC=my_domain,DC=tld -x -LLL \
      '(&(!(cn=SystemMailbox{*}))
         (!(showInAdvancedViewOnly=TRUE))
         (!(msExchHideFromAddressLists=TRUE))
         (mailnickname=*)
         (|(&(objectCategory=person)
             (objectClass=user)
             (|(homeMDB=*)(msExchHomeServerName=*))
           )
           (objectCategory=group)
           (objectCategory=msExchDynamicDistributionList)
           (objectCategory=publicFolder)
         )
       )' proxyaddresses sAMAccountName >"$tempfile"
then
    rm -f "$tempfile"
    echo "Error extracting exchange addresses." >&2
    echo "Aborting." >&2
    exit 1
fi
# Unfold long lines that are folded in the ldapsearch
# output.
if ! tr '\n' '\t' < "$tempfile" \
   | sed -e 's/\t //g' \
   | tr '\t' '\n' > output_file
then
    rm -f "$tempfile"
    echo "Error unfolding exchange output lines." >&2
    echo "Aborting." >&2
    exit 1
fi
################################################################
Some notes:
-- I'm using a password file (-y ./passwd) with very restricted
access rights to supply a password to ldapsearch. I don't like
the idea of giving a password on the command line because 'ps'
-run with the right options- will show the complete command line.
Of course normal users are not allowed to logon to this system,
but even then...
The password file contains _only_ the password to be used,
without trailing newline.
-- I'm hiding addresses that are not visible to exchange users
with:
(&(!(cn=SystemMailbox{*}))
(!(showInAdvancedViewOnly=TRUE))
(!(msExchHideFromAddressLists=TRUE))
...
)
In addition to that my script uses a block list to hide several
addresses to external senders. Think about valid group addresses,
distribution lists and public folders that are supposed not to
be used by external senders.
-- For personal email addresses I'm testing for
"(|(homeMDB=*)(msExchHomeServerName=*))".
That is because we often have users without a local email address.
I'm working at a physics lab, and often we have guest users.
These guests need a valid AD account to access local resources,
they don't need a local email address, but we want their external
addresses visible for internal communication. So we include their
external email addresses in active directory without creating
an exchange mailbox. Although (mailnickname=*) is true for those
guests, we don't want to relay messages from external senders
directed to them.
-- The script requests the fields "proxyaddresses" and "sAMAccountName"
from AD. For email address validation only the "proxyaddresses"
would be needed. I'm running this script in a mixed linux/unix and
windows environment and I need the "sAMAccountName" to do some
validation checks between exchange addresses and the linux/unix
users/aliases.
-- Long output lines might be folded by ldapsearch by inserting a
newline and a space in the output.
My script unfolds these lines by:
1) replacing all newlines with tabs by using "tr",
2) deleting all tab/space sequences by using "sed",
3) replacing all remaining tabs with newlines by using "tr".
Note that the original ldapsearch output doesn't contain any tabs.
The above procedure works well in my environment (a small AD domain
with only a few hundreds of users). You should be aware that action
1) above transfers the whole "ldapsearch" output into a single line.
This line will be processed by "sed" in 2). In my environment with
a small user base this will be fine. But in large domains this might
hit a maximal line length of "sed". In general it might be better to
use PERL (not limited by an arbitrary line length limit) to do the
unfolding, or to use some other algorithm to process consecutive
lines in the "ldapsearch" output for each single user.
Although this doesn't directly answer your question -I'm certainly
working in a different environment- I hope that this will give you some
ideas to attack your problem; it's not that different after all.
Regards,
Kees.
--
Kees Theunissen
| |
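Kees's notes above suggest unfolding the ldapsearch output by processing consecutive lines instead of turning the whole dump into one sed line. The following is an added example (not Kees's script) that does exactly that with awk, one logical LDIF line at a time, and then extracts the smtp:/SMTP: values of proxyAddresses into a sorted, one-address-per-line table; the sample LDIF and the example.com names are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not Kees's script: unfold ldapsearch output one logical
# line at a time with awk (no whole-dump-in-one-line sed step), then pull
# the SMTP addresses out of proxyAddresses into a one-per-line table.

# Unfold LDIF: a line starting with a single space continues the previous
# line (RFC 2849). Buffer one logical line and flush it when the next
# non-continuation line arrives, so memory use stays at one logical line
# instead of the whole directory dump.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }  # continuation: drop the leading space
        { if (have) print buf; buf = $0; have = 1 }
        END { if (have) print buf }
    '
}

# Turn unfolded LDIF into a sorted, unique, lowercase SMTP address list.
# Only proxyAddresses values tagged smtp:/SMTP: count; X400:/X500: values,
# the sAMAccountName lines and base64 "attr:: value" lines are skipped
# (the latter because "attr::" does not match the attribute name test).
ldif_to_address_table() {
    unfold_ldif |
    awk -F': ' 'tolower($1) == "proxyaddresses" && tolower($2) ~ /^smtp:/ {
        print tolower(substr($2, 6))   # strip the 5-character "smtp:" tag
    }' |
    LC_ALL=C sort -u
}

# Constructed sample ldapsearch -LLL output (not real directory data),
# with one value folded across two lines the way ldapsearch folds them.
sample_ldif() {
    cat <<'EOF'
dn: CN=Bob Example,CN=Users,DC=example,DC=com
proxyAddresses: SMTP:bob@example.com
proxyAddresses: smtp:bob.example@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Bob;
sAMAccountName: bob

dn: CN=Long Alias,CN=Users,DC=example,DC=com
proxyAddresses: smtp:a.very.long.alias.that.exchange.folds@example.c
 om
sAMAccountName: longalias
EOF
}

# Build the table from the sample; with real data, pipe the ldapsearch
# command from the script above into ldif_to_address_table instead.
demo_table() {
    sample_ldif | ldif_to_address_table
}

demo_table
```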
| bobg.hahc@gmail.com 2007-12-04, 7:12 pm |
| On Nov 30, 6:40 pm, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
>
> Bring it on. 
careful what U ask for :-)
boy, JR, I really appreciate all of your help; I'm gonna owe you a big
honking drink of something!
>
>
> Sorry, you are right - it was early and I was still sipping my coffee.
> Ditch the -s and use the least possible parameters required.
I too would normally agree with this philosophy. However, if I submit
a (from windows browser)
ldap://exchange.domain.com/??sub?(cn=*) - this works; but
ldap://exchange.domain.com/???(cn=*) - does not work. So my
ASSUMPTION is that I need the -s parm.
<snip>
>
> Hum. Did you check the openldap website on that one??
>
I've spent extensive amounts of time browsing various information,
hoping for a light bulb to go on or off...
Now, let me ask a dumb question - something you said in your next
post, causes me to ask (or state):
I'm not running openldap server on my debian box. I'm not running any
ldap server on my debian box.
ldapsearch as a client, should talk to the ldap server on my exchange
server.... right?
>
>
> This is what you want... I wonder if the space is screwing you up? In
> my setup, the cn/windows account has no spaces (bad practice IMHO). I
> assume this is your username right?
sorry - I should have been specific - that is NOT my user name; that's
display name, or whatever you like to call that. I think my user name
is available under "mailnickname" or something similar.
>
>
> Yep, blissfully ignore it.
thank g-d for small favors - don't have to tell me twice ;-)
>
>
> Based on what you wrote above, that should be your -b -- without the
> username -- that goes into -D so something like "-D username@domain -b
> CN=Users,DC=domain,DC=com" from what I can see (it is the full path to
> the user - but not including the user). So if you have spaces in your
> username, this could require some fancy escaping or something...
nope_-_no_spaces_in_user_names_-_I_DESPISE_spaces!
_I_wouldn't_even_use_them_in_sentences_if_I_could_get away with
it (upper case also.... I like everything in unix lower-case,
with no spaces ;o) lol
>
>
> Interesting... Not sure why that works apparently anonymously. Hum.
>
now I do have a checkbox in exchange checked, that says allow anon...
And - I also tried this from a non-authenticated windows PC on the
LAN, and it also works apparently anonymously.
>
>
>
> Hopefully only ldap! I had problems with it as well, but did
> eventually get it, now it works like a charm. Once I got that first
> response, I took it from there and played.
>
I've had problems with exim as well... but i figured that w/o ldap,
those are secondary...
If I eliminate exim / ldap, then almost every other problem i've had
in unix has been resolvable in hours, not days :-)
and I should point out, that I've setup sendmail (so i'm not a
complete idiot) in the past, and got it working no problems (not w/
ldap). I'm using exim here because it's supposed to be more secure,
and LOL - easier to setup.
The exim doc's are very confusing - which is to say, when they make
reference to something, they don't REALLY explain exactly what that
something is... I'm left to ASSUME I think I know what it is, because
it APPEARS obvious. LOL
case in point - I'm trying to get exim running without ldap, while I
work on ldap, and am having trouble getting it to route stuff to
exchange. I'm not even 100% sure which config file should get my
custom router script. but enuf of this for now
>
>
> Really? But is it as fun? 
nothing is as fun as unix! - with the exception of ldap & exim,
sorting out problems in *nix is usually fun. I won't use "sorting out
problems" with windows, because IMHO "sorting out problems" refers to
exceptions.
"sorting out problems" with windows is the NORMAL mode of operation,
and it is almost NEVER fun...
IOW: windows IS usually the problem. ;) LOL
>
> Hopefully those are above! 
>
> JR.
as always -
> --
>
> Bill will have to take Linux from my cold, dead flippers.
>
> -Tux.
AMEN to that brother!!!
Bob
| |
| bobg.hahc@gmail.com 2007-12-04, 7:12 pm |
| On Dec 2, 7:50 pm, Kees Theunissen <theun...@rijnh.nl> wrote:
> bobg.h...@gmail.com wrote:
>
> I'm doing something similar.
> I'm running two Linux boxes with sendmail in front of Exchange 2003.
> The sendmail systems use MimeDefang/SpamAssassin/ClamAv to protect
> against spam and viruses. And of course sendmail will validate
> the recipient addresses before accepting a message.
>
> But I don't want to query the exchange server for each address
> that is tried by a spammer or an email address harvesting bot.
> I'm using a shell script to extract valid addresses from the
> Active Directory and build a local table with valid addresses to be
> used by sendmail. That script is launched by cron on a regular basis.
>
> This way I'm lowering the load on the Exchange server and reducing
> the delays and overhead on the sendmail systems to validate recipient
> addresses. But that is not my main argument. I'm in a domain with a
> few hundreds of users and about five spam messages arriving each minute.
> My servers can handle that load easily. But using local tables by
> sendmail allows me to validate addresses, and queue accepted messages,
> even when the Exchange server is down.
Kees;
This is an awesome point, and I'm very appreciative for your post. I
will certainly implement this concept as well.
<snip>
>
> Although this doesn't directly answer your question -I'm certainly
> working in a different environment- I hope that this will give you some
> ideas to attack your problem; it's not that different after all.
>
> Regards,
>
> Kees.
>
> --
> Kees Theunissen
Although that doesn't directly apply to my current question,
everything you discuss is exactly what I hit after solving my ldap
problem. It's therefore highly relevant.
I'm most thankful for all of your notes, I find them very well thought
out, and immensely helpful.
TX very much....
Bob
| |
| bobg.hahc@gmail.com 2007-12-04, 7:12 pm |
| JR;
ok - hold onto your hat - you're not going to believe this....
I started messing around with some PERL scripts that people have
posted. Guess what - I got 1 to work!
I STILLLLL can't use ldapsearch, but I CAN use perl.... go figure...
nope - scratch that; as I write this, I was inserting the PERL code,
and screwing around, and I ACTUALLY GOT ldapsearch to work!!!!!
BUT - I'm MORE CONFUSED than EVER!?!?!?!
here's the ldapsearch command that WORKS:
ldapsearch -x -H "ldap://exchange.domain.com:389" \ (I've found
that BOTH -P2 & -P3 work)
-b "" \ - If I PUT ANYTHING in here, ldapsearch fails. perl
WORKS with dc=users,dc=domain,dc=com
-s sub "(cn=*)" cn sn givenname mail
So - if -b is left null, I MUST ASSUME ldapsearch is using /etc/ldap/
ldap.conf to determine to values of base, etc...
and guess what my ldap.conf file looks like!
#ldap.conf in /etc/ldap
BASE dc=domain, dc=com
HOST exchange.domain.com:389
URI ldap://exchange.domain.com:389
it's EXACTLY THE SAME INFORMATION!?!?!?!?!?!?!
could someone possibly explain to me when/why
-b "dc=domain,dc=com" <> BASE
dc=domain,dc=com ????????????????????
this is m$ logic - NOT *nix logic!!! ;-)
TIA - Bob
| |
| Johnny Rebel 2007-12-04, 7:12 pm |
| bobg.hahc@gmail.com wrote:
> JR;
>
> ok - hold onto your hat - you're not going to believe this....
After managing 18 windows boxes, I will believe just about anything at
this point in my career. 
>
> I started messing around with some PERL scripts that people have
> posted. Guess what - I got 1 to work!
Cool.
>
> I STILLLLL can't use ldapsearch, but I CAN use perl.... go figure...
Hum. For me it was pretty much the same thing, except the PERL script
separated things into vars'.
>
> nope - scratch that; as I write this, I was inserting the PERL code,
> and screwing around, and I ACTUALLY GOT ldapsearch to work!!!!!
Very cool.
>
> BUT - I'm MORE CONFUSED than EVER!?!?!?!
> here's the ldapsearch command that WORKS:
> ldapsearch -x -H "ldap://exchange.domain.com:389" \ (I've found
> that BOTH -P2 & -P3 work)
> -b "" \ - If I PUT ANYTHING in here, ldapsearch fails. perl
> WORKS with dc=users,dc=domain,dc=com
> -s sub "(cn=*)" cn sn givenname mail
Ok, I haven't used the ldap://.. I just specified the host IP - should
be the same thing I would imagine. Hum. I had OU's in the mix and
couldn't (AFAI-remember) query anything outside of that. That would be
the -b I would figure.
>
> So - if -b is left null, I MUST ASSUME ldapsearch is using /etc/ldap/
> ldap.conf to determine to values of base, etc...
> and guess what my ldap.conf file looks like!
> #ldap.conf in /etc/ldap
> BASE dc=domain, dc=com
> HOST exchange.domain.com:389
> URI ldap://exchange.domain.com:389
>
> it's EXACTLY THE SAME INFORMATION!?!?!?!?!?!?!
Seems the man pages agree with your assumption. Have you tried it with
just the host IP and no port number? I don't imagine it to seem
different from the URI, but it may force NOT using ldap.conf - as a
note, I didn't have an ldap.conf - only had the tools installed. But
yes, I would agree with what you are saying. Maybe try mv'ing the
ldap.conf file out of the way to see if that makes a difference. Maybe
there is /something/ in there the connection doesn't like.
>
> could someone possibly explain to me when/why
> -b "dc=domain,dc=com" <> BASE
> dc=domain,dc=com ????????????????????
One has quotes. 
>
> this is m$ logic - NOT *nix logic!!! ;-)
<coughcough> Did you look at what you are querying?
<twisting_knife_action>. 
>
> TIA - Bob
--
Bill will have to take Linux from my cold, dead flippers.
-Tux.
| |
| Johnny Rebel 2007-12-04, 7:12 pm |
| bobg.hahc@gmail.com wrote:
> On Nov 30, 6:40 pm, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
>
> careful what U ask for :-)
> boy, JR, I really appreciate all of your help; I'm gonna owe you a big
> honking drink of something!
No worries, it is how I learn stuff as well! Oh? A drink? Why, you
are very welcome <insert drink>. 
>
>
> I too would normally agree with this philosophy. However, if I submit
> a (from windows browser)
> ldap://exchange.domain.com/??sub?(cn=*) - this works; but
> ldap://exchange.domain.com/???(cn=*) - does not work. So my
> ASSUMPTION is that I need the -s parm.
Hum. I never tested it that way, and never used the -s. I didn't test
it from IE, as, well, I don't G.a.F about IE... I did everything from
Unix/Linux. Maybe there are differences there, can't say for sure.
Windows NG maybe??
>
> <snip>
>
> I've spent extensive amounts of time browsing various information,
> hoping for a light bulb to go on or off...
Never did for me... seems to be the same for you, at least it makes me
feel better. 
> Now, let me ask a dumb question - something you said in your next
> post, causes me to ask (or state):
> I'm not running openldap server on my debian box. I'm not running any
> ldap server on my debian box.
> ldapsearch as a client, should talk to the ldap server on my exchange
> server.... right?
Yes. However, I was only testing against a straight AD server w/o
exchange (MS virus distribution server). I couldn't imagine that
causing an issue and/or differences, but never know with those clowns.
>
>
> sorry - I should have been specific - that is NOT my user name; that's
> display name, or whatever you like to call that. I think my user name
> is available under "mailnickname" or something similar.
It is similar to mailnickname, but not it. I was using my actual
windows domain logon like 'administrator@domain'. I think we are
straight on this point then.
>
>
> thank g-d for small favors - don't have to tell me twice ;-)
LOL!
>
>
> nope_-_no_spaces_in_user_names_-_I_DESPISE_spaces!
> _I_wouldn't_even_use_them_in_sentences_if_I_could_get away with
> it (upper case also.... I like everything in unix lower-case,
> with no spaces ;o) lol
You are wise my friend. Our enterprise follows standards, standards
of the 'make up your own standards as you go' variation, and I am a
victim of this. 
>
>
> now I do have a checkbox in exchange checked, that says allow anon...
> And - I also tried this from a non-authenticated windows PC on the
> LAN, and it also works apparently anonymously.
Can't say for certain, but sounds like the right thing.
>
>
> I've had problems with exim as well... but i figured that w/o ldap,
> those are secondary...
> If I eliminate exim / ldap, then almost every other problem i've had
> in unix has been resolvable in hours, not days :-)
I hear you on that one...
>
> and I should point out, that I've setup sendmail (so i'm not a
> complete idiot) in the past, and got it working no problems (not w/
> ldap). I'm using exim here because it's supposed to be more secure,
> and LOL - easier to setup.
Someone who got sendmail running *without* problems??? You are either
brilliant, or a victim of chaos theory. I wouldn't say that too loud.
I am using exim at a client of mine (local accounts only) and found it
fairly straight forward... I did go with a very simple config though.
>
> The exim doc's are very confusing - which is to say, when they make
> reference to something, they don't REALLY explain exactly what that
> something is... I'm left to ASSUME I think I know what it is, because
> it APPEARS obvious. LOL
Of course. There are a few sections in there that are crap, but I
did find some really good explanations in their docs - had to really
look for them though.
>
> case in point - I'm trying to get exim running without ldap, while I
> work on ldap, and am having trouble getting it to route stuff to
> exchange. I'm not even 100% sure which config file should get my
> custom router script. but enuf of this for now
Isn't it obvious? LOL!
>
>
>
> nothing is as fun as unix! - with the exception of ldap & exim,
> sorting out problems in *nix is usually fun. I won't use "sorting out
> problems" with windows, because IMHO "sorting out problems" refers to
> exceptions.
I agree, but ldap/exim are both fun once you get past the bumps.
> "sorting out problems" with windows is the NORMAL mode of operation,
> and it is almost NEVER fun...
> IOW: windows IS usually the problem. ;) LOL
Yep... don't I know it. <sigh>
>
>
> as always -
Glad for it!
>
>
> AMEN to that brother!!!
LOL! My old one was "Windows, a colourful clown suit for DOS" I got
that off Usenet sometime waaaay back. I liked it though!
>
> Bob
--
Bill will have to take Linux from my cold, dead flippers.
-Tux.
| |
| bobg.hahc@gmail.com 2007-12-05, 1:13 pm |
| On Dec 4, 6:07 pm, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
> bobg.h...@gmail.com wrote:
>
> One has quotes. 
>
TX - I needed that! LOL
>
>
>
> <coughcough> Did you look at what you are querying?
> <twisting_knife_action>. 
>
ain't it the truth! 
(From your other reply):
On Dec 4, 6:29 pm, Johnny Rebel <rebel...@magmaDOTT.ca> wrote:
> bobg.h...@gmail.com wrote:
>
> No worries, it is how I learn stuff as well! Oh? A drink? Why, you
> are very welcome <insert drink>. 
>
I'm ready for a drink too! (or 8) (maybe this would all make more
sense if I were drinking)
>
> Hum. I never testing it that way, and never used the -s. I didn't test
> it from IE, as, well, I don't G.a.F about IE... I did everything from
> Unix/Linux. Maybe there are differences there, can't say for sure.
> Windows NG maybe??
>
again we are a chorus.... I should mention that when I talk about a
windows browser, there is ONLY 1 - firefox.
BTW - I, personally, believe the "I" is for ignorant.
>
>
> You are wise my friend. Our enterprise follows standards, standards
> of the 'make up your own standards as you go' variation, and I am a
> victim of this. 
>
LOL (but not @ your expense - in sympathy, what else can U do? 
>
>
> Someone who got sendmail running *without* problems??? You are either
> brilliant, or a victim of chaos theory. I wouldn't say that to loud.
> I am using exim at a client of mine (local accounts only) and found it
> fairly straight forward... I did go with a very simple config though.
well - ok - U got me; there weren't "no" problems; but all problems
were resolved in less than 1 day; so that in my mind (with reference
to the windows world) qualifies as "no problems". ;-)
>
> Of course. There are a few sections in there that are crap, but I
> did find some really good explanations in their docs - had to really
> look for them though.
>
My biggest problem w/ exim is that SO much functionality is reliant on
variables being set this way or that. Then you gotta go figure out
what a certain variable does, AND what additional variables is it
expecting... HUGE PAIN.
Just give me a freaking script in ANY language, and I can figure that
out 500% faster, than trying to reference enigmatic variable codes
that can have names that could indicate conflicting contents.
>
>
> Isn't it obvious? LOL!
>
well, I THINK, I need to mod the "template" config file, but trying to
find examples of exim router code is like pulling teeth. I guess in a
nutshell, i figured a router that does nothing but check a destination
email address, and ignore all invalids, and relay good ones to
another server, would be a "standard" router, that countless examples
would be available of.... apparently not so - at least not without 3-4
hours of searching (and counting ....
All of this so I don't have to read about 395 variable combinations in
order to get the 5 I need.... 
>
>
> I agree, but ldap/exim are both fun once you get past the bumps.
i gotta believe that, or I wouldn't be putting myself thru this
nightmare! ( i would have jumped to sendmail long ago)
>
>
>
>
> LOL! My old one was "Windows, a colourful clown suit for DOS" I got
> that off Usenet sometime waaaay back. I liked it though!
>
I REALLY like that 1 too!!
TX again for all your help!
Bob