Hi guys,

I'm hoping someone here can help me stop tearing my hair out trying to
authenticate against an Active Directory Server with authldap!

I was originally trying to build an Ubuntu Hardy mailserver,
authenticating and getting user details from AD.  This seemed to be
working, but was intermittent.

When I installed the ldap-auth-config package, which is a meta-package that
pulls in the PAM and NSS LDAP elements and helps me configure them, it
seemed to stop being intermittent.  I didn't fully understand this, but...

Due to a policy change, we decided here to deploy against Ubuntu/Jaunty,
so I've built a new test/dev server exactly the same, and found I cannot
get it to auth.  Trying the old server, I find it _is_ still
intermittent, not fixed - just a bit better.  Odd.

The Jaunty package authldap is 0.61.0-1+lenny and the Hardy version is
0.60.1-1ubuntu

What I have worked out today is that it is to do with the search base: I
have many OUs in my AD, and if I set it to EXACTLY the right search base
('OU=Users,OU=Horsham Group,DC=willsandco,DC=com') then I get one result
back and all is well with the world - on BOTH old and new versions.

If I set the search base to 'DC=willsandco,DC=com', authldap fails
outright on the new one and becomes intermittent on the old.

Doing each search using ldapsearch gives me a small clue: I can use
either base and get a response, BUT the wider search base tells me there
were actually 5 responses:

ldapsearch -x -D cn=Administrator,cn=Users,dc=willsandco,dc=com -W \
  '(&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))'

# extended LDIF
#
# LDAPv3
# base <dc=willsandco,dc=com> (default) with scope subtree
# filter: (&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))
# requesting: ALL
#

# Oli Comber, Users, Horsham Group, willsandco.com
dn: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Oli Comber
sn: Comber
description: IT
givenName: Oli
distinguishedName: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=com
instanceType: 4
whenCreated: 20081202141439.0Z
whenChanged: 20091012105255.0Z
displayName: Oli Comber
uSNCreated: 892005
memberOf: CN=IT,OU=UserGroups,DC=willsandco,DC=com
uSNChanged: 2370039
name: Oli Comber
objectGUID:: jYZhd0Ajek2fK69c2iYwTA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\pluto\HomeDirs\ocomber
homeDrive: Z:
badPasswordTime: 128994631088125000
lastLogoff: 0
lastLogon: 128994631117968750
pwdLastSet: 128993081843125000
primaryGroupID: 513
profilePath: \\venus\Profiles$\ocomber
objectSid:: AQUAAAAAAAUVAAAA9cRKrEAQsk8VFDDuWAgAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: ocomber
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=willsandco,DC=com
dSCorePropagationData: 20090421140127.0Z
dSCorePropagationData: 20090421140127.0Z
dSCorePropagationData: 20090421140127.0Z
dSCorePropagationData: 20090421135004.0Z
dSCorePropagationData: 16010108151056.0Z
lastLogonTimestamp: 128998183757656250
mail: [email protected]

# search reference
ref: ldap://DomainDnsZones.willsandco.com/DC=DomainDnsZones,DC=willsandco,DC=com

# search reference
ref: ldap://ForestDnsZones.willsandco.com/DC=ForestDnsZones,DC=willsandco,DC=com

# search reference
ref: ldap://willsandco.com/CN=Configuration,DC=willsandco,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

So I suspect my search is returning multiple results, where results are
all smoke and mirrors coming from different parts of the tree, hence the
"references".  This is held up by the result of the search with a more
restrictive base:

ldapsearch -x -D cn=Administrator,cn=Users,dc=willsandco,dc=com -W \
  '(&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))' \
  -b "OU=Users,OU=Horsham Group,dc=willsandco,dc=com"

The last bit reads:
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

- Only 2 numResponses and no Search References.

The Active Directory Server has been set up here with an OU per site,
with users under each OU.  I believe this was for Group Policy reasons
(but I suspect this may be unnecessary and could be achieved a different
way).

Can anyone help me set up authldap to search multiple OUs and return a
single result?  Assuming the package I'm using is a few months out of
date, is there anything in the latest release or CVS version for either
using multiple bases or limiting search results (/using the first search result)?

Thanks very much in advance for any help or advice!!

Cheers,
-Oli



-- 
Oli Comber
Systems Developer
3aIT Limited - Official Corporate Sponsor of the British Bobsleigh Team
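An added example, not part of Oli's post and not Courier/authldap code: a small Python parser for the LDIF that ldapsearch prints, which separates real entries from the "search reference" records shown above so the gap between numResponses and numEntries is visible. The embedded LDIF is a constructed sample abbreviated from the wide-base output in the post; the function names are my own, and the base64 handling only strips the `::` marker rather than decoding the value.

```python
"""Classify the records in ldapsearch LDIF output.

Added example (not from the original post). It shows why a subtree search from
the domain root reports numResponses: 5 for a single user: three of the five
responses are search references (referrals) to other naming contexts, not
entries.
"""

# Constructed sample, abbreviated from the wide-base ldapsearch output in the post.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=willsandco,dc=com> (default) with scope subtree
# filter: (&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))
# requesting: ALL
#

# Oli Comber, Users, Horsham Group, willsandco.com
dn: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=com
objectClass: top
objectClass: user
distinguishedName: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=co
 m
objectGUID:: jYZhd0Ajek2fK69c2iYwTA==
sAMAccountName: ocomber
userAccountControl: 512

# search reference
ref: ldap://DomainDnsZones.willsandco.com/DC=DomainDnsZones,DC=willsandco,DC=c
 om

# search reference
ref: ldap://ForestDnsZones.willsandco.com/DC=ForestDnsZones,DC=willsandco,DC=c
 om

# search reference
ref: ldap://willsandco.com/CN=Configuration,DC=willsandco,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
"""


def unfold(lines):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_records(text):
    """Split LDIF into blank-line separated records of attribute -> [values], skipping '#' comments."""
    records, current = [], {}
    for line in unfold(text.splitlines()):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: base64" form; marker stripped, value left encoded
            value = value[1:]
        current.setdefault(name, []).append(value.strip())
    if current:
        records.append(current)
    return records


def classify(text):
    """Sort records into entries (have a dn), referrals (ref:) and the final search result."""
    entries, refs, results = [], [], []
    for rec in parse_records(text):
        if "dn" in rec:
            entries.append(rec)
        elif "ref" in rec:
            refs.extend(rec["ref"])
        elif "result" in rec:
            results.append(rec["result"][0])
    return {"entries": entries, "referrals": refs, "results": results}


def summarize(text):
    """Reproduce ldapsearch's trailer counters: responses = entries + references + result message."""
    r = classify(text)
    return {
        "numResponses": len(r["entries"]) + len(r["referrals"]) + len(r["results"]),
        "numEntries": len(r["entries"]),
        "numReferences": len(r["referrals"]),
    }


if __name__ == "__main__":
    r = classify(SAMPLE_LDIF)
    print(summarize(SAMPLE_LDIF))
    for e in r["entries"]:
        print("entry:   ", e["dn"][0])
    for ref in r["referrals"]:
        print("referral:", ref)
```

Run stand-alone it reports one entry and three referrals for the sample: the referrals point at the DomainDnsZones, ForestDnsZones and Configuration naming contexts, which a subtree search based at the domain root returns as references rather than as entries, which is exactly why the narrower base in the post yields numResponses: 2 and no search references.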