LDAP - howto get linux to talk to exchange/AD

2007-12-04 Thread Bob Goldberg
Clarence,

I'm most appreciative for your post.

although your perl script doesn't work for me as is... I was able to use it
to make one that DOES work.

what REALLY confuses me now, is that my perl script WILL access ldap, and
produce results -
but when I try the same thing using ldapsearch from bash, NO Go ! 

to be honest, at this point, if it works in perl, I don't care that it
doesn't from bash...

now I need to get exim working!

TX again!!


LDAP - howto get linux to talk to exchange/AD

2007-11-30 Thread Bob Goldberg
CR - TX for your reply, your script & data was very useful.

I've made some progress... I still don't know why I can't authenticate using
my admin account / password (and NOTHING I do seems to resolve this).
BUT - with my improved understanding of the structure of the ldapsearch
command (TX SK);
and a renewed attempt to access the ldap server anonymously (CR ;_); it
appears that I can now connect to my exchange server.

now, my problem is I still can't run any queries, I only get:
# search result
search: 2
result: 2 Protocol error

After much googling on ldap protocol error 2, I'm again stuck.
I found hits that referenced a -C option to ldapsearch; which doesn't seem
to apply anymore, since I find no doc's on -C in the manpage.
I found another hit that might indicate that ldap V3 and exchange 5.5 might
produce a protocol error, but I've started using -P2 anyway, with no
different response.

although this error is returned from the exchange server, the problem has
GOT to be with ldapsearch / debian. I CAN do successful queries from windows
environment.

anyone got more ideas?

TIA! (again) - Bob


Re: LDAP - howto get linux to talk to exchange/AD

2007-11-30 Thread Patter
On Fri, 30 Nov 2007 05:10:07 +0100, Bob Goldberg wrote:
> I agree - problem is DEFINITELY ldap authentication; forget about exim
>
> my exchange server is setup to accept clear text, and anonymous OK (even
> though I'm not trying to be anon).
>
> here's the thing - I have no idea what is going on between ldapsearch, and
> my exchange server.
>
> ldap is definitely running - I can run custom queries, and ldap://queries
> thru my windows browser with success.
>
> the problem IS debian authenticating w/ the exchange server.

You need to authenticate to the LDAP tree using a username that exists
in Active Directory, I can't remember how but I did this a few years ago
for a squid proxy.

> Can someone tell me some way to diagnose just what is happening in this
> communication between ldapsearch & ldap server ???

Wireshark or any packet sniffer should be able to show what's being
transferred, it may also be worth installing the openldap client
utilities (ldap-utils under debian) and querying the database manually
from them.

> Or can someone point me / show me how a structured communication to the
> ldap server would look like, so I can try sending it thru telnet - just to
> see if I can get it to work that way Then I can try & figure out what
> ldapsearch is sending...

http://www.mozilla.org/directory/standards.html may be useful but LDAP
isn't the easiest of protocols to grok manually.

-- 
Stephen Patterson :: [EMAIL PROTECTED] :: http://patter.mine.nu/
GPG: B416F0DE :: Jabber: [EMAIL PROTECTED] 
Don't be silly, Minnie. Who'd be walking round these cliffs with a gas oven?


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
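What a "structured communication" to port 389 looks like on the wire, as an added example that is not part of any post in this thread: LDAP messages are BER-encoded binary, so text typed into telnet is not a valid request. The sketch encodes a simple BindRequest and decodes a BindResponse per RFC 4511; the DN and password are the placeholders from the ldapsearch command quoted in the thread, and the sample response bytes are constructed.

```python
"""Encode an LDAP simple BindRequest and decode a BindResponse (BER, RFC 4511)."""

# Result codes that come up in this thread (RFC 4511, section 4.1.9)
RESULT_NAMES = {0: "success", 2: "protocolError", 49: "invalidCredentials"}

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, value):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):
    """INTEGER (tag 0x02) for a non-negative value, keeping the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def bind_request(msg_id, version, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version, name, simple } }"""
    op = tlv(0x60, ber_int(version)
                   + tlv(0x04, dn.encode())         # name: OCTET STRING
                   + tlv(0x80, password.encode()))  # simple [0]: password in clear
    return tlv(0x30, ber_int(msg_id) + op)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (message_id, result_code, matched_dn, diagnostic_message)."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:                                  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, p = read_tlv(op, 0)
    _, matched, p = read_tlv(op, p)
    _, diag, _ = read_tlv(op, p)
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            matched.decode(errors="replace"), diag.decode(errors="replace"))

# Constructed sample: a server answering message 1 with resultCode 2
SAMPLE_RESPONSE = bytes.fromhex("300c02010161070a010204000400")

if __name__ == "__main__":
    req = bind_request(1, 3, "CN=exim,CN=Users,DC=domain,DC=com", "password")
    print("request :", req.hex(" "))
    mid, code, _, _ = parse_bind_response(SAMPLE_RESPONSE)
    print("response: id=%d result=%d (%s)" % (mid, code, RESULT_NAMES.get(code, "?")))
```

The password bytes sit unmodified inside the request, which is what a packet capture of a clear-text simple bind shows.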



Re: LDAP - howto get linux to talk to exchange/AD

2007-11-30 Thread Clarence W. Robison
On 29 Nov 2007 at 21:46, Bob Goldberg wrote:

 
> OK;
>
> I agree - problem is DEFINITELY ldap authentication; forget about
> exim
>
> my exchange server is setup to accept clear text, and anonymous OK (even
> though I'm not trying to be anon).
>
> here's the thing - I have no idea what is going on between ldapsearch,
> and my exchange server.
>
> I've tried netcat'g the host:389 to see if I could eavesdrop, but to no
> avail.
> I've tried telnet'g to the host:389, and DO connect, but have no idea
> what the communication should look like, and I get no responses at all
> regardless of what I try.
>
> ldap is definitely running - I can run custom queries, and
> ldap://queries thru my windows browser with success.
>
> the problem IS debian authenticating w/ the exchange server.
>
> Can someone tell me some way to diagnose just what is happening in this
> communication between ldapsearch & ldap server ???
> Or can someone point me / show me how a structured communication to
> the ldap server would look like, so I can try sending it thru telnet -
> just to see if I can get it to work that way Then I can try & figure
> out what ldapsearch is sending...
>
> TIA - Bob
 
 
Bob, 

I have not done this with AD; however, I have done it with Novell's eDir on a
Netware Box. After confirming what attributes were visible with an LDAP
Browser on my windows workstation (http://www-unix.mcs.anl.gov/~gawor/ldap/),
I wrote a perl script to verify/test e-mail address verification on the eDir.

*** Perl Snippet ***
 use Net::LDAP;
 use Net::LDAP::Util qw(escape_filter_value);
 # $ldhost, $ogunit, @eaddrs and @attribs are set earlier in the script (not shown)

 # Open Connection to the LDAP server
 print "Opening a connection to $ldhost ... ";
 $ldap = Net::LDAP->new($ldhost) || die "Could not connect -- $@";
 print "OK\n";
 #
 print "Binding ... ";
 # Do an anonymous bind
 $mesg = $ldap->bind;
 $status = $mesg->code;
 $errmsg = $mesg->error;
 print "Status: ($status) $errmsg ";
 #
 # Do a search for each e-mail address
 foreach $addr (@eaddrs) {
   print "Looking for $addr ... ";
   # Escape the address so characters such as * ( ) \ cannot alter the filter
   $filter = "(&(objectclass=inetOrgPerson)(mail=" . escape_filter_value($addr) . "))";
   $mesg = $ldap->search(base => $ogunit, filter => $filter, attrs => \@attribs);
   $status = $mesg->code;
   $errmsg = $mesg->error;
   print "Status: ($status) $errmsg ";
   $ecnt = $mesg->count;
   print "found $ecnt entries\n";
   if ($ecnt > 0) {    # Found email address in directory
     foreach $entry ($mesg->entries) {
       $dn = $entry->dn;
       $spam = $entry->get_value('SpamControl');
       print "\t$dn \tSpamControl: $spam ";
       @email = $entry->get_value('mail');
       $flag = 0;
       # First value is printed as the address, the rest as aliases
       foreach $alias (@email) {
         if ($flag) { print "\n\t  Alias: $alias"; }
         else {
           print "\n\tAddress: $alias";
           $flag = 1;
         }
       }
     }
   }
   else { print "failed. Does not exist in the directory\n\n"; }
 }
*** End of Perl Snippet ***

Once, I was able to verify email addresses with the perl; I adjusted Exim4's 
configuration like so ... (You need to have the heavy exim4 package)


# CWR Attempt at LDAP E-Mail Address verification
# accept any group or mail list address which are not in the
# eDirectory
accept
   domains = kimberly.uidaho.edu
   recipients = lsearch;CONFDIR/acceptable.lst

# check for individual e-mail addresses which are in the eDirectory
deny
   domains = kimberly.uidaho.edu
   message = Administrative prohibition - unable to validate recipient
   condition = ${lookup ldapm{ \
 ldap://###.###.###.###/o=ui?mail?sub?\
 (mail=${quote_ldap:[EMAIL PROTECTED])} {0} {1} }

# CWR Attempt at LDAP -- discard
 

The key for me, was using the perl script and ldap browser to verify what
attributes were visible when doing an anonymous bind to ldap _and_ how to
code the request.

I hope this helps a bit. My setup is a Novell Netware server hidden from the
outside world and a Debian ETCH server visible to the outside world running
exim.

-- cheers Clarence -- 
Clarence W. Robison, P.E.
[EMAIL PROTECTED]
208-423-6610
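Why the recipient address is quoted before it goes into the `(mail=...)` filter, as an added example that is not code from this thread: the same lookup built with and without RFC 4515 escaping, evaluated against a constructed directory. The addresses, the `DIRECTORY` list and the `matches` helper (a stand-in for the server's handling of a single `(mail=...)` item) are assumptions made for illustration.

```python
import re

# Constructed sample directory: the mail values a server would hold
DIRECTORY = ["bob@example.com", "clarence@example.com"]

def escape_filter_value(value):
    """RFC 4515 escaping: backslash, *, (, ) and NUL become \\xx hex pairs."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def mail_filter(addr, escape=True):
    """Build the (mail=...) filter used for recipient verification."""
    return "(mail=%s)" % (escape_filter_value(addr) if escape else addr)

def matches(filter_str, entry_mail):
    """Evaluate one (mail=pattern) item: a bare * is a wildcard,
    a \\xx pair is the literal character it encodes."""
    m = re.fullmatch(r"\(mail=(.*)\)", filter_str, re.S)
    if not m:
        raise ValueError("only a single (mail=...) item is supported here")
    regex = ""
    for part in re.split(r"(\\[0-9a-fA-F]{2}|\*)", m.group(1)):
        if part == "*":
            regex += ".*"                                   # wildcard
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", part):
            regex += re.escape(chr(int(part[1:], 16)))      # escaped literal
        else:
            regex += re.escape(part)
    return re.fullmatch(regex, entry_mail, re.I | re.S) is not None

def recipient_exists(addr, escape=True):
    """True if any directory entry matches the filter built from addr."""
    flt = mail_filter(addr, escape)
    return any(matches(flt, mail) for mail in DIRECTORY)

if __name__ == "__main__":
    for addr in ("bob@example.com", "nobody@example.com", "*@example.com"):
        print("%-22s raw=%-5s escaped=%s" % (
            addr, recipient_exists(addr, escape=False), recipient_exists(addr)))
```

With the raw filter, a recipient containing `*` is accepted although no such mailbox exists; the escaped filter only accepts exact addresses.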





LDAP - howto get linux to talk to exchange/AD

2007-11-29 Thread Bob Goldberg
at the end of the day, this is what I want: my debian(etch)/exim
machine to accept all internet Email to my domain, ignore all else,
and relay on to my exchange 5.5 server. This means I want exim to
validate email recipients thru ldap lookups.

seems like a simple enough task, even one that many people have
probably done. Can I find any examples of an exim config file that
demonstrates this? NO! doc's suck. So I have no idea if my router
config is even close or not. I don't think I need an acl, but i'm not
sure. such a simple task, you'd think there'd already be a sample
config file out there somewhere

Having said that, I'm trying to figure out why my ldap lookup's aren't
working, so that leads me down a nasty diagnostic path.

1) can you do ldap queries using telnet? I seem to connect to my
server fine, but every query I insert, returns nothing.

2) i'm trying to do ldap lookups using ldapsearch, and I'm not having
any luck at all, and i'm getting invalid credential error messages.

3) ldap is definitely running on exchange, because an ldap://server/query
entry in a browser, brings up a dialog box that will successfully search
using a custom ldap string,
and it all works.

4) if I can't use telnet to try to diagnose what's going on - where should I
start?
TIA - Bob


LDAP - howto get linux to talk to exchange/AD

2007-11-29 Thread Bob Goldberg
Apologies for any duplicate posts I'm reading this thread on google
(groups), and I apparently can't reply/post from there

reply to s.:
hi s.

yes, I have...(google searches) but none of my searches has revealed any
information that actually works.

All I can get out of exim is Unrouteable address. no matter what I've
tried.
The ppt presentation you referred to looked like it had potential, but not 1
single LDAP query in that ppt seemed to work correctly on my windows
browser. I figured if the information in there, which DID look fairly
straightforward, doesn't work right, then how can I trust anything that
follows.?

I certainly accept the notion that the problem is ME. But I can't seem to
find a place to start diagnosing what I'm doing wrong... I can't seem to get
even the simplest of things to work correctly when it comes to using exim w/
ldap.

I consider myself expert, when it comes to most things *nix. But working
with ldap has been the most frustrating experience i've had in a long time.

The closest thing to ANY success i've had is with ldapsearch as follows:
ldapsearch -h exchange.domain.com -D "CN=exim,CN=Users,DC=domain,DC=com" -x \
  -w password -b "CN=Users,DC=domain,DC=com" \
  "(memberOf=CN=Users,DC=domain,DC=com)"

this command at least seems to communicate w/ the exchange server, and tells
me invalid credentials.
I can only ASSUME that means a problem w/ the user/password, but I KNOW that
info IS valid.

I don't have a clue how to start figuring out what's wrong with credentials
I KNOW are good.
is debian REALLY talking to my exchange server? have no clue...
it would help if I could telnet to my exchange server & submit a query & see
it work... but no one can
even tell me IF this can be done!?!?


Re: LDAP - howto get linux to talk to exchange/AD

2007-11-29 Thread bobg . hahc
On Nov 28, 8:40 pm, s. keeling [EMAIL PROTECTED] wrote:
> Bob Goldberg [EMAIL PROTECTED]:
>
> > at the end of the day, this is what I want: my debian(etch)/exim machine to
> > accept all internet Email to my domain, ignore all else, and relay on to my
> > exchange 5.5 server. This means I want exim to validate email recipients
> > thru ldap lookups.
>
> Have you googled exim ldap?  You appear to be reinventing the
> wheel.  :-)  The first hit I see is a ppt, Using Exim With LDAP.  And
> I see FreeBSD has exim-ldap...


hi s.

yes, I have... but none of my searches has revealed any information
that actually works.

All I can get out of exim is Unrouteable address. no matter what
I've tried.
The ppt presentation you referred to looked like it had potential, but
not 1 single LDAP query in that ppt seemed to work correctly on my
windows browser. I figured if the information in there, which DID look
fairly straightforward, doesn't work right, then how can I trust
anything that follows.?

I certainly accept the notion that the problem is ME. But I can't seem
to find a place to start diagnosing what I'm doing wrong... I can't
seem to get even the simplest of things to work correctly when it
comes to using exim w/ ldap.

I consider myself expert, when it comes to most things *nix. But
working with ldap has been the most frustrating experience i've had in
a long time.

The closest thing to ANY success i've had is with ldapsearch as
follows:
ldapsearch -h exchange.domain.com -D "CN=exim,CN=Users,DC=domain,DC=com" -x \
  -w password -b "CN=Users,DC=domain,DC=com" \
  "(memberOf=CN=Users,DC=domain,DC=com)"

this command at least seems to communicate w/ the exchange server, and
tells me invalid credentials.
I can only ASSUME that means a problem w/ the user/password, but I
KNOW that info IS valid.

I don't have a clue how to start figuring out what's wrong with
credentials I KNOW are good.
is debian REALLY talking to my exchange server? have no clue...
it would help if I could telnet to my exchange server & submit a query
& see it work... but no one can even tell me if this can be done!?!?





Re: LDAP - howto get linux to talk to exchange/AD

2007-11-29 Thread s. keeling
[EMAIL PROTECTED] [EMAIL PROTECTED]:
> On Nov 28, 8:40 pm, s. keeling [EMAIL PROTECTED] wrote:
> > Bob Goldberg [EMAIL PROTECTED]:
> >
> > > at the end of the day, this is what I want: my
> > > debian(etch)/exim machine to accept all internet Email to my
> > > domain, ignore all else, and relay on to my exchange 5.5
> > > server. This means I want exim to validate email recipients
> > > thru ldap lookups.
> >
> > Have you googled exim ldap?  You appear to be reinventing the
> [snip]
> The closest thing to ANY success i've had is with ldapsearch as
> follows:
> ldapsearch -h exchange.domain.com -D
> "CN=exim,CN=Users,DC=domain,DC=com" -x -w password -b
> "CN=Users,DC=domain,DC=com" "(memberOf=CN=Users,DC=domain,DC=com)"
>
> this command at least seems to communicate w/ the exchange server,
> and tells me invalid credentials.  I can only ASSUME that means a
> problem w/ the user/password, but I KNOW that info IS valid.

Then it's a problem communicating those credentials.  One's using md5
hashes and the other's expecting crypt/PAM/Kerberos?!?/...

> I don't have a clue how to start figuring out what's wrong with
> credentials I KNOW are good.

Then it's not the credentials, it's how they're being communicated
from one process to the other.  I'd ignore exim on this for now.  I'd
say your problem's ldap.  Sort it out and exim should fall into line.
Yes, ldap can be bloody frustrating depending on the existing LAN
software.

> is debian REALLY talking to my exchange server? have no clue...  it
> would help if I could telnet to my exchange server & submit a query
> & see it work... but no one can even tell me if this can be
> done!?!?

What?  Is the server accepting telnet connections?  I don't do
Windows, but surely it has some sort of telnetd/sshd by now?


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://blinkynet.net/comp/uip5.html  Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html  Please, don't Cc: me.





LDAP - howto get linux to talk to exchange/AD

2007-11-29 Thread Bob Goldberg
OK;

I agree - problem is DEFINITELY ldap authentication; forget about exim

my exchange server is setup to accept clear text, and anonymous OK (even
though I'm not trying to be anon).

here's the thing - I have no idea what is going on between ldapsearch, and
my exchange server.

I've tried netcat'g the host:389 to see if I could eavesdrop, but to no
avail.
I've tried telnet'g to the host:389, and DO connect, but have no idea what
the communication should look like, and I get no responses at all regardless
of what I try.

ldap is definitely running - I can run custom queries, and ldap://queries
thru my windows browser with success.

the problem IS debian authenticating w/ the exchange server.

Can someone tell me some way to diagnose just what is happening in this
communication between ldapsearch & ldap server ???
Or can someone point me / show me how a structured communication to the
ldap server would look like, so I can try sending it thru telnet - just to
see if I can get it to work that way Then I can try & figure out what
ldapsearch is sending...



TIA - Bob


LDAP - howto get linux to talk to exchange/AD

2007-11-28 Thread bobg . hahc
at the end of the day, this is what I want: my debian(etch)/exim
machine to accept all internet Email to my domain, ignore all else,
and relay on to my exchange 5.5 server. This means I want exim to
validate email recipients thru ldap lookups.

seems like a simple enough task, even one that many people have
probably done. Can I find any examples of an exim config file that
demonstrates this? NO! doc's suck. So I have no idea if my router
config is even close or not. I don't think I need an acl, but i'm not
sure. such a simple task, you'd think there'd already be a sample
config file out there somewhere

Having said that, I'm trying to figure out why my ldap lookup's aren't
working, so that leads me down a nasty diagnostic path.

1) can you do ldap queries using telnet? I seem to connect to my
server fine, but every query I insert, returns nothing.

2) i'm trying to do ldap lookups using ldapsearch, and I'm not having
any luck at all, and i'm getting useless error messages.

3) ldap is definitely running on exchange, because an ldap://server/query
entry in a browser, brings up a dialog box that will successfully search
using a custom ldap string, and it all works.

4) if I can't do a simply query using ldapsearch, how in the  am i
ever going to get exim setup correctly what does a valid ldapsearch
command look like anyway??

5) if I can't use telnet to try to diagnose what's going on - where
should I start?


TIA - Bob





LDAP - howto get linux to talk to exchange/AD

2007-11-28 Thread Bob Goldberg
at the end of the day, this is what I want: my debian(etch)/exim machine to
accept all internet Email to my domain, ignore all else, and relay on to my
exchange 5.5 server. This means I want exim to validate email recipients
thru ldap lookups.

seems like a simple enough task, even one that many people have probably
done. Can I find any examples of an exim config file that demonstrates this?
NO! doc's suck. So I have no idea if my router config is even close or not.
I don't think I need an acl, but i'm not sure. such a simple task, you'd
think there'd already be a sample config file out there somewhere

Having said that, I'm trying to figure out why my ldap lookup's aren't
working, so that leads me down a nasty diagnostic path.

1) can you do ldap queries using telnet? I seem to connect to my server
fine, but every query I insert, returns nothing.

2) i'm trying to do ldap lookups using ldapsearch, and I'm not having any
luck at all, and i'm getting useless error messages.

3) ldap is definitely running on exchange, because an ldap://server/query
entry in a browser, brings up a dialog box that will successfully search
using a custom ldap string, and it all works.

4) if I can't do a simply query using ldapsearch, how in the  am i ever
going to get exim setup correctly what does a valid ldapsearch command
look like anyway??

5) if I can't use telnet to try to diagnose what's going on - where should I
start?


TIA - Bob


Re: LDAP - howto get linux to talk to exchange/AD

2007-11-28 Thread s. keeling
Bob Goldberg [EMAIL PROTECTED]:
 
> at the end of the day, this is what I want: my debian(etch)/exim machine to
> accept all internet Email to my domain, ignore all else, and relay on to my
> exchange 5.5 server. This means I want exim to validate email recipients
> thru ldap lookups.

Have you googled exim ldap?  You appear to be reinventing the
wheel.  :-)  The first hit I see is a ppt, Using Exim With LDAP.  And
I see FreeBSD has exim-ldap ...


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://blinkynet.net/comp/uip5.html  Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html  Please, don't Cc: me.





samba ldap howto

2007-06-15 Thread Rodney Richison

Looking for a fairly current debian  samba  ldap  pdc howto..

The ones I find for sarge and/or etch all say at the top.  This document 
is not yet finished..   :)











Re: samba ldap howto

2007-06-15 Thread Mirco Piccin

Hi.

http://www.pictux.org/forum/viewtopic.php?t=5
(yes, it's in italian; you can try reading it using babel fish translation:
http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=it_enurl=http%3A%2F%2Fwww.pictux.org%2Fforum%2Fviewtopic.php%3Ft%3D5
)

I wrote down this guide reading/copying other guides (all reported on links
at bottom of post). It's for Sarge, but I try to follow the steps there
reported for a fresh etch, and all works.
Hope it helps you!


Re: LDAP howto?

2006-10-04 Thread Mirco Piccin
Hi.

> Pointers to good LDAP-howto for server configuration details.

You can also look at:
http://www.pictux.org/forum/viewtopic.php?t=5
that is a little useful guide.
It's in italian, but with http://babelfish.altavista.com/ you can translate it in English.
Hope it helps you!
Bye


Re: LDAP howto?

2006-10-04 Thread John Schmidt
On Tuesday 03 October 2006 17:28, Ishwar Rattan wrote:
> Pointers to good LDAP-howto for server configuration
> details.
>
> -ishwar

This is where I started:

http://people.debian.org/~torsten/ldapnss.html

John





LDAP howto?

2006-10-03 Thread Ishwar Rattan


Pointers to good LDAP-howto for server configuration
details.

-ishwar






Re: LDAP howto?

2006-10-03 Thread Morten O. Hansen
On Tue, 2006-10-03 at 19:28 -0400, Ishwar Rattan wrote:
> Pointers to good LDAP-howto for server configuration
> details.

I guess this [1] is a good starting point, and it wouldn't hurt googling
for 'debian ldap' either.

[1] http://wiki.debian.org/LDAP

With regards, Morten O. Hansen


