Re: LDAP - howto get linux to talk to exchange/AD
On 29 Nov 2007 at 21:46, Bob Goldberg wrote:
>
> OK;
>
> I agree - problem is DEFINITELY ldap authentication; forget about
> exim....
>
> my exchange server is setup to accept clear text, and anonymous OK (even
> though I'm not trying to be anon).
>
> here's the thing - I have no idea what is going on between ldapsearch,
> and my exchange server.
>
> I've tried netcat'g the host:389 to see if I could eavesdrop, but to no
> avail.
> I've tried telnet'g to the host:389, and DO connect, but have no idea
> what the communication should look like, and I get no responses at all
> regardless of what I try.
>
> ldap is definitely running - I can run custom queries, and
> ldap://queries thru my windows browser with success.
>
> the problem IS debian authenticating w/ the exchange server.
>
> Can someone tell me some way to diagnose just what is happening in this
> communication between ldapsearch & ldap server ???
> Or can someone point me / show me how a structured communication to
> the ldap server would look like, so I can try sending it thru telnet -
> just to see if I can get it to work that way.... Then I can try & figure
> out what ldapsearch is sending...
>
> ????
>
> TIA - Bob
>
>
Bob,
I have not done this with AD; however, I have done it with Novell's eDir on a
Netware box. After confirming what attributes were visible with an LDAP
browser on my Windows workstation (http://www-unix.mcs.anl.gov/~gawor/ldap/),
I wrote a Perl script to test e-mail address verification against the eDir.
****** Perl Snippet **************
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Settings: the values below are placeholders, fill in your own directory
my $ldhost  = 'ldap.example.com';         # LDAP server, port 389, cleartext
my $ogunit  = 'o=ui';                     # search base
my @attribs = ('mail', 'SpamControl');    # attributes to fetch (SpamControl is an eDir attribute)
my @eaddrs  = @ARGV;                      # e-mail addresses to check, given on the command line

# Open connection to the LDAP server
print "Opening a connection to $ldhost ... ";
my $ldap = Net::LDAP->new($ldhost) or die "Could not connect -- $@";
print "OK\n";

print "Binding ... ";
# Do an anonymous bind
my $mesg   = $ldap->bind;
my $status = $mesg->code;
my $errmsg = $mesg->error;
print "Status: ($status) $errmsg\n";

# Do a search for each e-mail address
foreach my $addr (@eaddrs) {
    print "Looking for $addr ... ";
    # escape_filter_value keeps *, (, ), \ in the address from altering the filter
    my $filter = '(&(objectclass=inetOrgPerson)(mail=' . escape_filter_value($addr) . '))';
    # attrs takes an array reference, not a flattened list
    $mesg   = $ldap->search(base => $ogunit, filter => $filter, attrs => \@attribs);
    $status = $mesg->code;
    $errmsg = $mesg->error;
    print "Status: ($status) $errmsg ";
    my $ecnt = $mesg->count;
    print "found $ecnt entries\n";
    if ($ecnt > 0) {    # Found email address in directory
        foreach my $entry ($mesg->entries) {
            my $dn   = $entry->dn;
            my $spam = $entry->get_value('SpamControl');
            print "\t$dn \tSpamControl: ", (defined $spam ? $spam : ''), " ";
            my @email = $entry->get_value('mail');    # list context: all values
            my $flag  = 0;
            foreach my $alias (@email) {
                if ($flag) { print "\n\t Alias: $alias"; }
                else {
                    print "\n\tAddress: $alias";
                    $flag = 1;
                }
            }
            print "\n";
        }
    }
    else { print "failed. Does not exist in the directory\n\n"; }
}
$ldap->unbind;
******** End of Perl Snippet ***************
Once I was able to verify e-mail addresses with the Perl script, I adjusted Exim4's
configuration like so (you need to have the "heavy" exim4 package):
#### CWR Attempt at LDAP E-Mail Address verification
#### accept any "group" or "mail list" address which are not in the
#### eDirectory
accept
  domains    = kimberly.uidaho.edu
  recipients = lsearch;CONFDIR/acceptable.lst

#### check for individual e-mail addresses which are in the eDirectory
#### lookup succeeds -> condition is "0" (false) and the deny is skipped;
#### lookup fails    -> condition is "1" (true) and the recipient is denied
deny
  domains   = kimberly.uidaho.edu
  message   = Administrative prohibition - unable to validate recipient
  condition = ${lookup ldapm{ \
                ldap://###.###.###.###/o=ui?mail?sub?\
                (mail=${quote_ldap:$local_part@$domain})} {0} {1} }
####
#### CWR Attempt at LDAP -- discard
The key for me was using the Perl script and the LDAP browser to verify what
attributes were visible when doing an anonymous bind to LDAP _and_ how to
code the request.
I hope this helps a bit. My setup is a Novell Netware server hidden from the
outside world and a Debian etch server visible to the outside world running
exim.
-- cheers Clarence --
Clarence W. Robison, P.E.
robison@kimberly.uidaho.edu
208-423-6610
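Bob's telnet sessions to port 389 stay silent because LDAP is not a text protocol: every message is a BER-encoded ASN.1 LDAPMessage (RFC 4511), and the server waits until a complete, well-formed one arrives. The block below is added here as an illustration; it is not Clarence's Perl, not Net::LDAP, and not code from any library. It hand-assembles the two PDUs that ldapsearch (or the Perl above) sends for this check, an anonymous BindRequest and a SearchRequest carrying the same (&(objectClass=inetOrgPerson)(mail=...)) filter, decodes the LDAPResult the server answers with, and can push them over a plain socket. The same bytes show up in a tcpdump of ldapsearch or in its `-d -1` debug output. The host, the base DN `o=ui` and the addresses are placeholders; `quote_ldap` is an assumed RFC 4515 equivalent of Exim's `${quote_ldap:...}` operator, included to show why the textual filter needs escaping while the raw BER value does not.

```python
"""Hand-assembled LDAPv3 PDUs (RFC 4511, BER): anonymous bind, e-mail lookup, and
a decoder for the reply.  Constructed for this thread, not Clarence's script or
any library's code.  Host, base DN and addresses are placeholders."""
import socket

def ber_len(n):
    """Definite length: one byte below 128, else 0x80|N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def integer(n, tag=0x02):
    """Two's-complement INTEGER; tag 0x0A makes it an ENUMERATED."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def octets(s):
    return tlv(0x04, s.encode("utf-8") if isinstance(s, str) else s)

def bind_request(msg_id, dn="", password=""):
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] password.
    Empty name and password is the anonymous bind Bob's server permits."""
    op = tlv(0x60, integer(3) + octets(dn) + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, integer(msg_id) + op)

def search_request(msg_id, base, mail, attrs=("mail",)):
    """SearchRequest [APPLICATION 3] for (&(objectClass=inetOrgPerson)(mail=<mail>)),
    scope wholeSubtree, derefAliases never, no limits, typesOnly false.
    The address travels as raw octets, so no backslash escaping is applied here."""
    def eq(attr, val):                       # equalityMatch [3] AttributeValueAssertion
        return tlv(0xA3, octets(attr) + octets(val))
    flt = tlv(0xA0, eq("objectClass", "inetOrgPerson") + eq("mail", mail))   # and [0]
    op = tlv(0x63, octets(base) + integer(2, 0x0A) + integer(0, 0x0A)
             + integer(0) + integer(0) + tlv(0x01, b"\x00") + flt
             + tlv(0x30, b"".join(octets(a) for a in attrs)))
    return tlv(0x30, integer(msg_id) + op)

def ldap_result(msg_id, op_tag, code, diag=""):
    """LDAPResult as BindResponse (0x61) or SearchResultDone (0x65); used only to
    fabricate sample replies for the decoder, since no server is reachable offline."""
    return tlv(0x30, integer(msg_id) + tlv(op_tag, integer(code, 0x0A) + octets("") + octets(diag)))

def parse_tlv(buf, pos=0):
    """Return (tag, payload, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_result(pdu):
    """(messageID, protocolOp tag, resultCode, diagnosticMessage) of an LDAPResult."""
    _, body, _ = parse_tlv(pdu)
    _, mid, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    _, code, pos = parse_tlv(op)            # resultCode: 0 success, 49 invalidCredentials
    _, _matched_dn, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return (int.from_bytes(mid, "big", signed=True), op_tag,
            int.from_bytes(code, "big"), diag.decode("utf-8", "replace"))

def quote_ldap(value):
    """RFC 4515 escaping for the textual filter form (assumed equivalent of Exim's quote_ldap)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def recv_pdu(sock):
    """Read exactly one LDAPMessage from the socket, honouring a long-form length."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf
    head = exact(2)
    n = head[1]
    if n & 0x80:
        extra = exact(n & 0x7F)
        head, n = head + extra, int.from_bytes(extra, "big")
    return head + exact(n)

def lookup(host, base, mail, port=389):
    """Anonymous bind, then the search; returns the raw reply PDUs up to the
    SearchResultDone (tag 0x65).  Everything goes over port 389 in cleartext."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(bind_request(1))
        if parse_result(recv_pdu(s))[2] != 0:
            raise RuntimeError("bind refused")
        s.sendall(search_request(2, base, mail))
        replies = []
        while True:
            pdu = recv_pdu(s)
            replies.append(pdu)
            body = parse_tlv(pdu)[1]
            if body[parse_tlv(body)[2]] == 0x65:
                return replies
```

`bind_request(1).hex()` gives `300c020101600702010304008000`, the 14-byte anonymous bind that any LDAP server answers with a BindResponse; feeding that to the socket is the quickest way to prove the port speaks LDAP at all. `lookup("ldap.example.com", "o=ui", "bob@example.com")` returns the reply PDUs; an address exists when a SearchResultEntry (tag 0x64) precedes a SearchResultDone whose `parse_result` code is 0. Check the search's result code and not only the bind's: with Active Directory's default settings the anonymous bind itself succeeds, but a subsequent search is answered with SearchResultDone resultCode 1 (operationsError) unless anonymous access has been enabled, which looks exactly like "no responses" from a client that only reports failed binds.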