At the end of the day, this is what I want: my debian(etch)/exim
machine to accept all internet email to my domain, ignore all else,
and relay on to my exchange 5.5 server. This means I want exim to
validate email recipients through ldap lookups.
Seems like a simple enough task, even one that many people have
probably done. Can I find any examples of an exim config file that
demonstrates this? NO! Docs suck. So I have no idea if my router
config is even close or not. I don't think I need an acl, but I'm
not sure. Such a simple task, you'd think there'd already be a sample
config file out there somewhere....
Having said that, I'm trying to figure out why my ldap lookups aren't
working, so that leads me down a nasty diagnostic path.
1) Can you do ldap queries using telnet? I seem to connect to my
server fine, but every query I insert returns nothing.
2) I'm trying to do ldap lookups using ldapsearch, and I'm not having
any luck at all, and I'm getting useless error messages.
3) ldap is definitely running on exchange, because an
ldap://server/query entry in a browser brings up a dialog box that
will successfully search using a custom ldap string, and it all works.
4) If I can't do a simple query using ldapsearch, how in the ---- am I
ever going to get exim set up correctly.... What does a valid
ldapsearch command look like anyway??
5) If I can't use telnet to try to diagnose what's going on - where
should I start?
TIA - Bob
bobg.hahc (19) | 11/28/2007 9:43:47 PM
On Wed, 28 Nov 2007 13:43:47 -0800, bobg.hahc wrote:
> At the end of the day, this is what I want: my debian(etch)/exim machine
> to accept all internet email to my domain, ignore all else, and relay on
> to my exchange 5.5 server. This means I want exim to validate email
> recipients through ldap lookups.
>
> Seems like a simple enough task, even one that many people have probably
> done. Can I find any examples of an exim config file that demonstrates
> this? NO! Docs suck. So I have no idea if my router config is even close
> or not. I don't think I need an acl, but I'm not sure. Such a simple
> task, you'd think there'd already be a sample config file out there
> somewhere....
>
> Having said that, I'm trying to figure out why my ldap lookups aren't
> working, so that leads me down a nasty diagnostic path.
>
> 1) Can you do ldap queries using telnet? I seem to connect to my server
> fine, but every query I insert returns nothing.
>
> 2) I'm trying to do ldap lookups using ldapsearch, and I'm not having
> any luck at all, and I'm getting useless error messages.
>
> 3) ldap is definitely running on exchange, because an
> ldap://server/query entry in a browser brings up a dialog box that will
> successfully search using a custom ldap string, and it all works.
>
> 4) If I can't do a simple query using ldapsearch, how in the ---- am I
> ever going to get exim set up correctly.... What does a valid ldapsearch
> command look like anyway??
>
> 5) If I can't use telnet to try to diagnose what's going on - where
> should I start?
>
> TIA - Bob
This rather general waffle may help. We offer software that provides user
authentication via either ldap or ad. The code is almost exactly the
same, but there is one core concept that is different. By default, ad
does *not* allow anonymous read access. This means that you'll either a)
have to reconfigure ad - and google will show you how, or b) authenticate
using a user with enough privilege to actually read the data.
hth,
Steve
steve3852 (58) | 11/28/2007 10:23:05 PM
On Nov 28, 4:23 pm, steve <st...@yobank.com> wrote:
> On Wed, 28 Nov 2007 13:43:47 -0800, bobg.hahc wrote:
> > At the end of the day, this is what I want: my debian(etch)/exim machine
> > to accept all internet email to my domain, ignore all else, and relay on
> > to my exchange 5.5 server. This means I want exim to validate email
> > recipients through ldap lookups.
> >
> > Seems like a simple enough task, even one that many people have probably
> > done. Can I find any examples of an exim config file that demonstrates
> > this? NO! Docs suck. So I have no idea if my router config is even close
> > or not. I don't think I need an acl, but I'm not sure. Such a simple
> > task, you'd think there'd already be a sample config file out there
> > somewhere....
> >
> > Having said that, I'm trying to figure out why my ldap lookups aren't
> > working, so that leads me down a nasty diagnostic path.
> >
> > 1) Can you do ldap queries using telnet? I seem to connect to my server
> > fine, but every query I insert returns nothing.
> >
> > 2) I'm trying to do ldap lookups using ldapsearch, and I'm not having
> > any luck at all, and I'm getting useless error messages.
> >
> > 3) ldap is definitely running on exchange, because an
> > ldap://server/query entry in a browser brings up a dialog box that will
> > successfully search using a custom ldap string, and it all works.
> >
> > 4) If I can't do a simple query using ldapsearch, how in the ---- am I
> > ever going to get exim set up correctly.... What does a valid ldapsearch
> > command look like anyway??
> >
> > 5) If I can't use telnet to try to diagnose what's going on - where
> > should I start?
> >
> > TIA - Bob
>
> This rather general waffle may help. We offer software that provides user
> authentication via either ldap or ad. The code is almost exactly the
> same, but there is one core concept that is different. By default, ad
> does *not* allow anonymous read access. This means that you'll either a)
> have to reconfigure ad - and google will show you how, or b) authenticate
> using a user with enough privilege to actually read the data.
>
> hth,
>
> Steve
Hi Steve;
That does help a little bit...
Here's the problem - under the man page for ldapsearch, there IS a -w
parameter which allows for password entry.
There IS NOT ANY parameter that allows for USERNAME entry....
I am completely lost here. I have no idea why someone would provide a
password, with NO ability to provide a username.
Further - my AD IS set up to allow for anonymous access, so a password
should NOT be required... ???
Still completely lost....
bobg.hahc (19) | 11/28/2007 10:38:53 PM
On Wed, 28 Nov 2007 14:38:53 -0800, bobg.hahc wrote:
> On Nov 28, 4:23 pm, steve <st...@yobank.com> wrote:
>> On Wed, 28 Nov 2007 13:43:47 -0800, bobg.hahc wrote:
>> > At the end of the day, this is what I want: my debian(etch)/exim
>> > machine to accept all internet email to my domain, ignore all else,
>> > and relay on to my exchange 5.5 server. This means I want exim to
>> > validate email recipients through ldap lookups.
>>
>> > Seems like a simple enough task, even one that many people have
>> > probably done. Can I find any examples of an exim config file that
>> > demonstrates this? NO! Docs suck. So I have no idea if my router
>> > config is even close or not. I don't think I need an acl, but I'm not
>> > sure. Such a simple task, you'd think there'd already be a sample
>> > config file out there somewhere....
>>
>> > Having said that, I'm trying to figure out why my ldap lookups aren't
>> > working, so that leads me down a nasty diagnostic path.
>>
>> > 1) Can you do ldap queries using telnet? I seem to connect to my
>> > server fine, but every query I insert returns nothing.
>>
>> > 2) I'm trying to do ldap lookups using ldapsearch, and I'm not having
>> > any luck at all, and I'm getting useless error messages.
>>
>> > 3) ldap is definitely running on exchange, because an
>> > ldap://server/query entry in a browser brings up a dialog box that
>> > will successfully search using a custom ldap string, and it all works.
>>
>> > 4) If I can't do a simple query using ldapsearch, how in the ---- am
>> > I ever going to get exim set up correctly.... What does a valid
>> > ldapsearch command look like anyway??
>>
>> > 5) If I can't use telnet to try to diagnose what's going on - where
>> > should I start?
>>
>> > TIA - Bob
>>
>> This rather general waffle may help. We offer software that provides
>> user authentication via either ldap or ad. The code is almost exactly
>> the same, but there is one core concept that is different. By default,
>> ad does *not* allow anonymous read access. This means that you'll
>> either a) have to reconfigure ad - and google will show you how, or b)
>> authenticate using a user with enough privilege to actually read the
>> data.
>>
>> hth,
>>
>> Steve
>
> Hi Steve;
>
> That does help a little bit...
> Here's the problem - under the man page for ldapsearch, there IS a -w
> parameter which allows for password entry. There IS NOT ANY parameter
> that allows for USERNAME entry.... I am completely lost here. I have no
> idea why someone would provide a password, with NO ability to provide a
> username.
>
> Further - my AD IS set up to allow for anonymous access, so a password
> should NOT be required... ???
>
> Still completely lost....
Your identity is defined by the -D binddn parameter.
steve3852 (58) | 11/28/2007 10:58:16 PM
On Nov 28, 4:58 pm, steve <st...@yobank.com> wrote:
> On Wed, 28 Nov 2007 14:38:53 -0800, bobg.hahc wrote:
> > On Nov 28, 4:23 pm, steve <st...@yobank.com> wrote:
> >> This rather general waffle may help. We offer software that provides
> >> user authentication via either ldap or ad. The code is almost exactly
> >> the same, but there is one core concept that is different. By default,
> >> ad does *not* allow anonymous read access. This means that you'll
> >> either a) have to reconfigure ad - and google will show you how, or b)
> >> authenticate using a user with enough privilege to actually read the
> >> data.
> >>
> >> hth,
> >>
> >> Steve
> >
> > Hi Steve;
> >
> > That does help a little bit...
> > Here's the problem - under the man page for ldapsearch, there IS a -w
> > parameter which allows for password entry. There IS NOT ANY parameter
> > that allows for USERNAME entry.... I am completely lost here. I have no
> > idea why someone would provide a password, with NO ability to provide a
> > username.
> >
> > Further - my AD IS set up to allow for anonymous access, so a password
> > should NOT be required... ???
> >
> > Still completely lost....
>
> Your identity is defined by the -D binddn parameter.
Steve,
TX;
I'm finally starting to see what's supposed to happen now...
So my ldapsearch command now looks like this:
ldapsearch -h ADserver.domain.com -D "CN=<user name>,CN=Users,DC=<domain>,DC=<TLD>" -x -W -b "CN=Users,DC=<domain>,DC=<TLD>" "(memberOf=CN=Users,DC=<domain>,DC=<TLD>)"
OR - translated into something more real:
ldapsearch -h exchange.domain.com -D "CN=exim,CN=Users,DC=domain,DC=com" -x -w "password" -b "CN=Users,DC=domain,DC=com" "(memberOf=CN=Users,DC=domain,DC=com)"
My problem now is that I get an "invalid credentials" error. I get
this error even if I use my personal admin account / password...
Any insight here?
TIA...
Bob
bobg.hahc (19) | 11/29/2007 9:19:13 PM
On Thu, 29 Nov 2007 13:19:13 -0800, bobg.hahc wrote:
> On Nov 28, 4:58 pm, steve <st...@yobank.com> wrote:
>> On Wed, 28 Nov 2007 14:38:53 -0800, bobg.hahc wrote:
>> > On Nov 28, 4:23 pm, steve <st...@yobank.com> wrote:
>> >> This rather general waffle may help. We offer software that provides
>> >> user authentication via either ldap or ad. The code is almost
>> >> exactly the same, but there is one core concept that is different.
>> >> By default, ad does *not* allow anonymous read access. This means
>> >> that you'll either a) have to reconfigure ad - and google will show
>> >> you how, or b) authenticate using a user with enough privilege to
>> >> actually read the data.
>> >>
>> >> hth,
>> >>
>> >> Steve
>>
>> > Hi Steve;
>> >
>> > That does help a little bit...
>> > Here's the problem - under the man page for ldapsearch, there IS a -w
>> > parameter which allows for password entry. There IS NOT ANY parameter
>> > that allows for USERNAME entry.... I am completely lost here. I have
>> > no idea why someone would provide a password, with NO ability to
>> > provide a username.
>> >
>> > Further - my AD IS set up to allow for anonymous access, so a password
>> > should NOT be required... ???
>> >
>> > Still completely lost....
>>
>> Your identity is defined by the -D binddn parameter.
>
> Steve,
>
> TX;
> I'm finally starting to see what's supposed to happen now... So my
> ldapsearch command now looks like this:
> ldapsearch -h ADserver.domain.com -D "CN=<user name>,CN=Users,DC=<domain>,DC=<TLD>" -x -W -b "CN=Users,DC=<domain>,DC=<TLD>" "(memberOf=CN=Users,DC=<domain>,DC=<TLD>)"
>
> OR - translated into something more real:
> ldapsearch -h exchange.domain.com -D "CN=exim,CN=Users,DC=domain,DC=com" -x -w "password" -b "CN=Users,DC=domain,DC=com" "(memberOf=CN=Users,DC=domain,DC=com)"
>
> My problem now is that I get an "invalid credentials" error. I get this
> error even if I use my personal admin account / password...
>
> Any insight here?
>
> TIA...
> Bob
It may be a permissions problem. I tried locally, using administrator
access, and this worked fine...
ldapsearch -LLL -h 10.0.0.208 -D "cn=Administrator,cn=Users,dc=MyDomain,dc=local" -x -w password -b "cn=Users,dc=MyDomain,dc=local"
Steve
steve3852 (58) | 11/30/2007 8:30:12 PM
On Nov 30, 2:30 pm, steve <st...@yobank.com> wrote:
> It may be a permissions problem. I tried locally, using administrator
> access, and this worked fine...
>
> ldapsearch -LLL -h 10.0.0.208 -D "cn=Administrator,cn=Users,dc=MyDomain,dc=local" -x -w password -b "cn=Users,dc=MyDomain,dc=local"
>
> Steve
Well, Steve,
you're not going to believe this...
I STILL have a credential problem when I use the administrator account
- I have no idea why this is.
BUT - if I ldapsearch anonymously, I CAN connect!
Problem is, now all I can get from ldapsearch is a protocol error 2.
More thoughts? :)
TIA (again)
Bob
bobg.hahc (19) | 11/30/2007 9:55:41 PM
OK, scratch all common logic & reason...
I got ldapsearch to work.
ldapsearch -x -H "ldap://exchange.domain.com:389" -b "" -s sub "(cn=*)"
^^^^^ this WORKS!
ldapsearch -x -H "ldap://exchange.domain.com:389" -b "dc=domain,dc=com" -s sub "(cn=*)"
^^^^^ this DOES NOT WORK !?!?!??!!?
Does anyone have a clue?
My ldap.conf file contains BASE dc=domain,dc=com
Why the ---- does the SAME base work when not explicitly specified????
bobg.hahc (19) | 12/4/2007 11:35:02 PM
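Bob's original question asked for an Exim config that only accepts mail for recipients the directory knows, and Steve's point about binding with a real identity applies to Exim's lookups just as it does to ldapsearch. The fragment below is an added Exim 4 example, not configuration from this thread, from Bob's machine or from the Exim project; the server name exchange.domain.com, the bind DN CN=exim,CN=Users,DC=domain,DC=com, the CHANGEME password and the mail attribute are assumptions to replace with what ldapsearch actually returns for your directory.

```exim
# Added example, not configuration from this thread or the Exim project:
# Exim 4 accepts mail for domain.com only when the directory knows the
# recipient, then relays to Exchange. Hostnames, DNs, the password and the
# "mail" attribute are assumptions; confirm them with ldapsearch first.
#
# Check the search base before trusting any base DN: the rootDSE (base "",
# scope base) is readable anonymously and its namingContexts attribute
# lists the base DNs this server actually serves. If dc=domain,dc=com is
# not among them, that is why a search with that explicit base fails:
#   ldapsearch -x -H ldap://exchange.domain.com -b "" -s base namingContexts

domainlist relay_to_domains = domain.com
hostlist   relay_from_hosts = 127.0.0.1

# Server used by lookups written as ldap:///... (no host in the URL)
ldap_default_servers = exchange.domain.com

acl_smtp_rcpt = acl_check_rcpt

begin acl
acl_check_rcpt:
  # mail submitted locally, not over TCP/IP
  accept  hosts = :
  deny    message  = relay not permitted
          !hosts   = +relay_from_hosts
          !domains = +relay_to_domains
  # Runs the routers for the RCPT address: an address the directory does
  # not know gets a 550 here, so Exim never accepts mail it would later
  # have to bounce (no backscatter).
  require message = unknown user
          verify  = recipient
  accept

begin routers
# Route only addresses present in the directory, then hand off to Exchange.
# Bind as a dedicated read-only account, not an admin; the password sits in
# this file, so keep the file readable by the Exim user only. This is the
# only router, so an address the condition rejects is unrouteable and
# recipient verification fails for it.
exchange_recipient:
  driver    = manualroute
  domains   = +relay_to_domains
  condition = ${lookup ldapm{user="CN=exim,CN=Users,DC=domain,DC=com" \
                pass=CHANGEME \
                ldap:///CN=Users,DC=domain,DC=com?mail?sub?\
                (mail=${quote_ldap:$local_part@$domain})}{yes}{no}}
  route_list = * exchange.domain.com
  transport  = remote_smtp

begin transports
remote_smtp:
  driver = smtp
```

Test the routing with exim -bt for one address that exists in the directory and one that does not before exposing the host to the internet.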