Subject: [courier-users] authldap active directory with multiple OUs
Date: Oct 13, 2009 5:27:31 am
I'm hoping someone here can help me stop tearing my hair out trying to authenticate against an Active Directory Server with authldap!
I was originally trying to build an Ubuntu Hardy mailserver, authenticating and getting user details from AD. This seemed to be working, but was intermittent.
When I installed the ldap-auth-config package, which is a meta package pulling in the pam and nss ldap elements and helps me configure them, it seemed to stop being intermittent. Didn't fully understand this, but...
Due to a policy change, we decided here to deploy against Ubuntu/Jaunty, so I've built a new test/dev server exactly the same, and found I cannot get it to auth. Trying the old server, I find it _is_ still intermittent, not fixed - just a bit better. Odd.
The Jaunty package authldap is 0.61.0-1+lenny and the Hardy version is 0.60.1-1ubuntu
What I have worked out today is it is to do with the search base: I have many OUs in my AD, and if I set it to EXACTLY the right search base ('OU=Users,OU=Horsham Group,DC=willsandco,DC=com') then I get one result back and all is well with the world - on BOTH old and new versions.
If I set the searchbase to 'DC=willsandco,DC=com', authldap fails outright on the new one and becomes intermittent on the old.
Doing each search using ldapsearch gives me a small clue: I can use either base and get a response, BUT the wider search base tells me there were actually 5 responses:
ldapsearch -x -D cn=Administrator,cn=Users,dc=willsandco,dc=com -W '(&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))'
# extended LDIF
#
# LDAPv3
# base <dc=willsandco,dc=com> (default) with scope subtree
# filter: (&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))
# requesting: ALL
#

# Oli Comber, Users, Horsham Group, willsandco.com
dn: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Oli Comber
sn: Comber
description: IT
givenName: Oli
distinguishedName: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=co
 m
instanceType: 4
whenCreated: 20081202141439.0Z
whenChanged: 20091012105255.0Z
displayName: Oli Comber
uSNCreated: 892005
memberOf: CN=IT,OU=UserGroups,DC=willsandco,DC=com
uSNChanged: 2370039
name: Oli Comber
objectGUID:: jYZhd0Ajek2fK69c2iYwTA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\pluto\HomeDirs\ocomber
homeDrive: Z:
badPasswordTime: 128994631088125000
lastLogoff: 0
lastLogon: 128994631117968750
pwdLastSet: 128993081843125000
primaryGroupID: 513
profilePath: \\venus\Profiles$\ocomber
objectSid:: AQUAAAAAAAUVAAAA9cRKrEAQsk8VFDDuWAgAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: ocomber
sAMAccountType: 805306368
userPrincipalName: ocom...@willsandco.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=willsandco,DC=com
dSCorePropagationData: 20090421140127.0Z
dSCorePropagationData: 20090421140127.0Z
dSCorePropagationData: 20090421140127.0Z
dSCorePropagationData: 20090421135004.0Z
dSCorePropagationData: 16010108151056.0Z
lastLogonTimestamp: 128998183757656250
mail: ol...@3ait.co.uk

# search reference
ref: ldap://DomainDnsZones.willsandco.com/DC=DomainDnsZones,DC=willsandco,DC=c
 om

# search reference
ref: ldap://ForestDnsZones.willsandco.com/DC=ForestDnsZones,DC=willsandco,DC=c
 om

# search reference
ref: ldap://willsandco.com/CN=Configuration,DC=willsandco,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
So I suspect my search is returning multiple results, where results are all smoke and mirrors coming from different parts of the tree, hence the "references". This is held up by the result of the search with a more restrictive base:
ldapsearch -x -D cn=Administrator,cn=Users,dc=willsandco,dc=com -W '(&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))' -b "OU=Users,OU=Horsham Group,dc=willsandco,dc=com"
The last bit reads:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
- Only 2 numResponses and no Search References.
The Active Directory Server has been set up here with an OU per site, with users under each OU. I believe this was for Group Policy reasons (but I suspect this may be unnecessary and could be achieved a different way).
Can anyone help me set up authldap to search multiple OUs and return a single result? Assuming the package I'm using is a few months out of date, is there anything in the latest release or CVS version for either using multiple bases or limiting search results(/using first search result)?
Thanks very much in advance for any help or advice!!
-- Oli Comber Systems Developer 3aIT Limited - Official Corporate Sponsor of the British Bobsleigh Team
4-10 Barttelot Rd Horsham West Sussex RH12 1DQ M: +44 (0)77255 82405 T: +44 (0)870 881 5097 F: +44 (0)870 116 0793
3aIT Limited is a company registered in England and Wales. CoReg: 3866698 VATReg: 771388600
Visit www.3aIT.co.uk for Design, Systems, Support
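
An added example, not part of the original post and not Courier's own code: a small parser for ldapsearch LDIF output that separates real entries from search references and fails closed unless exactly one entry matched, which is the property an authentication lookup needs. The sample input is constructed from the output quoted in the post (attributes trimmed); the function names are hypothetical.

```python
import re

# Constructed sample modelled on the ldapsearch output in the post (trimmed).
SAMPLE = """\
# base <dc=willsandco,dc=com> (default) with scope subtree

# Oli Comber, Users, Horsham Group, willsandco.com
dn: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=com
distinguishedName: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=co
 m
sAMAccountName: ocomber

# search reference
ref: ldap://DomainDnsZones.willsandco.com/DC=DomainDnsZones,DC=willsandco,DC=c
 om

# search reference
ref: ldap://ForestDnsZones.willsandco.com/DC=ForestDnsZones,DC=willsandco,DC=c
 om

# search reference
ref: ldap://willsandco.com/CN=Configuration,DC=willsandco,DC=com

# search result
result: 0 Success
"""

def unfold(text):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\n ", "", text)

def classify(text):
    """Return (entry DNs, referral URLs) found in ldapsearch LDIF output."""
    dns, refs = [], []
    for line in unfold(text).splitlines():
        if line.startswith("dn: "):
            dns.append(line[4:])
        elif line.startswith("ref: "):
            refs.append(line[5:])
    return dns, refs

def unique_dn(text):
    """DN to bind as, only if exactly one entry matched; referrals are not entries."""
    dns, _ = classify(text)
    if len(dns) != 1:
        raise LookupError(f"expected exactly 1 entry, got {len(dns)}")
    return dns[0]
```

On the sample, `classify` reports one entry and three references, matching the numEntries and numReferences counters in the quoted output.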