Re: [exim] Compiling and using exim with LDAP on Solaris wit…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Robert Bannocks
Dátum:  
Címzett: Christian Kuehn
CC: exim-users
Tárgy: Re: [exim] Compiling and using exim with LDAP on Solaris with Solarios LDAP libraries
The problem turned out to be that Exim cannot handle references coming
back from the AD ldap servers.
I hope fixing this is down on the TO-do list for exim.

To avoid this (as far as I can recollect this works for both Openldap
and Sun's LDAP libraries) then you need to use the Global Catalouge LDAP
(GCs) server which hold all the info you need and do not confuse Exim
with references. The GCs run on port 3268. So you need your
ldap_default_servers as

ldap_default_servers =< domain-control1.yoursite.com:3268

Or an equivlent string in the query

Hope that helps.

Regards

RB
> -----Original Message-----
> From: Christian Kuehn [mailto:christian@hamburg.gay-web.de]
> Sent: 04 December 2006 15:14
> To: Robert Bannocks
> Cc: exim-users@???
> Subject: Re: [exim] Compiling and using exim with LDAP on
> Solaris with Solarios LDAP libraries
>
> I have the same problem now, libldap from Solaris10 returns
> the correct answer, but the return-code 94 and the exim-lookup fails.
>
> Any solutions ??
>
> Kind Regards
> Christian
>
> Robert Bannocks wrote:
> > I have build EXIM with LDAP support from Solaris. There is
> a problem
> > however - Exim or the solaris LDAP libraries
> >
> > Do not follow referrals correctly. I have compiled exim
> against Open
> > ldap and the referrals work here.
> >
> >
> >
> > I will detail what I am finding.
> >
> >
> >
> >
> >
> > /usr/bin/ldapsearch -h somehost -w 'password' -D
> > 'CN=someuser,OU=someou,DC=nhm,DC=ac,DC=uk' -b
> 'DC=nhm,dc=ac,dc=uk' -R
> >
> '(&(objectclass=person)(&(sAMAccountName=tested-user)(msExchUserAccoun
> > tC ontrol=0)))' mail dn samaccountname; echo $?
> >
> > CN=Robert Bannocks,OU=SomeOU,DC=nhm,DC=ac,DC=uk
> >
> > mail=R.Bannocks@???
> >
> > sAMAccountName=robert
> >
> > ldap_parse_result: No results returned
> >
> > 1
> >
> >
> >
> > And the an error is returned - note this.
> >
> >
> >
> > Now with the openldap version of things
> >
> >
> >
> > /usr/local/opt/openldap/openldap-2.3.27/bin/ldapsearch -h
> somehost -w
> > password' -D 'CN=someuser,OU=someou,DC=nhm,DC=ac,DC=uk' -b
> > 'DC=nhm,dc=ac,dc=uk'
> >
> '(&(objectclass=person)(&(sAMAccountName=tested-user)(msExchUserAccoun
> > tC ontrol=0)))' mail dn samaccountname; echo $?
> >
> > # extended LDIF
> >
> > #
> >
> > # LDAPv3
> >
> > # base <DC=nhm,dc=ac,dc=uk> with scope subtree
> >
> > # filter:
> >
> (&(objectclass=person)(&(sAMAccountName=tested-user)(msExchUserAccount
> > Co
> > ntrol=0)))
> >
> > # requesting: mail dn samaccountname
> >
> > #
> >
> >
> >
> > # Robert Bannocks, SomeOU, nhm.ac.uk
> >
> > dn: CN=Robert Bannocks,OU=SomeOU,DC=nhm,DC=ac,DC=uk
> >
> > mail: R.Bannocks@???
> >
> > sAMAccountName: robert
> >
> >
> >
> > # search reference
> >
> > ref: ldap://nhm.ac.uk/CN=Some Configuration,DC=nhm,DC=ac,DC=uk
> >
> >
> >
> > # search result
> >
> > search: 2
> >
> > result: 0 Success
> >
> >
> >
> > # numResponses: 3
> >
> > # numEntries: 1
> >
> > # numReferences: 1
> >
> > 0
> >
> >
> >
> > Here the exit code is 0 and there has been a reference.
> When it comes
> > to using EXIM I have a router as follows:
> >
> >
> >
> > ad_router:
> >
> > driver=redirect
> >
> > hide condition = ${lookup ldapdn { user=someuser pass=password \
> >
> >
> >
> ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=${quote_ldap:$local_pa
> > rt
> > })}}
> >
> >
> >
> > data = $local_part@???
> >
> > no_more
> >
> >
> >
> > This validates the recipient user addresses in LDAP.
> >
> >
> >
> > With the version of EXIM compiled against OpenLDAP this works:
> >
> >
> >
> > 17:26:28 18195 --------> ad_router router <--------
> >
> > 17:26:28 18195 local_part=tested-user domain=somesubdomain.nhm.ac.uk
> >
> > 17:26:28 18195 checking "condition"
> >
> > 17:26:28 18195 expanding: $local_part
> >
> > 17:26:28 18195    result: tested-user

> >
> > 17:26:28 18195 expanding: user=someuser pass=password
> >
> ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=${quote_ldap:$local_pa
> > rt
> > })
> >
> > 17:26:28 18195    result:  user=someuser pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=tested-user)

> >
> > 17:26:28 18195 search_open: ldapdn "NULL"
> >
> > 17:26:28 18195 search_find: file="NULL"
> >
> > 17:26:28 18195 key="user=someuser pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=tested-user)"
> > partial=-1 affix=NULL starflags=0
> >
> > 17:26:28 18195 LRU list:
> >
> > 17:26:28 18195 internal_search_find: file="NULL"
> >
> > 17:26:28 18195 type=ldapdn key="user=someuser pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=tested-user)"
> >
> > 17:26:28 18195 database lookup required for user=someuser
> > pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=tested-user)
> >
> > 17:26:28 18195 LDAP parameters: user=Someuser pass=password size=0
> > time=0 connect=0 dereference=0 referrals=on
> >
> > 17:26:28 18195 perform_ldap_search: ldapdn URL =
> > "ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=tested-user)"
> > server=somehost.nhm.ac.uk port=0 sizelimit=0 timelimit=0 tcplimit=0
> >
> > 17:26:28 18195 after ldap_url_parse: host=someuser.nhm.ac.uk port=0
> >
> > 17:26:28 18195 ldap_initialize with URL
> ldap://somehost.nhm.ac.uk:389/
> >
> > 17:26:28 18195 initialized for LDAP (v3) server
> somehost.nhm.ac.uk:389
> >
> > 17:26:28 18195 LDAP_OPT_X_TLS_TRY set
> >
> > 17:26:28 18195 binding with user=Someuser password=password
> >
> > 17:26:28 18195 Start search
> >
> > 17:26:28 18195 ldap_result loop
> >
> > 17:26:28 18195 LDAP entry loop
> >
> > 17:26:28 18195 search ended by ldap_result yielding 115
> >
> > 17:26:28 18195 ldap_parse_result: -14
> >
> > 17:26:28 18195 ldap_parse_result yielded 0: Success
> >
> > 17:26:28 18195 LDAP search: returning: CN=Robert
> > Bannocks,OU=SomeOU,DC=nhm,DC=ac,DC=uk
> >
> > 17:26:28 18195 lookup yielded: CN=Robert
> > Bannocks,OU=SomeOU,DC=nhm,DC=ac,DC=uk
> >
> > 17:26:28 18195 expanding: ${lookup ldapdn { user=Someuser
> > pass=password
> >
> ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=${quote_ldap:$local_pa
> > rt
> > })}}
> >
> > 17:26:28 18195    result: CN=Robert
> > Bannocks,OU=SomeOU,DC=nhm,DC=ac,DC=uk

> >
> > 17:26:28 18195 calling ad_router router
> >
> > 17:26:28 18195 rda_interpret (string): $local_part@???
> >
> > 17:26:28 18195 expanding: $local_part@???
> >
> > 17:26:28 18195    result: tested-user@???

> >
> > 17:26:28 18195 expanded: tested-user@???
> >
> > 17:26:28 18195 file is not a filter file
> >
> > 17:26:28 18195 parse_forward_list: tested-user@???
> >
> > 17:26:28 18195 extract item: tested-user@???
> >
> > 17:26:28 18195 ad_router router generated tested-user@???
> >
> > 17:26:28 18195 errors_to=NULL transport=NULL
> >
> > 17:26:28 18195 uid=unset gid=unset home=NULL
> >
> > 17:26:28 18195 routed by ad_router router
> >
> > 17:26:28 18195 envelope to: tested-user@???
> >
> > 17:26:28 18195 transport: <none>
> >
> > 17:26:28 18195 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> >
> > 17:26:28 18195 Considering tested-user@???
> >
> > 17:26:28 18195 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> >
> >
> >
> > Output cut but Exim sucessfullt follows the reroute.
> >
> >
> >
> > With the version compiled against Solaris LDAP libraries on
> the same
> > test I get:
> >
> >
> >
> > 17:34:52 18202 Testing someuser@???
> >
> > 17:34:52 18202 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> >
> > 17:34:52 18202 Considering someuser@???
> >
> > 17:34:52 18202 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> >
> > 17:34:52 18202 routing someuser@???
> >
> > 17:34:52 18202 --------> dnslookup router <--------
> >
> > 17:34:52 18202 local_part=someuser domain=somesubdomain.nhm.ac.uk
> >
> > 17:34:52 18202 checking domains
> >
> > 17:34:52 18202 somesubdomain.nhm.ac.uk in "@"? yes (matched "@")
> >
> > 17:34:52 18202 somesubdomain.nhm.ac.uk in "! +local_domains"? no
> > (matched "! +local_domains")
> >
> > 17:34:52 18202 dnslookup router skipped: domains mismatch
> >
> > 17:34:52 18202 --------> ad_router router <--------
> >
> > 17:34:52 18202 local_part=someuser domain=somesubdomain.nhm.ac.uk
> >
> > 17:34:52 18202 checking "condition"
> >
> > 17:34:52 18202 expanding: $local_part
> >
> > 17:34:52 18202    result: someuser

> >
> > 17:34:52 18202 expanding: user=Someuser pass=password
> >
> ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=${quote_ldap:$local_pa
> > rt
> > })
> >
> > 17:34:52 18202    result:  user=Someuser pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=someuser)

> >
> > 17:34:52 18202 search_open: ldapdn "NULL"
> >
> > 17:34:52 18202 search_find: file="NULL"
> >
> > 17:34:52 18202 key="user=Someuser pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=someuser)"
> partial=-1
> > affix=NULL starflags=0
> >
> > 17:34:52 18202 LRU list:
> >
> > 17:34:52 18202 internal_search_find: file="NULL"
> >
> > 17:34:52 18202 type=ldapdn key="user=Someuser pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=someuser)"
> >
> > 17:34:52 18202 database lookup required for user=Someuser
> > pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=someuser)
> >
> > 17:34:52 18202 LDAP parameters: user=Someuser pass=password size=0
> > time=0 connect=0 dereference=0 referrals=on
> >
> > 17:34:52 18202 perform_ldap_search: ldapdn URL =
> > "ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=someuser)"
> > server=somehost.nhm.ac.uk port=0 sizelimit=0 timelimit=0 tcplimit=0
> >
> > 17:34:52 18202 after ldap_url_parse: host=somehost.nhm.ac.uk port=0
> >
> > 17:34:52 18202 initialized for LDAP (v3) server
> somehost.nhm.ac.uk:389
> >
> > 17:34:52 18202 binding with user=Someuser password=password
> >
> > 17:34:52 18202 Start search
> >
> > 17:34:52 18202 ldap_result loop
> >
> > 17:34:52 18202 LDAP entry loop
> >
> > 17:34:52 18202 search ended by ldap_result yielding 115
> >
> > 17:34:52 18202 ldap_parse_result: 94
> >
> > 17:34:52 18202 ldap_parse_result yielded 115: Unknown error
> >
> > 17:34:52 18202 LDAP search failed - error 115: Unknown error
> >
> > 17:34:52 18202 lookup deferred: LDAP search failed - error 115:
> > Unknown error
> >
> > 17:34:52 18202 failed to expand: ${lookup ldapdn { user=Someuser
> > pass=password
> >
> ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=${quote_ldap:$local_pa
> > rt
> > })}}
> >
> > 17:34:52 18202    error message: lookup of "user=Someuser 
> pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=someuser)" 
> gave DEFER:
> > LDAP search failed - error 115: Unknown error

> >
> > 17:34:52 18202 condition check lookup defer
> >
> > someuser@??? cannot be resolved at this time:
> >
> > condition check lookup defer
> >
> > 17:34:52 18202 search_tidyup called
> >
> > 17:34:52 18202 unbind LDAP connection to somehost.nhm.ac.uk:389
> >
> > 17:34:52 18202 >>>>>>>>>>>>>>>> Exim pid=18202 terminating with rc=1
> >
> >
> >
> > The key difference here is the part:
> >
> >
> >
> > 17:34:52 18202 search ended by ldap_result yielding 115
> >
> > 17:34:52 18202 ldap_parse_result: 94
> >
> > 17:34:52 18202 ldap_parse_result yielded 115: Unknown error
> >
> > 17:34:52 18202 LDAP search failed - error 115: Unknown error
> >
> > 17:34:52 18202 lookup deferred: LDAP search failed - error 115:
> > Unknown error
> >
> > 17:34:52 18202 failed to expand: ${lookup ldapdn { user=Someuser
> > pass=password
> >
> ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=${quote_ldap:$local_pa
> > rt
> > })}}
> >
> > 17:34:52 18202    error message: lookup of "user=Someuser 
> pass=password
> > ldap:///DC=nhm,DC=ac,DC=uk??sub?(sAMAccountName=someuser)" 
> gave DEFER:
> > LDAP search failed - error 115: Unknown error

> >
> > 17:34:52 18202 condition check lookup defer
> >
> > someuser@??? cannot be resolved at this time:
> >
> > condition check lookup defer
> >
> > 17:34:52 18202 search_tidyup called
> >
> > 17:34:52 18202 unbind LDAP connection to somehost.nhm.ac.uk:389
> >
> > 17:34:52 18202 >>>>>>>>>>>>>>>> Exim pid=18202 terminating with rc=1
> >
> >
> >
> > I would much prefer to have LDAP compiled against Solaris' LDAP
> > libraries. Can anyone assist.
> >
> >
> >
> > Regards.
> >
> >
> >
> > Rob
> >
> >
> >
> >
> >
>
> --
> Christian Kuehn
> Manstadtsweg 8, 22309 Hamburg
> Tel. +49 40 40197232
> Fax. +49 40 40197230
> eMail: christian@???
>