
turn on bind when querying ldap referral

Reinaldo de Carvalho, Message 1 of 3, May 2, 2009
      Hi,

      A company has an Active Directory with sub-domains, and when Postfix
      queries the main LDAP server, if the user isn't present on this server, it
      receives referrals for the sub-domain LDAP servers. When
      chase_referrals is turned on, Postfix tries to connect to the sub-domain LDAP servers, but
      doesn't do a bind operation, and can't query the servers.

      ldap_domain = example.com
      ldap_bind = yes
      ldap_bind_dn = rei@...
      ldap_bind_pw = password
      ldap_server_host = 192.168.4.13
      ldap_version = 3
      ldap_chase_referrals = yes
      ldap_search_base = DC=cdp
      ldap_query_filter = (&(objectClass=person)(sAMAccountName=%u))
      ldap_result_attribute = sAMAccountName
      ldap_result_format = %s@...

      Tcpdump...
      192.168.4.13 is a master ldap server
      192.168.2.7 is a sub-domain ldap server



      16:46:07.484330 IP 192.168.4.23.41888 > 192.168.4.13.389: P 1:42(41)
      ack 1 win 92 <nop,nop,timestamp 3415653 0>
      ......RAi......\.......
      .4.e....0'...`".....rei@.... password
      16:46:07.485520 IP 192.168.4.13.389 > 192.168.4.23.41888: P 1:23(22)
      ack 42 win 65494 <nop,nop,timestamp 15278934 3415653>
      ........i.....Rj.....j.....
      ..#V.4.e0........a.....
      ......

      ###### BIND OK ON MASTER #######


      16:46:07.485546 IP 192.168.4.23.41888 > 192.168.4.13.389: . ack 23 win
      92 <nop,nop,timestamp 3415654 15278934>
      ......Rji..,...\.......
      .4.f..#V
      16:46:07.486064 IP 192.168.4.23.41888 > 192.168.4.13.389: P
      42:152(110) ack 23 win 92 <nop,nop,timestamp 3415654 15278934>
      ......Rji..,...\.;.....
      .4.f..#V0l...cg..DC=cdp
      ..
      .......
      ..../....objectClass..person....sAMAccountName..rei0...sAMAccountName
      16:46:07.486304 IP 192.168.4.13.389 > 192.168.4.23.41888: P
      23:355(332) ack 152 win 65384 <nop,nop,timestamp 15278934 3415654>
      ........i..,..R....hM......
      ..#V.4.f0....;...s....2.0ldap://192.168.2.7/DC=pvc,DC=cdp0....Q...s....H.Fldap://ForestDnsZones.cdp/DC=ForestDnsZones,DC=cdp0....Q...s....H.Fldap://DomainDnsZones.cdp/DC=DomainDnsZones,DC=cdp0....A...s....8.6ldap://cdp/CN=Configuration,DC=cdp0........e.....
      ......
      16:46:07.486735 IP 192.168.4.23.37455 > 192.168.2.7.389: S
      3745197042:3745197042(0) win 5840 <mss 1460,sackOK,timestamp 3415654
      0,nop,wscale 6>
      E..<5.@.@.}..........O...;+..........%.........

      ###### GOT REFERRALS FROM MASTER #######

      E...5.@.@.}H.........O...;,...z4...\.......
      .4......0s...cn..DC=pvc,DC=cdp
      ..
      .......
      ..../....objectClass..person....sAMAccountName..rei0...sAMAccountName
      16:46:07.685929 IP 192.168.2.7.389 > 192.168.4.23.37455: P 23:196(173)
      ack 132 win 64109 <nop,nop,timestamp 13548259 3415688>
      E.....@.}.a............O..z4.;,v...m.......
      .....4..0........e.....
      ..........00000000: LdapErr: DSID-0C090627, comment: In order to
      perform this operation a successful bind must be completed on the
      connection., data 0, vece.


      ###### DON'T BIND ON 192.168.2.7 #######

      --
      Reinaldo de Carvalho
      http://korreio.sf.net
      http://python-cyrus.sf.net
    Victor Duchovni, Message 2 of 3, May 3, 2009
        On Sat, May 02, 2009 at 08:02:43PM -0300, Reinaldo de Carvalho wrote:

        > A company have a active directory with sub-domains and when postfix
        > query the main ldap server, if user don't present on this server, its
        > receive referrals for sub-domains ldap servers. When turn on
        > chase_referrals, postfix try connect to sub-domain ldap servers, but
        > don't do bind operation, and can't query the servers.

        Yes, Postfix has no crystal ball to predict what DN/password to use with a
        random referral server, so binding to referral servers is not supported.

        If you use referrals, don't require binds. If you require binds, don't
        use referrals, and tell Postfix about which queries to send to which
        server(s).

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
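        As an added example (not from the thread), here is the per-server layout Viktor describes: one Postfix LDAP table per domain, each binding directly to the server that holds that domain, with referral chasing switched off so a miss in the root domain simply falls through to the next table. It uses the modern ldap_table(5) file syntax rather than the deprecated main.cf ldap_ prefixes in the first message. The hosts and search bases are the ones visible in the tcpdump above; the bind DNs and passwords are constructed placeholders.

```conf
# /etc/postfix/ldap-cdp.cf  -- root domain DC=cdp, served by 192.168.4.13
server_host = ldap://192.168.4.13
version = 3
bind = yes
# constructed placeholder: a dedicated read-only account in the root domain
bind_dn = CN=postfix-lookup,CN=Users,DC=cdp
bind_pw = CHANGE-ME-root-domain-password
# do not follow the SearchResultReference entries AD returns for child domains;
# a user that lives in pvc.cdp is found by the second table instead
chase_referrals = no
search_base = DC=cdp
scope = sub
domain = example.com
query_filter = (&(objectClass=person)(sAMAccountName=%u))
result_attribute = sAMAccountName
result_format = %s@example.com

# /etc/postfix/ldap-pvc.cf  -- sub-domain DC=pvc,DC=cdp, served by 192.168.2.7
server_host = ldap://192.168.2.7
version = 3
bind = yes
# constructed placeholder: credentials valid in the child domain itself
bind_dn = CN=postfix-lookup,CN=Users,DC=pvc,DC=cdp
bind_pw = CHANGE-ME-child-domain-password
chase_referrals = no
search_base = DC=pvc,DC=cdp
scope = sub
domain = example.com
query_filter = (&(objectClass=person)(sAMAccountName=%u))
result_attribute = sAMAccountName
result_format = %s@example.com

# /etc/postfix/main.cf  -- tables are consulted left to right, first match wins
virtual_mailbox_maps = ldap:/etc/postfix/ldap-cdp.cf, ldap:/etc/postfix/ldap-pvc.cf
```

        Test each table on its own with `postmap -q rei ldap:/etc/postfix/ldap-pvc.cf`; a lookup that fails with the "a successful bind must be completed" error seen in the tcpdump then points at wrong credentials for that table rather than at referrals. Where every attribute the filter and result need is replicated to the Global Catalog (sAMAccountName is by default), a single table with `server_host = ldap://192.168.4.13:3268` covers the whole forest with one bind and no referrals at all.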
      Reinaldo de Carvalho, Message 3 of 3, May 4, 2009
          On Mon, May 4, 2009 at 2:09 AM, Victor Duchovni
          <Victor.Duchovni@...> wrote:
          > On Sat, May 02, 2009 at 08:02:43PM -0300, Reinaldo de Carvalho wrote:
          >
          >> A company have a active directory with sub-domains and when postfix
          >> query the main ldap server, if user don't present on this server, its
          >> receive referrals for sub-domains ldap servers. When turn on
          >> chase_referrals, postfix try connect to sub-domain ldap servers, but
          >> don't do bind operation, and can't query the servers.
          >
          > Yes, Postfix has no crystal ball to predict what DN/password to use with a
          > random referral server, so binding to referral servers is not supported.
          >
          > If you use referrals, don't require binds. If you require binds, don't
          > use referrals, and tell Postfix about which queries to send to which
          > server(s).
          >
          > --
          >        Viktor.
          >

          Hi Viktor,

          It would be interesting to have an option (in libldap) to enable
          bind with the same DN / password for referrals, or something like an array
          with hostname/user/password (like a table lookup).

          Meanwhile, it is possible to enable anonymous bind on the targets of the referrals:
          http://www.novell.com/coolsolutions/appnote/15120.html

          []s

          --
          Reinaldo de Carvalho
          http://korreio.sf.net
          http://python-cyrus.sf.net