authldap active directory with multiple OUs

Hi guys,

I'm hoping someone here can help me stop tearing my hair out trying to authenticate against an Active Directory server with authldap!

I was originally trying to build an Ubuntu Hardy mailserver, authenticating and getting user details from AD. This seemed to be working, but was intermittent. When I installed the ldap-auth-config package, which is a meta package pulling in the pam and nss ldap elements and helps me configure them, it seemed to stop being intermittent. Didn't fully understand this, but...

Due to a policy change, we decided here to deploy against Ubuntu/Jaunty, so I've built a new test/dev server exactly the same, and found I cannot get it to auth. Trying the old server, I find it _is_ still intermittent, not fixed - just a bit better. Odd.

The Jaunty package authldap is 0.61.0-1+lenny and the Hardy version is 0.60.1-1ubuntu.

What I have worked out today is that it is to do with the search base: I have many OUs in my AD, and if I set it to EXACTLY the right search base ('OU=Users,OU=Horsham Group,DC=willsandco,DC=com') then I get one result back and all is well with the world - on BOTH old and new versions.

If I set the searchbase to 'DC=willsandco,DC=com', authldap fails outright on the new one and becomes intermittent on the old.

Doing each search using ldapsearch gives me a small clue: I can use either base and get a response, BUT the wider search base tells me there were actually 5 responses:

    ldapsearch -x -D cn=Administrator,cn=Users,dc=willsandco,dc=com -W '(&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))'

    # extended LDIF
    #
    # LDAPv3
    # base <dc=willsandco,dc=com> (default) with scope subtree
    # filter: (&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))
    # requesting: ALL
    #

    # Oli Comber, Users, Horsham Group, willsandco.com
    dn: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Oli Comber
    sn: Comber
    description: IT
    givenName: Oli
    distinguishedName: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=com
    instanceType: 4
    whenCreated: 20081202141439.0Z
    whenChanged: 20091012105255.0Z
    displayName: Oli Comber
    uSNCreated: 892005
    memberOf: CN=IT,OU=UserGroups,DC=willsandco,DC=com
    uSNChanged: 2370039
    name: Oli Comber
    objectGUID:: jYZhd0Ajek2fK69c2iYwTA==
    userAccountControl: 512
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    homeDirectory: \\pluto\HomeDirs\ocomber
    homeDrive: Z:
    badPasswordTime: 128994631088125000
    lastLogoff: 0
    lastLogon: 128994631117968750
    pwdLastSet: 128993081843125000
    primaryGroupID: 513
    profilePath: \\venus\Profiles$\ocomber
    objectSid:: AQUAAAAAAAUVAAAA9cRKrEAQsk8VFDDuWAgAAA==
    adminCount: 1
    accountExpires: 9223372036854775807
    logonCount: 3
    sAMAccountName: ocomber
    sAMAccountType: 805306368
    userPrincipalName: ocomber@...
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=willsandco,DC=com
    dSCorePropagationData: 20090421140127.0Z
    dSCorePropagationData: 20090421140127.0Z
    dSCorePropagationData: 20090421140127.0Z
    dSCorePropagationData: 20090421135004.0Z
    dSCorePropagationData: 16010108151056.0Z
    lastLogonTimestamp: 128998183757656250
    mail: oli@...

    # search reference
    ref: ldap://DomainDnsZones.willsandco.com/DC=DomainDnsZones,DC=willsandco,DC=com

    # search reference
    ref: ldap://ForestDnsZones.willsandco.com/DC=ForestDnsZones,DC=willsandco,DC=com

    # search reference
    ref: ldap://willsandco.com/CN=Configuration,DC=willsandco,DC=com

    # search result
    search: 2
    result: 0 Success

    # numResponses: 5
    # numEntries: 1
    # numReferences: 3

So I suspect my search is returning multiple results, where results are all smoke and mirrors coming from different parts of the tree, hence the "references". This is held up by the result of the search with a more restrictive base:

    ldapsearch -x -D cn=Administrator,cn=Users,dc=willsandco,dc=com -W '(&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))' -b "OU=Users,OU=Horsham Group,dc=willsandco,dc=com"

The last bit reads:

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

- Only 2 numResponses and no Search References.

The Active Directory server has been set up here with an OU per site, with users under each OU. I believe this was for Group Policy reasons (but I suspect this may be unnecessary and could be achieved a different way).

Can anyone help me set up authldap to search multiple OUs and return a single result? Assuming the package I'm using is a few months out of date, is there anything in the latest release or CVS version for either using multiple bases or limiting search results (/using first search result)?

Thanks very much in advance for any help or advice!!

Cheers,
-Oli

--
Oli Comber
Systems Developer
3aIT Limited - Official Corporate Sponsor of the British Bobsleigh Team
4-10 Barttelot Rd
Horsham
West Sussex
RH12 1DQ
M: +44 (0)77255 82405
T: +44 (0)870 881 5097
F: +44 (0)870 116 0793

3aIT Limited is a company registered in England and Wales. CoReg: 3866698 VATReg: 771388600
Visit www.3aIT.co.uk for Design, Systems, Support

Disclaimer: The information contained within this email is confidential and may be legally privileged. It is intended solely for the addressee. If you are not the intended recipient, any disclosure, copying or distribution of this email is prohibited and may be unlawful. The content of this email represents the views of the individual and not necessarily 3aIT Limited. 3aIT Limited reserves the right to monitor the content of all emails in accordance with lawful business practice. Whilst every effort is made to ensure that attachments are free from computer viruses before transmission, 3aIT Limited does not accept any liability in respect of any virus that is not detected. 3aIT Limited

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
courier-users mailing list
courier-users@...
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: authldap active directory with multiple OUs

Oli writes:

> Can anyone help me set up authldap to search multiple OUs and return a
> single result?

If you have multiple LDAP hierarchy trees, your LDAP design is not correct. Correct LDAP design uses a single LDAP hierarchy root.

> Assuming the package I'm using is a few months out of
> date, is there anything in the latest release or CVS version for either
> using multiple bases or limiting search results(/using first search result)?

No. You'll need to redesign your LDAP schema so that all relevant records are stored under a single root.
Re: authldap active directory with multiple OUs

Cool, thanks Sam.

Sam Varshavchik wrote:
> Oli writes:
>
>> Can anyone help me set up authldap to search multiple OUs and return a
>> single result?
>
> If you have multiple LDAP hierarchy trees, your LDAP design is not
> correct. Correct LDAP design uses a single LDAP hierarchy root.

Yeah, I thought this might be the case. This is Active Directory though, so it's probably not exactly a clean LDAP design...

I'm not sure I quite follow though - there's one LDAP root, but several OUs. The objects I'm searching for _appear_ to exist under several places... but this may not be the case and maybe I'm doing something else a bit wrong. It's a bit hard to tell. I'll try out phpldapadmin against the Active Directory; it might give me a bit more insight into how it's structured.

>> Assuming the package I'm using is a few months out of
>> date, is there anything in the latest release or CVS version for either
>> using multiple bases or limiting search results(/using first search
>> result)?
>
> No. You'll need to redesign your LDAP schema so that all relevant
> records are stored under a single root.

I'll have a go. Thanks for your help :-)

Cheers,
-Oli
Re: authldap active directory with multiple OUs - solved

Please excuse replying to my own post, and the top-posting... I think I've cracked it and this may help someone else out.

Oli wrote:
>
> What I have worked out today is it is to do with the search base: I
> have many OUs in my AD, and if I set it to EXACTLY the right search base
> ('OU=Users,OU=Horsham Group,DC=willsandco,DC=com') then I get one result
> back and all is well with the world - on BOTH old and new versions.
>
> If I set the searchbase to 'DC=willsandco,DC=com', authldap fails
> outright on new one and becomes intermittent on the old.
>
> Doing each search using ldapsearch gives me a small clue: I can use
> either base and get a response, BUT the wider search base tells me there
> were actually 5 responses:

This was the clue - the AD server is giving us referrals which need chasing.

After much putting of debug code in courier-authlib and general hacking around, I found the options being passed were all the same as for ldapsearch, but the way it works is a little different. I started setting various LDAP_ options for debugging, restarting failed connections etc., and also printing out the error responses from ldap_search_ext_s (useless - just tells me 'Operations Error').

Then I stumbled across this in the manual page:

"The LDAP libraries with the LDAP_OPT_REFERRALS option set to LDAP_OPT_ON (default value) automatically follow referrals using an anonymous bind. Application developers are encouraged to either implement consistent referral chasing features, or explicitly disable referral chasing by setting that option to LDAP_OPT_OFF."

As soon as I set the option for not implicitly chasing referrals, I get the correct result.

So basically, I need to allow anonymous binds to my AD, or for Courier-authlib to not implicitly chase referrals, or for it to explicitly chase but rebind properly to each URL.

If I get a chance, I'll try to patch in an option for turning off implicit referral chasing from the config file.

Hope this is useful to someone :-)

Cheers,
-Oli
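The diagnosis in the first post (one entry plus three search references when the base is the domain root) and the explanation in this post (libldap following those references with an anonymous bind) both turn on telling entries apart from referrals in what the server returns. The Python script below is an added example, not code from the thread or from courier-authlib: it parses the LDIF that ldapsearch prints, unfolds LDIF continuation lines (the source of the "DC=co" / " m" split seen above), separates entries from referrals, cross-checks the numResponses/numEntries/numReferences trailer, and lists the hosts a referral-chasing client would have to bind to. The sample input is a constructed, abbreviated copy of the wide-base output quoted in the first post. Two background facts worth knowing when reading it: OpenLDAP's ldapsearch does not chase referrals unless run with -C, which is why the command line succeeds where a libldap client with LDAP_OPT_REFERRALS at its default of LDAP_OPT_ON fails; and in a C client the equivalents of the fixes listed above are ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF) or installing an authenticated rebind callback with ldap_set_rebind_proc(), both of which avoid opening anonymous bind on the directory.

```python
"""Classify ldapsearch LDIF output into entries and search references.

Added example; not code from the thread or from courier-authlib. The
sample below is a constructed, abbreviated copy of the wide-base search
in the thread, with lines folded exactly as ldapsearch prints them
(a continuation line starts with a single space).
"""
import base64
import re
from urllib.parse import urlsplit

SAMPLE_LDIF = """\
# base <dc=willsandco,dc=com> (default) with scope subtree
# filter: (&(&(objectClass=user)(userAccountControl=512))(sAMAccountName=ocomber))

# Oli Comber, Users, Horsham Group, willsandco.com
dn: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=com
cn: Oli Comber
distinguishedName: CN=Oli Comber,OU=Users,OU=Horsham Group,DC=willsandco,DC=co
 m
objectGUID:: jYZhd0Ajek2fK69c2iYwTA==
sAMAccountName: ocomber

# search reference
ref: ldap://DomainDnsZones.willsandco.com/DC=DomainDnsZones,DC=willsandco,DC=c
 om

# search reference
ref: ldap://ForestDnsZones.willsandco.com/DC=ForestDnsZones,DC=willsandco,DC=c
 om

# search reference
ref: ldap://willsandco.com/CN=Configuration,DC=willsandco,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
"""

# attribute name, ':' (plain value) or '::' (base64 value), then the value
ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def unfold(text):
    """Join LDIF continuation lines: a line beginning with one space
    continues the previous line (this is how 'DC=co' / ' m' arises)."""
    return re.sub(r"\n ", "", text)


def parse_ldapsearch(text):
    """Return (entries, referrals, trailer).

    entries:   list of dicts; 'dn' is a str, other attributes are lists
               of str (bytes for base64 '::' values)
    referrals: list of referral URLs from '# search reference' blocks
    trailer:   the '# numX: N' counters as ints
    """
    entries, referrals, trailer = [], [], {}
    current = None
    for line in unfold(text).splitlines():
        if line.startswith("# num"):
            key, _, value = line[2:].partition(": ")
            trailer[key] = int(value)
            continue
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line ends the current record
            if current:
                entries.append(current)
            current = None
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value)
        if attr == "dn":
            current = {"dn": value}
        elif attr == "ref":
            referrals.append(value)
        elif current is not None:       # 'search:'/'result:' belong to no entry
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries, referrals, trailer


def check_counts(entries, referrals, trailer):
    """Cross-check the trailer: ldapsearch counts the final search-result
    message as a response and omits numReferences when it is zero."""
    expected = {
        "numEntries": len(entries),
        "numReferences": len(referrals),
        "numResponses": len(entries) + len(referrals) + 1,
    }
    return all(trailer.get(k, 0) == v for k, v in expected.items())


def select_single_entry(entries):
    """An authenticator needs exactly one match; referrals are not matches."""
    if len(entries) != 1:
        raise LookupError("expected exactly one entry, got %d" % len(entries))
    return entries[0]


def referral_hosts(referrals):
    """Servers a client would have to (re)bind to if it chased referrals."""
    return sorted({urlsplit(r).hostname for r in referrals})


if __name__ == "__main__":
    ents, refs, tr = parse_ldapsearch(SAMPLE_LDIF)
    print("entries:", len(ents), "referrals:", len(refs),
          "trailer consistent:", check_counts(ents, refs, tr))
    print("matched:", select_single_entry(ents)["dn"])
    for host in referral_hosts(refs):
        print("referral target needing its own bind:", host)
```

Run it on saved ldapsearch output (`parse_ldapsearch(open("out.ldif").read())`) for any candidate search base: if `referral_hosts()` comes back empty, that base will not trigger referral chasing at all, which is the condition the narrow base in the first post satisfies. The DomainDnsZones, ForestDnsZones and Configuration targets listed for the domain-root base are the Active Directory application and configuration partitions, so the single user entry was never behind a referral; a client that ignores the references, or binds to each target with real credentials, gets the same one entry that ldapsearch shows.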
Re: authldap active directory with multiple OUs - solved

And just for REALLY bad list form, one more top post in case it's helpful:

This is on Windows Server 2003, and allowing anonymous bind requires a nasty registry change which we're not comfortable with here. To make this work, we're merging the OUs and doing the group policy a different way - which means we'll be able to search from a base of ou=WillsUsers,dc=willsandco,dc=com and get NO referrals.

I suspect any search using a base = the real LDAP base of the AD server will generate referrals and will currently fail with courier-authlib ('0.61.0-1+lenny1ubuntu1' - Jaunty). If you need authlib to search from the real base, you'll need it to be patched as described below - no referrals or doing its own authenticated referral chasing.

Hope this helps someone out :-)

Cheers,
-Oli

Oli wrote:
<snip>
> As soon as I set the option for not implicitly chasing referrals, I get
> the correct result.
>
> So basically, I need to allow anonymous binds to my AD, or for
> Courier-authlib to not implicitly chase referrals, or for it to
> explicitly chase but rebind properly to each URL.
>
> If I get a chance, I'll try to patch in an option for turning off
> implicit referral chasing from the config file.
>
> Hope this is useful to someone :-)
>
> Cheers,
> -Oli