Searching a different ou

by The_Q

Hi,

      In order to reduce the number of spam e-mails that our users get, I have been working on setting up a new mail server for the college that I work for. Users' information is stored in LDAP and postfix authenticates mail users through PAM, which in turn uses its LDAP module. This works for the majority of the email accounts, with postfix rejecting invalid users and accepting those that do have an account. However, there are a few email accounts that are shared by several individuals and are stored differently in ldap.  The users that are able to properly have mail delivered to them return the following when I perform an LDAP search:

dn: cn=someuser,ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu

While those that have mail rejected by postfix return this:

dn: cn=someuser,ou=mail,ou=caedm,dc=et,dc=byu,dc=edu

with the cn being replaced by the various users trying to send or receive mail.

      To figure out why the difference of ou=accounts and ou=mail did not cause a problem with the mail servers that were previously in production, I checked the logs on the ldap server, and the following is the query that is sent by the new mail server.

slapd[5678]: conn=1410207 op=35 SRCH base="ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=someuser))"

and this is the query sent by the old mail server.

slapd[5683]: conn=1435049 op=2 SRCH base="ou=caedm,dc=et,dc=byu,dc=edu" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=someuser))"

       My question is where is it that I would specify to search using only "ou=caedm" rather than "ou=accounts,ou=caedm" so that these users can use mail on the new server. The /etc/ldap.conf file is identical between the old and new mail servers, and I'm not sure where else to look.

Thanks in advance

Re: Searching a different ou

by Andrew Morgan

On Mon, 16 Apr 2007, The_Q wrote:

> Hi,
>
>      In order to reduce the number of spam e-mails that our users get, I
> have been working on setting up a new mail server for the college that I
> work for. Users' information is stored in LDAP and postfix authenticates
> mail users through PAM, which in turn uses its LDAP module. This works for
> the majority of the email accounts, with postfix rejecting invalid users and
> accepting those that do have an account. However, there are a few email
> accounts that are shared by several individuals and are stored differently
> in ldap.  The users that are able to properly have mail delivered to them
> return the following when I perform an LDAP search:
>
> dn: cn=someuser,ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu
>
> While those that have mail rejected by postfix return this:
>
> dn: cn=someuser,ou=mail,ou=caedm,dc=et,dc=byu,dc=edu
>
> with the cn being replaced by the various users trying to send or receive
> mail.
>
>      To figure out why the difference of ou=accounts and ou=mail did not
> cause a problem with the mail servers that were previously in production, I
> checked the logs on the ldap server, and the following is the query that is
> sent by the new mail server.
>
> slapd[5678]: conn=1410207 op=35 SRCH
> base="ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uid=someuser))"
>
> and this is the query sent by the old mail server.
>
> slapd[5683]: conn=1435049 op=2 SRCH base="ou=caedm,dc=et,dc=byu,dc=edu"
> scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=someuser))"
>
>       My question is where is it that I would specify to search using only
> "ou=caedm" rather than "ou=accounts,ou=caedm" so that these users can use
> mail on the new server. The /etc/ldap.conf file is identical between the old
> and new mail servers, and I'm not sure where else to look.

Debian Linux puts the pam-ldap config in /etc/pam_ldap.conf.  You don't
say which Linux distro you are using, but perhaps your distro is doing
something similar?

  Andy

Re: Searching a different ou

by The_Q

Both the old and the new servers are using debian, but both are using the same /etc/ldap.conf file. If I edit the base line in the /etc/ldap.conf file from

base dc=et,dc=byu,dc=edu

to

base ou=caedm,dc=et,dc=byu,dc=edu

none of the users are able to authenticate.


Perhaps it is these entries that are to blame? I don't see anywhere else in the file where ou=caedm has been specified, but even on these lines, it doesn't specify to search with ou=accounts.

nss_base_passwd ou=caedm,dc=et,dc=byu,dc=edu?sub
nss_base_shadow ou=caedm,dc=et,dc=byu,dc=edu?sub
nss_base_group ou=groups,ou=caedm,dc=et,dc=byu,dc=edu?sub

--
Quentin Smith

Re: Searching a different ou

by Andrew Morgan

On Tue, 17 Apr 2007, Quentin Smith wrote:

> Both the old and the new servers are using debian, but both are using the
> same /etc/ldap.conf file. If I edit the base line in the /etc/ldap.conf file
> from
>
> base dc=et,dc=byu,dc=edu
>
> to
>
> base ou=caedm,dc=et,dc=byu,dc=edu
>
> none of the users are able to authenticate.
>
>
> Perhaps it is these entries that are to blame? I don't see anywhere else in
> the file where ou=caedm has been specified, but even on these lines, it
> doesn't specify to search with ou=accounts.
>
> nss_base_passwd ou=caedm,dc=et,dc=byu,dc=edu?sub
> nss_base_shadow ou=caedm,dc=et,dc=byu,dc=edu?sub
> nss_base_group ou=groups,ou=caedm,dc=et,dc=byu,dc=edu?sub

Debian's packages for libnss-ldap and libpam-ldap do NOT use
/etc/ldap.conf.  That file is for configuring your OpenLDAP server.  Have
a look at /etc/pam_ldap.conf and /etc/libnss-ldap.conf.

  Andy

Re: Searching a different ou

by The_Q

Thanks Andy, on the new server, there is in fact a libnss_ldap.conf file, while on the old there is not. Editing the following lines from

nss_base_passwd ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu?sub
nss_base_shadow ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu?sub

to

nss_base_passwd ou=caedm,dc=et,dc=byu,dc=edu?sub
nss_base_shadow ou=caedm,dc=et,dc=byu,dc=edu?sub

fixed the problem. Thank you all for your help.

--
Quentin Smith
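An added illustration of the mechanism behind Andy's answer and the final nss_base_passwd fix (this is example code, not anything posted in the thread or shipped with libnss-ldap). It models how a `base?scope` setting, or the `base=... scope=...` pair that slapd logs for each SRCH, decides which entries a lookup can reach: a base of `ou=accounts,ou=caedm,...` with subtree scope never sees an entry under `ou=mail,ou=caedm,...`, so PAM cannot find those users and the login fails. The helper names (`parse_dn`, `dn_in_scope`, `parse_nss_base`, `parse_srch_log`, `visible_entries`, `lost_entries`) are invented for the example, the `cn=shared,ou=mail,...` entry is constructed, and the DN comparison uses simple case-insensitive matching rather than full RFC 4514 normalisation. It also generalises past the thread by handling the `base` and `one` scopes, which would hide even the ordinary accounts.

```python
"""Model how an nss_base_* 'base?scope' setting (or the base/scope of a
slapd SRCH log line) limits which LDAP entries a lookup can reach.
Added example; all helper names are invented for illustration."""
import re
from typing import List, Tuple

# Constructed sample entries shaped like the DNs in the thread.
DNS = [
    "cn=someuser,ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu",  # ordinary account
    "cn=shared,ou=mail,ou=caedm,dc=et,dc=byu,dc=edu",        # shared mailbox (constructed)
]
# The two libnss-ldap settings compared in the thread.
NEW_CONF = "nss_base_passwd ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu?sub"
OLD_CONF = "nss_base_passwd ou=caedm,dc=et,dc=byu,dc=edu?sub"
# slapd log line quoted in the thread for the new server.
LOG_NEW = ('slapd[5678]: conn=1410207 op=35 SRCH '
           'base="ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu" scope=2 deref=0 '
           'filter="(&(objectClass=posixAccount)(uid=someuser))"')

SCOPE_NAMES = {0: "base", 1: "one", 2: "sub"}  # numeric scope codes slapd logs
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'deref=\d+ filter="(?P<filter>[^"]*)"')


def parse_dn(dn: str) -> List[str]:
    """Split a DN into RDN components, leaf first.  Splits only on commas
    that are not backslash-escaped and lower-cases for comparison, which
    matches the caseIgnoreMatch rule of cn/ou/dc; full RFC 4514
    normalisation is deliberately not attempted here."""
    rdns = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in rdns]


def dn_in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn is reachable from a search rooted at base_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # entry is not below the base at all
    depth = len(entry) - len(base)        # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def parse_nss_base(line: str) -> Tuple[str, str, str]:
    """Parse 'nss_base_xxx base?scope[?filter]'; scope defaults to sub."""
    key, value = line.split(None, 1)
    fields = value.strip().split("?")
    scope = fields[1] if len(fields) > 1 and fields[1] else "sub"
    return key, fields[0], scope


def parse_srch_log(line: str) -> Tuple[str, str, str]:
    """Pull (base, scope name, filter) out of a slapd SRCH log line."""
    m = SRCH_RE.search(line)
    if not m:
        raise ValueError("not a SRCH log line")
    return m["base"], SCOPE_NAMES[int(m["scope"])], m["filter"]


def visible_entries(base_dn: str, scope: str, dns: List[str]) -> List[str]:
    """Entries a lookup with this base/scope could return."""
    return [dn for dn in dns if dn_in_scope(dn, base_dn, scope)]


def lost_entries(old_line: str, new_line: str, dns: List[str]) -> List[str]:
    """Entries reachable under the old nss_base_* line but not the new one,
    i.e. the accounts whose logins would start failing after the change."""
    _, old_base, old_scope = parse_nss_base(old_line)
    _, new_base, new_scope = parse_nss_base(new_line)
    still_visible = set(visible_entries(new_base, new_scope, dns))
    return [dn for dn in visible_entries(old_base, old_scope, dns)
            if dn not in still_visible]


if __name__ == "__main__":
    base, scope, flt = parse_srch_log(LOG_NEW)
    print("new server searches", base, "scope", scope, "filter", flt)
    print("reachable:", visible_entries(base, scope, DNS))
    print("accounts lost by narrowing the base:", lost_entries(OLD_CONF, NEW_CONF, DNS))
```

Running `lost_entries(OLD_CONF, NEW_CONF, DNS)` before changing the new server's libnss-ldap.conf would have listed exactly the shared-mailbox entry, which is the user population the thread saw rejected. The same check is worth running in the other direction too: widening the base to `ou=caedm,...?sub` makes every posixAccount anywhere under that subtree a valid login on the mail server, so the comparison shows what the fix lets in as well as what the narrower base kept out.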