Return-path: <bounce-ldap-1439841@listserver.itd.umich.edu>
Envelope-to: cjackson@localsurface.com
Delivery-date: Wed, 20 Aug 2003 21:25:51 -0500
Received: from [141.211.2.230] (helo=listserver.gpcc.itd.umich.edu)
	by mail.localsurface.com with smtp (Exim 4.20)
	id 19pf94-0003lN-QA
	for cjackson@localsurface.com; Wed, 20 Aug 2003 21:25:51 -0500
Received: from enforcer.mr.itd.umich.edu ([141.211.14.42]) by listserver.gpcc.itd.umich.edu with SMTP (Lyris ListManager SOLARIS/SPARC version 7.0); Wed, 20 Aug 2003 22:25:47 -0400
Received: (from daemon@localhost)
	by enforcer.mr.itd.umich.edu (3.6u) with LDAP id h7L2PlE09703
	for ldap@listserver.itd.umich.edu; Wed, 20 Aug 2003 22:25:47 -0400 (EDT)
Received: (from daemon@localhost)
	by enforcer.mr.itd.umich.edu (3.6u) with X.500 id h7L2PlB09700
	for ldap-members@umich.edu; Wed, 20 Aug 2003 22:25:47 -0400 (EDT)
Received: from mail.localsurface.com (ip-66-186-241-25.eatel.net [66.186.241.25])
	by enforcer.mr.itd.umich.edu (3.6u) with ESMTP id h7L2Pf209665
	for <ldap@umich.edu>; Wed, 20 Aug 2003 22:25:46 -0400 (EDT)
Received: from [10.1.1.3] (helo=www.localsurface.com ident=cjackson)
	by mail.localsurface.com with esmtp (Exim 4.20)
	id 19pf8u-0003lK-Hr
	for ldap@umich.edu; Wed, 20 Aug 2003 21:25:40 -0500
From: Craig Jackson <cjackson@localsurface.com>
Reply-To: cjackson@localsurface.com
Organization: localsurface
To: ldap@umich.edu
Subject: [ldap] Beginner issue
Date: Wed, 20 Aug 2003 21:25:39 -0500
User-Agent: KMail/1.5.3
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <LYRIS-1439841-384039-2003.08.20-22.25.48--cjackson#localsurface.com@listserver.itd.umich.edu>
List-Unsubscribe: <mailto:leave-ldap-1439841T@listserver.itd.umich.edu>
X-URL: <http://www.umich.edu/~dirsvcs/ldap/>
List-Subscribe: <mailto:ldap-request@umich.edu?subject=SUBSCRIBE>
X-UID: 309

I want to set up multiple domain Exim/Courier-imap with LDAP backend and have 
read a lot on this but can't get LDAP setup quite right. I think the tree 
should look like this:

        dc=localsurface,dc=com
                 |
             o=hosting
                 |
        +--------+--------+
        |                 |
  ou=domain.org     ou=domain.com
        |                 |
  user@domain.org   user@domain.com

I use this ldif file to create this database:

# Define LDAP Domain
dn: dc=localsurface,dc=com
dc: localsurface
o: hosts
objectClass: top
objectClass: dcObject
objectClass: organization

# Define LDAP Admin
dn: cn=admin,dc=localsurface,dc=com
cn: admin
objectClass: top
objectClass: organizationalRole
description: LDAP Directory Administrator

# Define o=hosts container (the domain ou entries below are not placed under it)
dn: o=hosts,dc=localsurface,dc=com
o: hosts
objectClass: top
objectClass: organization
description: Organization Name

# Domain 1
dn: ou=domain.org,dc=localsurface,dc=com
ou: domain.org
objectClass: top
objectClass: organizationalUnit
description: Hosted Domain domain.org

# Domain 2
dn: ou=domain.com,dc=localsurface,dc=com
ou: domain.com
objectClass: top
objectClass: organizationalUnit
description: Hosted Domain domain.com

# User 1
dn: cn=Craig Jackson,ou=domain.com,dc=localsurface,dc=com
cn: Craig Jackson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: CourierMailAccount
mail: cjackson@localsurface.com
givenname: Craig
sn: Jackson
ou: domain.com
# Courier's authldap reads clearPassword; slapd's own simple bind compares
# userPassword, which this entry does not carry.
clearPassword: tux
homeDirectory: /home/vmail/domain.com/c/cjackson

# User 2
dn: cn=testuser,ou=domain.com,dc=localsurface,dc=com
cn: testuser
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: CourierMailAccount
mail: testuser@localsurface.com
givenname: test
sn: user
ou: domain.com
# As above: clearPassword only, no userPassword.
clearPassword: tux
homeDirectory: /home/vmail/domain.com/t/testuser

It works OK except the search base must be Domain X to search Domain X. I would 
like the search base to be the LDAP root so that when a user authenticates, 
he can be found in any of the domains. I have seen several similar 
implementations of this and each gives me errors of one sort or another.

My slapd.conf looks like this:

include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/authldap.schema

schemacheck on
# allow bind_v2
pidfile		/usr/local/var/slapd.pid
argsfile	/usr/local/var/slapd.args

############################################
# bdb database definitions
############################################
database	bdb

suffix			"dc=localsurface,dc=com"
rootdn		"cn=admin,dc=localsurface,dc=com"
rootpw		{SSHA}jPwt/Q2vcIJtq9rplr76n4iGJk9qJsP8
directory		/usr/local/var/openldap-data
# mode 		0600

# Indices to maintain
# Squirrelmail LDAP plug-in uses this
index	objectClass	eq
index cn,sn,mail,givenname,uid eq

#############################################
#############################################

# Access control list

# Prevents users from looking at passwords.
# Regex "to dn": $1 captures the hosted-domain ou, so each domain's
# cn=postmaster role (via roleOccupant) may write that domain's clearPassword.
# Caveat: slapd's simple bind compares userPassword, not clearPassword, so the
# "by anonymous auth" here does not let users bind; userPassword has no rule
# of its own and falls through to the catch-all "access to *" below, which
# makes it readable by everyone.
access to dn=".*,ou=([^,]+),dc=localsurface,dc=com"
 attr=clearPassword
 by self write
 by group/organizationalRole/roleOccupant="cn=postmaster,ou=$1,dc=localsurface,dc=com" write
 by anonymous auth
 by * none

# Filters need access to this (anyone else gets the implicit "by * none")
access to attr=accountStatus
 by dn="cn=admin,dc=localsurface,dc=com" read

# Catch-all; "by users read" is already implied by "by * read"
access to *
 by dn="cn=admin,dc=localsurface,dc=com" write
 by self write
 by users read
 by * read

# EOF

Also a user cannot authenticate to search. I get this:
mail:/usr/local/etc/openldap/ldif# ldapsearch -v -x \
    -D "cn=testuser,ou=localsurface.com,dc=localsurface,dc=com" \
    -b "ou=localsurface.com,dc=localsurface,dc=com" -W "cn=testuser" cn mail
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
ldap_bind: Inappropriate authentication (48)

I would deeply appreciate a humiliating explanation of my errors.
Thanks,
Craig Jackson


---
You are currently subscribed to ldap@umich.edu as: [cjackson@localsurface.com]
To unsubscribe send email to ldap-request@umich.edu with the word UNSUBSCRIBE as the SUBJECT of the message.
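The two behaviours the post runs into, modelled in an added Python example that is not code from the original message, from OpenLDAP or from Courier: a subtree search from the suffix versus a search based at one domain's ou, and why slapd answers a simple bind with inappropriateAuthentication (48) when the entry carries only Courier's clearPassword and no userPassword. The LDIF inside is constructed from the post, with testuser moved to ou=domain.org so that a search from the suffix has to cross domains; the in-memory search and bind are simplified stand-ins for slapd's behaviour, not its code; the {SSHA} routine follows the format slappasswd produces. Nothing here contacts a server.

```python
import base64
import hashlib
import hmac
import os
import re

# LDAP result codes (RFC 4511 4.1.9); 48 is the error quoted in the post.
SUCCESS, INAPPROPRIATE_AUTH, INVALID_CREDENTIALS = 0, 48, 49

# Constructed LDIF modelled on the post. testuser is moved to ou=domain.org
# (the post has both users under ou=domain.com) so a search from the suffix
# has to cross domains. As posted, neither user carries a userPassword.
POSTED_LDIF = """\
dn: dc=localsurface,dc=com
objectClass: dcObject
objectClass: organization
dc: localsurface

dn: cn=Craig Jackson,ou=domain.com,dc=localsurface,dc=com
objectClass: inetOrgPerson
objectClass: CourierMailAccount
cn: Craig Jackson
mail: cjackson@localsurface.com
clearPassword: tux

dn: cn=testuser,ou=domain.org,dc=localsurface,dc=com
objectClass: inetOrgPerson
objectClass: CourierMailAccount
cn: testuser
mail: testuser@localsurface.com
clearPassword: tux
"""

def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators (toy: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}} from plain LDIF."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = normalize_dn(value)
            else:
                attrs.setdefault(name, []).append(value)
        entries[dn] = attrs
    return entries

def search(entries, base, scope, attr, value):
    """DNs matching (attr=value); scope 'one' = direct children, 'sub' = whole subtree."""
    base = normalize_dn(base)
    hits = []
    for dn, attrs in entries.items():
        below = dn.endswith("," + base)
        if scope == "one":   # direct children only: the RDN prefix has no comma
            in_scope = below and "," not in dn[: -len(base) - 1]
        else:                # "sub": the base entry plus everything beneath it
            in_scope = below or dn == base
        if in_scope and value.lower() in (v.lower() for v in attrs.get(attr.lower(), [])):
            hits.append(dn)
    return sorted(hits)

def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd writes it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """Check a candidate password against one {SSHA} value (20-byte digest, then salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    candidate = hashlib.sha1(password.encode("utf-8") + raw[20:]).digest()
    return hmac.compare_digest(candidate, raw[:20])

def simple_bind(entries, dn, password):
    """Mimic slapd's simple bind: only userPassword is consulted, never clearPassword."""
    entry = entries.get(normalize_dn(dn))
    if entry is None:
        return INVALID_CREDENTIALS   # an absent DN is not distinguished from a bad password
    stored = entry.get("userpassword", [])
    if not stored:
        return INAPPROPRIATE_AUTH    # entry exists but has nothing to authenticate against
    return SUCCESS if any(ssha_verify(s, password) for s in stored) else INVALID_CREDENTIALS

def add_user_password(entries, dn, password, salt=None):
    """Give an entry a userPassword; return the LDIF change record ldapmodify would take."""
    hashed = ssha_hash(password, salt)
    entries[normalize_dn(dn)].setdefault("userpassword", []).append(hashed)
    return f"dn: {dn}\nchangetype: modify\nadd: userPassword\nuserPassword: {hashed}\n"

if __name__ == "__main__":
    db, user = parse_ldif(POSTED_LDIF), "cn=testuser,ou=domain.org,dc=localsurface,dc=com"
    print(search(db, "dc=localsurface,dc=com", "sub", "mail", "testuser@localsurface.com"))
    print(simple_bind(db, user, "tux"), add_user_password(db, user, "tux"), simple_bind(db, user, "tux"))
```

Run stand-alone it shows the subtree search from the suffix finding testuser although he sits under a different ou than the other user, then the bind result moving from 48 to 0 once a userPassword exists. On a real directory the printed change record is what to feed to ldapmodify, and the slapd.conf should then give userPassword its own rule (`by self write`, `by anonymous auth`, `by * none`) ahead of the catch-all `access to *`, since that catch-all as posted leaves userPassword readable by everyone. Keeping clearPassword at all means plaintext passwords in the directory; it is a Courier convenience, not something slapd authenticates against.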

