
Re: querying MS-Exchange Server ?



On Fri, Dec 28, 2001 at 03:53:39PM -0600, SSL wrote:
% The Win2000 techie said, "Oh, you're not getting the MS-Exchange
% users because it's acting as an Active Directory server" (or
% something like that), and told me to do the search based
% on the Global Catalog called "blahblah" (this is a made-up
% name).  It happens that one of the records returned by
% the generic query (objectClass=*) has DC=blahblah.
% 
% Now, I'm lost as to how to set the "Global Catalog" in
% an ldapsearch query.
% 
% He also said that the directory (based on Global Catalog
% blahblah) wasn't publicly viewable, and that only MS-Exchange
% users could query it, using "secure password authentication".
% By this I presume he means SASL, is this correct?  (If so,
% then I'll have to reinstall openssl, as the FreeBSD pre-compiled
% "port" is apparently compiled without SASL.)

AFAICT, Active Directory will only show you certain "safe" objects unless
you bind non-anonymously. I can query a local Active Directory and find all
the user objects with something like this:

ldapsearch -D jwm@example.com -w mypassword -h win2k-machine \
    -b cn=Users,dc=example,dc=com objectClass=\*

or (binding as my actual DN):

ldapsearch -D 'CN=John W. Morrissey,CN=Users,DC=example,DC=com' \
    -w mypassword -h win2k-machine -b cn=Users,dc=example,dc=com \
    objectClass=\*

This particular account has Domain Admin rights; a lowly User account might
not get you the same results (or even anything at all). Simple auth works
fine for me, but requiring Kerb auth (likely what he means by "secure
password authentication") may be a site-specific configuration option.

john
-- 
John Morrissey          _o            /\         ----  __o
jwm@horde.net        _-< \_          /  \       ----  <  \,
www.horde.net/    __(_)/_(_)________/    \_______(_) /_(_)__
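Added example, not part of the original thread or of anyone's posted code: it puts the two points of the exchange above into runnable form, namely that a non-anonymous simple bind is what unlocks the user objects, and that the "Global Catalog" the Win2000 admin mentioned is reached by pointing ldapsearch at the GC port (3268, or 3269 over TLS) rather than by any special filter. The command-line builder uses only real OpenLDAP ldapsearch options (`-H`, `-x`, `-D`, `-y`, `-b`, `-LLL`; `-y` is present in current OpenLDAP, not in the 2.0 release the thread dates from); the LDIF parser handles the folded continuation lines and base64 (`::`) binary attributes that ldapsearch emits for AD, and decodes objectSid into the familiar S-1-5-21-... form. The host, base DN and SAMPLE_LDIF are constructed for the example.

```python
"""Authenticated Active Directory Global Catalog query via ldapsearch, plus a
parser for the LDIF it returns.

Added example, not code from the original thread.  Assumes the OpenLDAP
ldapsearch client.  GC_HOST, BASE_DN and SAMPLE_LDIF are constructed.
"""
import base64
import struct
from typing import Dict, List, Sequence

GC_HOST = "gc.example.com"          # hypothetical Global Catalog server
BASE_DN = "dc=example,dc=com"       # hypothetical forest root
# Standard AD filter for real user accounts (excludes computers and contacts).
USER_FILTER = "(&(objectCategory=person)(objectClass=user))"


def ldapsearch_argv(bind_dn: str, passfile: str, filt: str = USER_FILTER,
                    attrs: Sequence[str] = ("sAMAccountName", "objectSid")) -> List[str]:
    """Command line for an authenticated search of the Global Catalog.

    -H ldaps://host:3269   Global Catalog over TLS (3268 is the plaintext GC port)
    -x -D ... -y file      simple bind (UPN or full DN both work against AD); the
                           password is read from a file instead of being passed
                           with -w, where `ps` and shell history would expose it
    -LLL                   LDIF without comments or version line
    """
    return ["ldapsearch", "-LLL", "-x",
            "-H", f"ldaps://{GC_HOST}:3269",
            "-D", bind_dn, "-y", passfile,
            "-b", BASE_DN, filt, *attrs]


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF (RFC 2849) reader: unfolds continuation lines, decodes `::` values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line: drop the single leading space
        else:
            lines.append(raw)
    entries: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # attr:: <base64>  (binary/non-ASCII values)
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        current.setdefault(name, []).append(data)
    return entries


def sid_to_string(sid: bytes) -> str:
    """Binary objectSid -> "S-<rev>-<authority>-<sub>...".

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian sub-authorities.
    """
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", sid, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def users_from_ldif(text: str) -> List[Dict[str, str]]:
    """Keep only entries carrying objectClass: user and summarise them."""
    out = []
    for entry in parse_ldif(text):
        if b"user" not in entry.get("objectClass", []):
            continue
        out.append({
            "dn": entry["dn"][0].decode(),
            "sAMAccountName": entry["sAMAccountName"][0].decode(),
            "sid": sid_to_string(entry["objectSid"][0]),
        })
    return out


# Constructed sample of what `ldapsearch -LLL` returns: one user (with a folded
# description line and a base64 objectSid) and one container that the filter drops.
SAMPLE_LDIF = """dn: CN=John W. Morrissey,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John W. Morrissey
sAMAccountName: jwm
userPrincipalName: jwm@example.com
objectSid:: AQUAAAAAAAUVAAAAVwQAAK4IAAAFDQAA9AEAAA==
description: Domain Admin account used for the ldapsearch
  examples in the thread

dn: CN=Users,DC=example,DC=com
objectClass: top
objectClass: container
cn: Users

"""

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv("jwm@example.com", "/root/.ad_pass")))
    for user in users_from_ldif(SAMPLE_LDIF):
        print(user)
```

Two caveats worth keeping in mind when running the generated command for real. First, an LDAP simple bind that supplies a DN but an empty password is an unauthenticated bind and is treated as anonymous, so an empty `-y` file silently turns the query back into the anonymous case that only returns the "safe" objects; check that the results include the user entries you expect rather than trusting that the bind "succeeded". Second, ldapsearch folds long LDIF lines by default, which is why the parser unfolds continuation lines before splitting attributes.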