[Exim] LDAP feature request

Author: Brian Candler
Date:  
To: exim-users
Subject: [Exim] LDAP feature request
I have a small feature request for LDAP. I've not implemented it myself
since there are some alternatives and people may have some ideas how it
should look.

The problem is that 'ldap' does a search and returns the attributes;
'ldapdn' does a search and returns the DN; but you can't get both at the
same time (unless you do two separate searches).

What I want to do for AUTHenticating users is:

1. search on ($2). Search results are DN and an attribute (e.g. authSrv)
2. run ldapauth using the DN found in step 1 and password ($3)
3. construct a server_set_id as $authSrv:$2. This is then used in later ACLs
to decide which services the user is allowed to use (ATRN, relaying etc)

With the current system, I have to either:
- do two LDAP searches plus an LDAP auth, or
- hardcode the username-to-DN mapping in step 2, which is bad form.

One possibility might be to allow a pseudo-attribute "dn" in LDAP searches:
     ldap:///basedn?dn,otherattr?sub?(filter)
                    ^^^^^^^^^^^^
which would return "dn=xxx" as part of the result. That syntax could also
supersede 'ldapdn' by just specifying dn by itself.


Anyone else have any other suggestions?

Regards,

Brian.
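
The three-step flow from the message above, as an added example that is not part of the original post and is not Exim code: one search returns the DN together with authSrv, the DN is used for the bind, and the id is built as authSrv:user. The in-memory directory, the mock search/bind functions and all names are assumptions made for illustration; the username is escaped per RFC 4515 before it enters the filter, and an empty password is refused before the bind.

```python
import hmac
import re

# Constructed sample directory (DN -> entry); stands in for a real LDAP server.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"uid": "alice", "authSrv": "relay", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com":
        {"uid": "bob", "authSrv": "atrn", "userPassword": "hunter2"},
}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so user input stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def uid_matches(filt, uid):
    """Mock matcher for filters of the form (uid=VALUE); bare '*' is a wildcard."""
    inner = re.fullmatch(r"\(uid=(.*)\)", filt, re.S).group(1)
    pattern = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", inner, re.S):
        if tok == "*":
            pattern += ".*"
        elif len(tok) == 3:                      # \xx escape: literal character
            pattern += re.escape(chr(int(tok[1:], 16)))
        else:
            pattern += re.escape(tok)
    return re.fullmatch(pattern, uid, re.S) is not None

def search(filt, attrs):
    """One search that returns the DN together with the requested attributes."""
    return [(dn, {a: e[a] for a in attrs})
            for dn, e in DIRECTORY.items() if uid_matches(filt, e["uid"])]

def bind(dn, password):
    """Mock simple bind; empty passwords are refused (unauthenticated bind)."""
    if not password:
        return False
    stored = DIRECTORY.get(dn, {}).get("userPassword", "")
    return hmac.compare_digest(stored.encode(), password.encode())

def authenticate(user, password):
    """Steps 1-3 from the message: one search, one bind, then the id."""
    hits = search("(uid=%s)" % escape_filter_value(user), ["authSrv"])
    if len(hits) != 1:    # no entry, or an ambiguous match
        return None
    dn, attrs = hits[0]
    if not bind(dn, password):
        return None
    return "%s:%s" % (attrs["authSrv"], user)
```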