[Exim] Re: Using nis/ldap in a reliable fashion (i.e. withou…

Author: Miquel van Smoorenburg
Date:  
To: exim-users
Subject: [Exim] Re: Using nis/ldap in a reliable fashion (i.e. without losing mail)
In article <20020917214149.GA15227@???>,
Marc MERLIN <marc_news@???> wrote:
>On Tue, Sep 17, 2002 at 09:42:13PM +0200, Nico Erfurth wrote:
>> Exim has nis-support built in (if you enable it).
>
>Ok, so do you have to rewrite
>
>localuser:
> driver = accept
> check_local_user
> transport = local_delivery
>
>and replace check_local_user with a condition string that does an explicit
>NIS lookup?


Yes, but the only way to do this reliably is to add a new directive
that makes it possible to define what a "local user" means to
check_local_user.

check_local_user fills in user, uid, gid, home, and gecos. So
you need something like

local_user = user=user1 uid=1000 gid=10 home=/home/user1

.. and then check_local_user would use those values instead of
the ones obtained from (getpwnam($local_part)).

Then in your case you'd use:

NISLOOKUP = ${lookup {$local_part} nis {passwd.byname} \
        { user = ${extract{1}{:}{$value}} \
          uid  = ${extract{3}{:}{$value}} \
          gid  = ${extract{4}{:}{$value}} \
          home = ${extract{6}{:}{$value}} \
        } \
        {} \
         }


localuser:
driver = accept
check_local_user
local_user = NISLOOKUP
transport = local_delivery

An empty string as a result of the expansion of this
value would mean "no match" (user not found), a fail would
cause the message to get queued / frozen.

You could even scan the password file too if you can't find
the user in NIS - trivial config addition. Voila, nsswitch.conf
functionality in exim.conf ;)

Now you need someone to write up this code and submit it to
Philip, or perhaps you can talk Philip into implementing this ;)

It would be very useful for sure, since you would be able
to use what looks like a standard configuration, including
the expansion of $home (which you can't set in any other
way right now), yet lose the association with the
standard Unix password file / users.

It _is_ possible to do it without all this, by doing a NIS lookup
in a router and putting it in address_data (exim4) and looking
it up in every subsequent router using $address_data (or by
setting address_data in every router), but it just doesn't look
as nice, it's conceptually very different, and you can't use
address_data for something else easily.

Mike.
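
The address_data workaround described in the last paragraph of the message, sketched as an Exim 4 router. This is an added example, not part of the original message and not tested against a particular Exim build. The router name nis_localuser is an assumption; local_delivery is the transport named in the message.

```exim
# Added example: replaces check_local_user with an explicit NIS lookup.
nis_localuser:
  driver = accept
  # Expanded after the router's preconditions have passed. $value is the
  # whole passwd.byname line (name:passwd:uid:gid:gecos:home:shell).
  #   key not in the map   -> forced "fail": the router declines
  #   lookup cannot finish -> expansion error: the router defers and the
  #                           message stays on the queue
  address_data = ${lookup{$local_part}nis{passwd.byname}{$value}fail}
  # Deliver as the uid/gid from the NIS entry instead of getpwnam().
  user  = ${extract{3}{:}{$address_data}}
  group = ${extract{4}{:}{$address_data}}
  # Gives the transport the $home that check_local_user would have set.
  transport_home_directory = ${extract{6}{:}{$address_data}}
  transport = local_delivery
```

Because the delivery uid now comes from the directory rather than the local password file, keep never_users = root in the main section so that a NIS entry carrying uid 0 cannot cause a delivery to run as root.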