Re: [Exim] RE: Exim 4 LDAP SMTP Authentication

Author: Tony Earnshaw
Date:  
To: exim-users
Subject: Re: [Exim] RE: Exim 4 LDAP SMTP Authentication
Fri, 2003-02-14 at 07:38, Thai Q. Tran wrote:

> Please any information or help would be greatly appreciated. I
> have been trying for days to get SMTP authentication to work with LDAP
> with no success. I haven't found much information or example for
> version 4 of EXIM. I an example and played with it but still with no
> success.


No guarantee :-) Works for me with Exim 4.12 and Openldap 2.1.x (x=12 at
the moment).

- For CRAM-MD5, passwords have to be in cleartext; for PLAIN they are
sent by the MUA as base64.
- ALL network traffic SHOULD always be encrypted via SSL or TLS.
- exim:mail is a privileged system user:group. As far as the LDAP DIT is
concerned, exim is highly privileged on a par with the LDAP proxy user
and has read rights to the whole DIT, obviously including the
userPassword attribute.
- No separate routers or transports are necessary.

Be aware that the mail line breaks on this list may not be honored
(though this mail should be plain text by rights, line breaks at 76
chars), and that you may have to work out for yourself where newlines
occur.

- In main body of exim's configure file.

acl_smtp_auth = acl_check_auth

- In ACLs:

########################################################################
#                 What about the AUTH possibilities?                   #
########################################################################


acl_check_auth:
    accept encrypted     = *
    accept condition     = ${if eq {${substr_0_5:$smtp_command_argument}}{PLAIN}{yes}{no}}
    accept condition     = ${if eq {${substr_0_8:$smtp_command_argument}}{CRAM-MD5}{yes}{no}}
    deny   message       = TLS encryption, and/or either AUTH PLAIN, or CRAM-MD5 required



######################################################################
#                        AUTH ACL initialization                     #
######################################################################


auth_advertise_hosts = localhost

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


begin authenticators

# PLAIN: the client sends "authzid NUL user NUL password" as one base64 blob,
# so $2 is the user name and $3 the cleartext password. The user is verified
# by binding to LDAP as that user's own DN (ldapauth), so exim never needs to
# read userPassword for this mechanism.
fixed_plain:
  driver              = plaintext
  public_name         = PLAIN
  server_prompts      = :
  server_condition    = ${if ldapauth \
    {user="cn=${quote_ldap:$2},ou=people,ou=groups,dc=example,dc=com" \
    pass="$3" \
    ldaps://localhost/} \
    {yes}{no}}
  server_set_id       = cn=$2

# CRAM-MD5: $1 is the user name from the client's response. The server has to
# know the cleartext password to recompute the HMAC, so the privileged exim
# service account fetches userPassword for that uid; "fail" makes the
# authentication fail when the lookup finds nothing.
cram:
  driver              = cram_md5
  public_name         = CRAM-MD5
  server_debug_print  = yes
  server_secret       = ${lookup ldapm \
    {user="cn=exim,ou=services,ou=groups,dc=example,dc=com" \
    pass=eximpassword \
    ldaps://localhost/dc=example,dc=com?userPassword?sub?(uid=${quote_ldap:$1})} \
    {$value}fail}



--

Tony Earnshaw

When you rob a person of his illusions,
you are robbing him of his happiness


e-post:        tonni@???
www:        http://www.billy.demon.nl
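What the two authenticators in the message above actually see on the wire, as an added example that is not part of the original post or of Exim: the PLAIN blob that yields $2/$3, the CRAM-MD5 exchange that forces the server to hold the cleartext secret returned by server_secret, and the filter escaping that ${quote_ldap:$1} performs for the (uid=...) filter (this function is an illustration of RFC 4515 escaping, not Exim's code). User names, passwords and the challenge are constructed sample values.

```python
import base64
import hashlib
import hmac


def auth_plain_blob(user: str, password: str, authzid: str = "") -> str:
    """Client side of AUTH PLAIN (RFC 4616): authzid NUL authcid NUL password,
    base64-encoded. This is encoding, not protection, hence the ACL above that
    only accepts it over an encrypted connection."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(blob: str) -> tuple[str, str]:
    """Server side: split the blob the way the plaintext authenticator does,
    giving $2 (user) and $3 (password) for the ldapauth bind."""
    _authzid, user, password = base64.b64decode(blob).decode("utf-8").split("\0")
    return user, password


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server challenge,
    keyed with the cleartext password; the reply is 'user hexdigest'."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5(response: str, challenge: bytes, stored_secret: str) -> bool:
    """Server side: recompute the HMAC from the secret the server_secret lookup
    returned (userPassword). A hashed userPassword cannot be used as the key,
    which is why CRAM-MD5 needs the cleartext password stored in LDAP."""
    _user, _, digest = response.partition(" ")
    expected = hmac.new(stored_secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def quote_ldap_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515) so a
    user-supplied name such as '*' or 'a)(uid=admin' cannot rewrite the
    (uid=...) filter. Illustrative equivalent of what ${quote_ldap:$1} guards."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)
```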