Re: [Exim] Recipient checking: LDAP

Author: Sheldon Hearn
Date:  
To: Tony Earnshaw
CC: exim-users
Subject: Re: [Exim] Recipient checking: LDAP
On (2003/10/15 10:42), Tony Earnshaw wrote:

> >The closest thing I've found is the qmail-ldap schema
> >(http://www.nrg4u.com/qmail/QLDAPINSTALL).
>
> The Courier IMAP schema does more or less the same. But you don't need
> it for what you want, to begin with.


Thanks for the demystification of LDAP schemas.

Once you have your head wrapped around the idea that entries in the
directory can inherit MAY and MUST attribute lists from multiple
objectClass definitions, it's pretty much plain sailing. :-)

So I'm using a modified version of courier-imap's authldap.schema.
I removed uidNumber and gidNumber from the MUST list for the
CourierMailAccount objectClass, because pop3d and imapd will always
use mailnull:mail to access mailboxes. I have imapd and pop3d
authenticating against OpenLDAP and fetching mailbox location and stuff
from the directory.

Now, SMTP AUTH authentication in Exim. The following works nicely for
me:

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = \
    ${if \
      ldapauth { \
        user="cn=${quote_ldap:$1},ou=people,dc=clue,dc=bz" \
        pass="${quote_ldap:$2}" \
        ldap:/// \
      } \
      {yes} {no} \
    }
  server_set_id = $1


I'm abusing cn (Common Name), I know. I'll eventually use two lookups,
one binding as cn=Manager with known password to get the right dn from
mail, then another using that dn.

Testing it was a problem. Took me 45 minutes to realize I was sending
the username and password base64-encoded with newlines included. I was
generating them with

    echo sheldonh@??? | base64
    echo secret | base64


instead of

    echo -n sheldonh@??? | base64
    echo -n secret | base64


I really, REALLY like Exim. The clue was in this error message:

535 Incorrect authentication data
LOG: MAIN REJECT
login authenticator failed for axl.seasidesoftware.co.za (axl) [10.0.0.2]: 535 Incorrect authentication data (set_id=sheldonh@???
)

The fact that the closing paren was on a new line was the eventual
giveaway.

So now I just need to get my head around SPA so that Outlook users can
also use SMTP AUTH. I plan to replace my pop-before-smtp implementation
with authenticated relay only.

Anyone got a clean way to test SPA without an Outlook client?

Thanks,
Sheldon.
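The AUTH LOGIN test described in the post, as an added example that is not part of the original message or of Exim: it builds the two base64 tokens the way `echo -n` does, reproduces the plain `echo` mistake for comparison, and decodes a token the way the server sees it to flag the embedded newline. The username "alice" is constructed for illustration.

```python
import base64
import binascii
import re

# Bytes that must never appear inside an AUTH LOGIN credential: the newline
# that plain `echo` appends is encoded along with the password and ends up
# inside Exim's $1/$2, which is why the LDAP bind fails.
_FORBIDDEN = re.compile(rb"[\r\n\x00]")


def encode_credential(value: str) -> str:
    """Token a client sends in reply to one server prompt.

    Equivalent to `echo -n VALUE | base64`: no trailing newline is encoded.
    """
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def encode_credential_with_echo_bug(value: str) -> str:
    """Reproduce what `echo VALUE | base64` yields: the newline is encoded too."""
    return base64.b64encode((value + "\n").encode("utf-8")).decode("ascii")


def check_credential(token: str) -> tuple[bool, str]:
    """Decode a client token as the server does and report whether it is clean.

    Returns (ok, detail): the decoded text when ok, otherwise a description of
    the defect. A stray newline here is what produces the line break before the
    closing paren in the 'set_id=...' part of Exim's reject log line.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return False, "not valid base64"
    if _FORBIDDEN.search(raw):
        return False, "decoded credential contains CR/LF/NUL (stray newline from echo?)"
    return True, raw.decode("utf-8", errors="replace")


def auth_login_exchange(user: str, password: str) -> list[str]:
    """Client lines for the posted authenticator's two prompts (Username:/Password:)."""
    return ["AUTH LOGIN", encode_credential(user), encode_credential(password)]


if __name__ == "__main__":
    for line in auth_login_exchange("alice", "secret"):
        print(line)
    for tok in (encode_credential("secret"), encode_credential_with_echo_bug("secret")):
        print(tok, check_credential(tok))
```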