[Exim] LDAP auth question

Author: Stephen Gran
Date:  
To: exim-users
Subject: [Exim] LDAP auth question
Hello all,

I have a network where most of the users are in LDAP, but some are not -
they are just regular system accounts (mostly either legacy, or admin
accounts - the admin accounts are fallback in case slapd keels over one
day). Both categories of users send and receive mail. I have been
managing auth with /etc/exim4/passwd, but that's getting tiresome, so
I'm migrating to authenticating against LDAP, which is in my opinion
much cleaner anyhow.

I have two issues that I would appreciate help with:
First, if auth against slapd fails, the whole transaction is dumped to
mainlog, including password supplied - this is not a huge problem, as it
is only incorrect authentication information being dumped, and at any
rate mainlog is protected by regular file permissions from prying eyes.
However it is ugly, and I'd rather not see it there.

The second is that currently, I am advertising AUTH PLAIN LOGIN - plain
works for system accounts (only a few people, set up in /etc/exim4/passwd
and managed the tedious way, but it's only a few), and login
authenticates against slapd. Smart MTAs (like my other boxes using exim
:) have no problem trying multiple authentication types until one
succeeds, but I'm wondering if other, stupid software (say, outlook)
will barf when the first auth type fails.

I was hoping that someone
a) had a suggestion about how to keep the extra information out of
mainlog, and

b) had experience with a setup like this, and could give some pointers
about how to make the transition relatively painless for the users.

It's a fairly stock authentication setup, but I'll include it just for
completeness:

ldap_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${lookup ldap{user=uid=$1,ou=People,dc=mail,dc=lobefin,dc=net pass=$2 ldap://localhost/ou=People,dc=mail,dc=lobefin,dc=net?uid?sub?(uid=$1)}{yes}fail}"
  server_set_id = $1

plain_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $2
  server_prompts = :

Thanks all, and Happy ${holiday of choice}.
--
--------------------------------------------------------------------------
|  Stephen Gran                  | Some parts of the past must be          |
|  steve@???             | preserved, and some of the future       |
|  http://www.lobefin.net/~steve | prevented at all costs.                 |

--------------------------------------------------------------------------
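Two points in the post above are easy to get wrong when reasoning about them: which SASL fields the plaintext authenticator's $1/$2/$3 actually carry for PLAIN versus LOGIN, and how a failed `ldap` lookup ends up putting the client's password (the `pass=` part of the expanded lookup string) into mainlog. The following Python is an added example, not code from the post or from Exim: it decodes both mechanisms' base64 responses the way a server sees them, and provides a redaction pass an operator can run over mainlog lines before the log is shipped anywhere. The log line it scans is constructed for the example and does not reproduce Exim's exact failed-lookup message format; the `pass=` token is taken from the lookup string in the post.

```python
import base64
import re
from typing import List, Tuple

def decode_auth_plain(b64: str) -> Tuple[str, str, str]:
    """Decode one SASL PLAIN response: base64("[authzid]\\0authcid\\0password").
    Exim's plaintext authenticator exposes these as $1, $2 and $3, which is why
    the post's plain_server looks the user up with $2 and checks $3."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        # A client that sends the wrong number of NULs is malformed; fail closed.
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password

def decode_auth_login(b64_user: str, b64_pass: str) -> Tuple[str, str]:
    """Decode a SASL LOGIN exchange: two base64 replies, one per prompt.
    With server_prompts = "Username:: : Password::" Exim sets $1 = user and
    $2 = password, matching the post's ldap_login authenticator."""
    user = base64.b64decode(b64_user, validate=True).decode("utf-8")
    password = base64.b64decode(b64_pass, validate=True).decode("utf-8")
    return user, password

# The expanded lookup string is "user=<dn> pass=<secret> ldap://...", so the
# secret runs from "pass=" up to the next whitespace. (Assumption: passwords
# containing spaces would need a smarter parser than this.)
PASS_RE = re.compile(r"(\bpass=)\S+")

def redact_ldap_password(line: str) -> str:
    """Replace the pass=... value of an expanded ldap lookup string in a log line."""
    return PASS_RE.sub(r"\1[REDACTED]", line)

def scrub_mainlog(lines: List[str]) -> Tuple[List[str], int]:
    """Redact every line that leaked a lookup password; also return how many
    lines were affected, which is a useful metric for detecting the problem."""
    out, hits = [], 0
    for line in lines:
        fixed = redact_ldap_password(line)
        if fixed != line:
            hits += 1
        out.append(fixed)
    return out, hits

# Constructed sample mainlog lines (format is illustrative, not Exim's verbatim).
SAMPLE_LOG = [
    "2003-12-24 10:00:01 LDAP lookup failed: user=uid=alice,ou=People,dc=mail,"
    "dc=lobefin,dc=net pass=hunter2 ldap://localhost/ou=People,dc=mail,"
    "dc=lobefin,dc=net?uid?sub?(uid=alice)",
    "2003-12-24 10:00:02 1AZ001-0001aa-00 <= bob@lobefin.net H=localhost",
]

if __name__ == "__main__":
    print(decode_auth_plain("AGFsaWNlAGh1bnRlcjI="))
    print(decode_auth_login("YWxpY2U=", "aHVudGVyMg=="))
    cleaned, n = scrub_mainlog(SAMPLE_LOG)
    print(n, "line(s) redacted")
    for l in cleaned:
        print(l)
```

Running the scrubber periodically only limits exposure after the fact; the durable fix is to keep the secret out of the lookup string that Exim logs on failure, and the redaction count doubles as a simple check that the change actually took effect.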