Re: [Exim] Exim and LDAP Authentication

Author: Tony Earnshaw
Date:  
To: exim-users
Subject: Re: [Exim] Exim and LDAP Authentication
Tue, 30.12.2003 at 10.17, Tim Tassonis wrote:

> Example:
>
> There would be an LDAP entry like this:
>
> dn: uid=timtas,dc=dplanet,dc=ch
> uid: timtas
> userPassword: manager
> mail: timtas@???
>
> So, in the authentication phase, Exim would try to bind to the LDAP server
> by:
> - Looking up the dn based on the submitted userid, timtas
> - Binding with the dn and the submitted password.
>
> When the client sends the MAIL FROM: header, Exim would already know the
> authenticated userid and would then look up the entry using the filter
> (&(uid=$AUTHENTICATED_USERID)(mail=$ADDRESS_IN_MAIL_FROM_HEADER))
>
> Can this be done?


I'd be more than interested in this too. I'm doing this - under OpenLDAP
2.1.25 - with the Postfix November snapshot at the moment (after around
7 months of concentrated Postfix 2.0.x, I can do more or less what I
want with it - and had planned on going back to Exim 4 this spring. I
simply can't do both at once - they demand two completely different
mindsets). My relay policy *demands* that what you want be possible.

I put this to Kirill Miazine privately over Christmas:

* Tony Earnshaw [2003-12-26 15:43]:
> On the other hand, I don't trust my users further than I can spit. I've
> seen them spamming, logging in under one name, then doing 'MAIL FROM:
> somebody-else@???'. With Postfix I can prohibit this. If they
> do an EHLO, STARTTLS, EHLO, AUTH WHATEVER and that is accepted, then from
> then on they can't do 'MAIL FROM:' under any other name than that with
> which they have logged in, unless I've given them express permission.


and he came up with the following hint from spec.txt:

$authenticated_id: When a server successfully authenticates a client it may be
configured to preserve some of the authentication information in the
variable $authenticated_id (see chapter 32). For example, a user/password
authenticator configuration might preserve the user name for use in the
routers. When a message is submitted locally (that is, not over a TCP
connection), the value of $authenticated_id is the login name of the calling
process.

They should be able to mail under a group name, though - say uid=tonye should
be able to mail under support@???, if he's a member of the posixGroup
support.

Anybody want to take it from there? After months of not using Exim 4,
I've more or less forgotten everything and need concentrated practice :(

--Tonni

--
mail: billy - at - billy.demon.nl
http://billy.demon.nl
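An added example, not from the thread and not Exim's own documentation, of how the two halves fit together in an Exim 4 configuration: a PLAIN authenticator that binds to the directory as the user's own DN, and a MAIL ACL that lets an authenticated user send only as the mail attribute of their own entry or of a posixGroup they belong to. It assumes the dc=dplanet,dc=ch tree from the quoted post, an LDAP host ldap.example.com, current Exim 4 syntax ($auth2/$auth3, $tls_in_cipher) and that group entries carry a mail attribute via an auxiliary objectClass, since the NIS schema's posixGroup has none.

```exim
# Main section: assumed LDAP host, and the ACL that runs at MAIL FROM
ldap_default_servers = ldap.example.com
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Unauthenticated clients are not this ACL's concern; relaying for them
  # is controlled by the RCPT ACL, which is not shown here.
  accept  !authenticated = *

  # Case 1: the sender is the authenticated user's own address. This is the
  # (&(uid=...)(mail=...)) filter from the thread; $authenticated_id holds
  # the name stored by server_set_id in the authenticator below.
  accept  condition = ${lookup ldap \
            {ldap:///dc=dplanet,dc=ch?mail?sub?\
             (&(uid=${quote_ldap:$authenticated_id})\
               (mail=${quote_ldap:$sender_address}))} \
            {yes}{no}}

  # Case 2: the sender is the address of a posixGroup listing the user in
  # memberUid (e.g. uid=tonye sending as support@...). Assumes the group
  # entry also has a mail attribute (auxiliary objectClass, not in posixGroup).
  accept  condition = ${lookup ldap \
            {ldap:///dc=dplanet,dc=ch?cn?sub?\
             (&(objectClass=posixGroup)\
               (memberUid=${quote_ldap:$authenticated_id})\
               (mail=${quote_ldap:$sender_address}))} \
            {yes}{no}}

  # Anything else from an authenticated client is refused at MAIL FROM
  deny    message = $authenticated_id may not send as $sender_address

begin authenticators

# PLAIN, only advertised once STARTTLS is up. Exim binds to the directory
# as the user's DN with the submitted password, so no password is read or
# compared in Exim itself; a failed bind is a failed AUTH.
ldap_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if ldapauth \
      {user="uid=${quote_ldap_dn:$auth2},dc=dplanet,dc=ch" \
       pass=${quote:$auth3} \
       ldap:///} {yes}{no}}
  server_set_id = $auth2
  server_advertise_condition = ${if def:tls_in_cipher}
```

A bounce (MAIL FROM:<>) from an authenticated client is also refused by the final deny; add an explicit rule for the empty sender if your users need to send one.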