Re: [Exim] ldapauth schema

Author: Thomas Hager
Date:  
To: Exim Users Mailing List
Subject: Re: [Exim] ldapauth schema
--
On Wed, 2004-01-21 at 05:41, TN wrote:
> My head's spinning from reading & trying ldap docs for authenticating
> users via ldap.

sounds familiar, reminds me of my spinning head some years ago ;-)

> I am using this for LOGIN:
> login_server:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = "${if ldapauth
> {user=\"uid=${quote_ldap_dn:$1},ou=AU,ou=People,dc=example,dc=com\"
> pass=${quote:$2} ldap://localhost/}{yes}{no}}"
> server_set_id = $1

this should work.

> dc=example,dc=com
> |
> +----ou=People,dc=example,dc=com
>         |
>         |
>         +----ou=AU,ou=People,dc=example,dc=com
>              |
>              |
>              +-----uid=tnuro,ou=AU,ou=People,dc=example,dc=com
>
> The attributes set in my user entry is:
> dn: cn=Trevor Nuro,ou=AU,ou=People,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: top
> objectClass: organizationalPerson
> cn: Trevor Nuro
> sn: Nuro
> givenName: Trevor
> mail: tnuro@???
> structuralObjectClass: inetOrgPerson
> uid: tnuro
> userPassword:: bGludXg=

this won't work with your exim authenticator, and the entry's DN is
different from the one depicted in your graph above.

> It always fails. In my schema, I have the 'uid' attribute set to my
> login name, and userPassword, which I presume ldapauth checks against -
> is this correct ?

no.
clients authenticate to an ldap server with DN and password. uid is
merely an attribute of your ldap entry. the DN is important, it
identifies a single entry in the ldap directory. the user="" option in
your exim authenticator must match the entry's dn you want to
authenticate.

in your example, the user's DN is
"cn=Trevor Nuro,ou=AU,ou=People,dc=example,dc=com",
whereas your exim authenticator's user option expands to
"uid=tnuro,ou=AU,ou=People,dc=example,dc=com". (if you auth with
"tnuro")

i guess that there's no entry in your ldap db with the DN
"uid=tnuro,ou=AU,ou=People,dc=example,dc=com", thus authentication
fails.

change your ldap entry's DN to
"uid=tnuro,ou=AU,ou=People,dc=example,dc=com" and ldap authentication
should succeed. try to authenticate with one of the ldap utils first.

> The doc for ldapauth says "The condition is true if the password is not
> empty, and the user name and password are accepted by the LDAP server" -
> how does the ldap server accept/reject "the password" ? How is the
> password expected to be encrypted ?

see above.
btw, ldap traffic is not encrypted by default, so sniffing on port 389
with ethereal gives valuable debugging information.

hth,
tom.

--
Thomas "Duke" Hager                       {duke,hager}@???
GPG: 1024D/D27F858C            http://www.sigsegv.at/gpg/duke.gpg
=================================================================
"Never Underestimate the Power of Stupid People in Large Groups."
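Added illustration of the point made in the reply above (not code from the thread, Exim or OpenLDAP): it builds the DN that the authenticator's user= option expands to for a login name, checks it against a constructed copy of TN's entry the way a simple bind would, and then applies the suggested DN change. The quote_ldap_dn escaping and the rename helper are approximations written for this example; assumed names are BASE_DN, DIRECTORY and the helper functions.

```python
import base64

BASE_DN = "ou=AU,ou=People,dc=example,dc=com"   # suffix used in the user= option

# Constructed copy of TN's entry, keyed by DN the way the server holds it.
# 'userPassword:: bGludXg=' in LDIF means the value is base64-encoded.
DIRECTORY = {
    "cn=Trevor Nuro,ou=AU,ou=People,dc=example,dc=com": {
        "uid": "tnuro",
        "userPassword": base64.b64decode("bGludXg=").decode(),
    },
}

def quote_ldap_dn(value):
    """Backslash-escape RFC 4514 specials so a login like 'x,ou=admin' cannot
    alter the DN. Approximates Exim's ${quote_ldap_dn:}; not its exact output."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def bind_dn(login):
    """The DN the authenticator's user= option expands to when $1 is login."""
    return f"uid={quote_ldap_dn(login)},{BASE_DN}"

def simple_bind(directory, dn, password):
    """Simulated server verdict on a simple bind: the DN must name an existing
    entry and the password must equal its cleartext userPassword. ldapauth
    itself fails on an empty password before contacting the server."""
    if not password:
        return "fail: empty password"
    entry = directory.get(dn)
    if entry is None:
        return "fail: no such entry"          # TN's case: no uid=... DN exists
    return "ok" if entry.get("userPassword") == password else "fail: invalid credentials"

def rename_to_uid_rdn(directory):
    """Tom's fix (assumes every entry sits directly under BASE_DN): re-key each
    entry that carries a uid so its DN becomes uid=<uid>,BASE_DN."""
    return {(f"uid={quote_ldap_dn(a['uid'])},{BASE_DN}" if "uid" in a else dn): a
            for dn, a in directory.items()}

# Against a real server, the same check is: ldapwhoami -x -H ldap://localhost/ \
#   -D "uid=tnuro,ou=AU,ou=People,dc=example,dc=com" -W
```

Run the simulated bind against DIRECTORY and against rename_to_uid_rdn(DIRECTORY) to see the "no such entry" failure turn into "ok" once the RDN matches what the authenticator builds.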

