Re: [Exim] ldapauth schema

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Thomas Hager
Data:  
Para: Exim Users Mailing List
Asunto: Re: [Exim] ldapauth schema
--
On Wed, 2004-01-21 at 05:41, TN wrote:
> My head's spinning from reading & trying ldap docs for authenticating
> users via ldap.

sounds familiar, reminds me of my spinning head some years ago ;-)

> I am using this for LOGIN:
> login_server:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = "${if ldapauth
> {user=\"uid=${quote_ldap_dn:$1},ou=AU,ou=People,dc=example,dc=com\"
> pass=${quote:$2} ldap://localhost/}{yes}{no}}"
> server_set_id = $1

this should work.

> dc=example,dc=com
> |
> +----ou=People,dc=example,dc=com
>         |
>         |
>         +----ou=AU,ou=People,dc=example,dc=com
>              |
>              |
>              +-----uid=tnuro,ou=AU,ou=People,dc=example,dc=com

>
> The attributes set in my user entry is:
> dn: cn=Trevor Nuro,ou=AU,ou=People,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: top
> objectClass: organizationalPerson
> cn: Trevor Nuro
> sn: Nuro
> givenName: Trevor
> mail: tnuro@???
> structuralObjectClass: inetOrgPerson
> uid: tnuro
> userPassword:: bGludXg=

this won't work with your exim authenticator, and the entrys DN is
different from the one depicted in your graph above.

> It always fails. In my schema, I have the 'uid' attribute set to my
> login name, and userPassword, which I presume ldapauth checks against -
> is this correct ?

no.
clients authenticate to an ldap server with DN and password. uid is
merely an attribute of your ldap entry. the DN is important, it
identifies a single entry in the ldap directory. the user="" option in
your exim authenticator must match the entry's dn you want to
authenticate.

in your example, the user's DN is
"cn=Trevor Nuro,ou=AU,ou=People,dc=example,dc=com",
whereas your exim authenticator's user option expands to
"uid=tnuro,ou=AU,ou=People,dc=example,dc=com". (if you auth with
"tnuro")

i guess, that there's no entry in your ldap db with the DN
"uid=tnuro,ou=AU,ou=People,dc=example,dc=com", thus authentication
fails.

change your ldap entries DN to
"uid=tnuro,ou=AU,ou=People,dc=example,dc=com" and ldap authentication
should succeed. try to authenticate with one of the ldap utils firts.

> The doc for ldapauth says "The condition is true if the password is not
> empty, and the user name and password are accepted by the LDAP server" -
> how does the ldap server accept/reject "the password" ? How is the
> password expected to be encrypted ?

see above.
btw, ldap traffic is not encrypted by default, so sniffing on port 389
with ethereal gives valuable debugging information.

hth,
tom.

--
Thomas "Duke" Hager                       {duke,hager}@???
GPG: 1024D/D27F858C            http://www.sigsegv.at/gpg/duke.gpg
=================================================================
"Never Underestimate the Power of Stupid People in Large Groups."


--
Content-Description: This is a digitally signed message part

[ signature.asc of type application/pgp-signature deleted ]
--