Re: [exim] Exim LDAP authenticatior

Author: Thomas Hager
Date:  
To: exim-users
Subject: Re: [exim] Exim LDAP authenticatior
On Sat, 2005-05-21 at 22:14 +0200, Arne Tiedemann wrote:
> Hello all,

hey!

[...]

> Users are in the following OUs
>
>     ou=domain,ou=de,dc=root 
>     ou=domain,ou=net,dc=root 
>     ou=domain,ou=com,dc=root 
>     ou=domain,ou=org,dc=root 

>
> and so on.
>
> When I send an email I see in the logfile:
>
> 947 SMTP<< AUTH LOGIN
> 947 host in smtp_accept_max_nonmail_hosts? yes (matched "*")
> 947 SMTP>> 334 VXNlcm5hbWU6
> 947 SMTP>> 334 UGFzc3dvcmQ6
> 947 search_open: ldap "NULL"
> 947 cached open
> 947 search_find: file="NULL"
> 947 key="user="uid=userid,dc=root" pass=password ldap:///dc=root?uid?sub?(uid=userid) " partial=-1 affix=NULL starflags=0
> 947 LRU list:
> 947 internal_search_find: file="NULL"
> 947 type=ldap key="user="uid=userid,dc=root" pass=password ldap:///dc=root?uid?sub?(uid=userid) "
> 947 database lookup required for user="uid=userid,dc=root" pass=password ldap:///dc=root?uid?sub?(uid=userid)
> 947 LDAP parameters: user=uid=userid,dc=root pass=password size=0 time=0 connect=0 dereference=0
> 947 perform_ldap_search: ldap URL ="ldap:///dc=root?uid?sub?(uid=userid) " server=127.0.0.1 port=0 sizelimit=0 timelimit=0 tcplimit=0
> 947 after ldap_url_parse: host=127.0.0.1 port=0
> 947 re-using cached connection to LDAP server 127.0.0.1:389
> 947 binding with user=uid=userid,dc=root password=password
> 947 failed to bind the LDAP connection to server 127.0.0.1:389 - LDAP error 49: Invalid credentials
> 947 lookup deferred: failed to bind the LDAP connection to server 127.0.0.1:389 - LDAP error 49: Invalid credentials
> >>>>>>>>>>>>>>>>>>>>> end >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


this can't work. as you said, your users are located below
"ou=domain,ou=de,dc=root", etc., but you create the userid used for ldap
auth with "uid=${extract{1}{@}{$1}},dc=root". exim complains about that
in your logs, saying that "user=uid=userid,dc=root" can't auth.

> Should I configure a separate authenticator for each OU? I think not.

of course not :)

> How can I configure the authenticators to query a user in some OU?

well, i recommend using saslauthd for this purpose. you need to install
cyrus-sasl 2.x.x with LDAP support compiled into saslauthd.

basically, saslauthd does exactly what you want. it queries the LDAP
directory for a given username and retrieves its DN. it then binds with
the returned DN and the given password. if everything works out ok,
saslauthd signals that the user is authenticated.

maybe you have to rebuild exim with the option

CYRUS_SASLAUTHD_SOCKET=/path/to/saslauthds/unix/socket

set in your Local/Makefile to include SASL support.

hth,
tom.

-- 
Thomas "Duke" Hager                       {duke,hager}@???
GPG: 1024D/D27F858C            http://www.sigsegv.at/gpg/duke.gpg
=================================================================
"Never Underestimate the Power of Stupid People in Large Groups."
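The saslauthd route Tom describes, written out as an added example that is not from the original thread: a saslauthd LDAP configuration that searches below dc=root for the user's entry and then binds as the DN it found, beside an Exim plaintext authenticator that hands the LOGIN credentials to saslauthd. The file paths, the socket path, the LDAP URL and the filter are assumptions for illustration; adjust them to your setup.

```conf
# --- the failing approach, reconstructed from the debug log above:
#   ldapauth with user="uid=${extract{1}{@}{$1}},dc=root"
# that DN does not exist (users live under ou=domain,ou=<tld>,dc=root),
# so the bind is rejected with "LDAP error 49: Invalid credentials".

# --- /etc/saslauthd.conf (assumed path): search first, then bind as the DN found
ldap_servers: ldap://127.0.0.1/
ldap_version: 3
ldap_search_base: dc=root
ldap_scope: sub
# %u is the username the SMTP client sent; the search itself is anonymous
# unless ldap_bind_dn / ldap_bind_pw are set for a read-only search account
ldap_filter: (uid=%u)
# "bind" = authenticate by binding as the DN returned by the search
ldap_auth_method: bind

# start the daemon with the ldap mechanism and that config:
#   saslauthd -a ldap -O /etc/saslauthd.conf
# check the search+bind on its own before involving Exim:
#   testsaslauthd -u someuser -p 'secret'

# --- Exim: build with CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux in
#     Local/Makefile (socket path assumed; use whatever saslauthd listens on),
#     then replace the ldapauth authenticator with this one
begin authenticators

login_saslauthd:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  # $1 / $2 are the answers to the two prompts; saslauthd does the LDAP work
  server_condition = ${if saslauthd{{$1}{$2}}{yes}{no}}
  server_set_id = $1
```

If saslauthd is running but Exim still fails, check that the Exim user can read the saslauthd socket; a permission problem there looks like a plain authentication failure to the SMTP client.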