Re: [exim] Exim hangs on ldap search

Author: Lou Vasquez
To: exim-users
Subject: Re: [exim] Exim hangs on ldap search
For future reference below is my quick fix. Clearly exim has trouble with
ldaps lookup on AD while it doesn't have trouble with ldapauth on ldaps
so....

I call a perl script to convert the username (jsmith) to AD type username
(John Smith) and insert that in the ldapauth.

Thanks to all for your comments and suggestions!

Lou

--exim4.conf.template

#main/50_exim4-localconfig_perl
perl_at_start = true
perl_startup = do '/etc/exim4/exim.pl'

login:
    driver = plaintext
    public_name = LOGIN
    # LOGIN carries the password in clear, so it should only be advertised
    # on TLS-protected sessions (server_advertise_condition on the TLS cipher).
    server_prompts = "Username:: : Password::"
    # $1 is the client-supplied login name, $2 the password.  The perl call
    # turns the login name into the AD cn; a cn containing DN special
    # characters (comma, plus, quotes) must be escaped before it is placed in
    # the DN (see quote_ldap_dn in the Exim spec).  The wrapped line below is
    # a single logical line: each physical line ends in a backslash.
    server_condition = ${if ldapauth \
        {user=${quote:cn=${perl{get_cn_from_name}{$1}},cn=Users,dc=ercbroadband,dc=local} \
        pass=${quote:$2} \
        ldaps://chapman.ercbroadband.org/}{yes}{no}}
    server_set_id = $1



--exim.pl

#! /usr/bin/perl
# /etc/exim4/exim.pl, loaded by perl_startup; Exim calls the sub as
# ${perl{get_cn_from_name}{$1}} with the SMTP AUTH username in $1.
use strict;
use warnings;

# Escape the RFC 4515 filter metacharacters so an attacker-chosen username
# cannot change the meaning of the search filter.
sub escape_filter_value {
    my $v = shift;
    $v =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;
    return $v;
}

sub get_cn_from_name {
    my $uid = shift;
    my $filter = '(sAMAccountName=' . escape_filter_value($uid) . ')';
    # List-form open runs ldapsearch directly, without a shell, so the
    # username cannot inject shell commands the way the original backticks
    # allowed.  -w still exposes the bind password in `ps`; -y <file> avoids that.
    open(my $fh, '-|', 'ldapsearch', '-x', '-LLL', '-w', 'ldaplookup',
         '-D', 'cn=ldaplookup,cn=Users,dc=ercbroadband,dc=local',
         '-b', 'dc=ercbroadband,dc=local',
         '-H', 'ldaps://chapman.ercbroadband.org',
         $filter, 'cn') or return '';
    my $rtn = '';
    while (my $line = <$fh>) {
        # Only plain "cn: value" lines; "cn:: ..." is base64 for non-ASCII names.
        if ($line =~ /^cn: (.*)/) { $rtn = $1; chomp $rtn; last; }
    }
    close($fh);
    return $rtn;   # '' when not found: the bind DN becomes cn=,cn=Users,... and fails
}





On Monday 24 July 2006 15:53, Lou Vasquez wrote:
> We're actually planning on moving our "real" users over to openldap long
> range, that's actually how we had it to begin with, this AD stuff was an
> office related idea that I'm pushing away from.
>
> I'm actually happy with the perl hack as it doesn't require much setup,
> but that's a good idea. I hadn't thought about that, but it might be a
> good way of allowing certain users access via their "virtual" AD
> existence.
>
> Lou
>


> On Mon, Jul 24, 2006 at 03:33:22PM -0400, Lou Vasquez wrote:
> > Oddly enough that worked. I'd rather not leave ldap(-s) open but that
> > at least points to the problem. I remove the s and it comes back, I put
> > the s in and it hangs after getting the cn. What's really strange is
> > that ldapauth works fine with ldaps (but I have to use cn, not username
> > for the bind) but not with ldap lookup.
>
> How about this for a kludge/work-around:
> Openldap (& maybe other ldap servers) has the ability to retrieve info
> from other ldap servers.
> Why not configure it to speak to another ldap over 'ldaps' (if you can
> do it) and then exim can speak to the local ldap (on the same machine)
> over 'ldap' (which is prob reasonably secure).
>
> > Until I have time to download code and try patches and look into the
> > code I'll probably go with my perl hack, but I'm still happy to try
> > things with it.
>
> --
> Alain Williams
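
An added example, not part of Lou's post and not Exim's own code: the same
login-name-to-cn lookup that the posted exim.pl does by shelling out to
ldapsearch, done in-process with Net::LDAP (perl-ldap). It keeps the bind
password off the command line, escapes the client-supplied username before it
goes into the search filter, verifies the AD server's certificate, and
escapes the returned cn for use inside a DN. Assumed beyond the thread:
Net::LDAP and IO::Socket::SSL are installed, and the CA bundle path is a
placeholder. The bind DN, password, base and server are taken from the posted
script. Whether Net::LDAP's ldaps handling avoids the hang the thread
describes in Exim's own ldap lookup is not established here; like the
ldapsearch version it simply bypasses that lookup.

```perl
#! /usr/bin/perl
# /etc/exim4/exim.pl replacement (added example); loaded by perl_startup and
# called from the authenticator as ${perl{get_cn_from_name}{$1}}.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);

my $LDAP_URI = 'ldaps://chapman.ercbroadband.org';
my $BIND_DN  = 'cn=ldaplookup,cn=Users,dc=ercbroadband,dc=local';
my $BIND_PW  = 'ldaplookup';                          # as in the posted script
my $BASE_DN  = 'dc=ercbroadband,dc=local';
my $CA_FILE  = '/etc/ssl/certs/ercbroadband-ca.pem';  # assumed path

# Returns the cn for an sAMAccountName, escaped for use in a DN, or '' when
# the user is not found, the match is ambiguous, or the directory cannot be
# reached.  An empty return makes Exim's ldapauth bind as "cn=,cn=Users,..."
# and fail, which is the safe direction.
sub get_cn_from_name {
    my $uid = shift;
    return '' unless defined $uid && length $uid;

    # The username comes straight from the SMTP AUTH exchange; RFC 4515
    # escaping keeps "jsmith)(objectClass=*" from widening the filter.
    my $filter = '(sAMAccountName=' . escape_filter_value($uid) . ')';

    my $ldap = Net::LDAP->new($LDAP_URI, verify => 'require', cafile => $CA_FILE)
        or return '';
    my $mesg = $ldap->bind($BIND_DN, password => $BIND_PW);
    return '' if $mesg->code;

    $mesg = $ldap->search(base => $BASE_DN, scope => 'sub',
                          filter => $filter, attrs => ['cn']);
    $ldap->unbind;
    return '' if $mesg->code || $mesg->count != 1;

    my $cn = $mesg->entry(0)->get_value('cn');
    return '' unless defined $cn;
    # RFC 4514 escaping: a cn such as "Smith, John" would otherwise end the
    # RDN early when it is dropped into user=cn=...,cn=Users,...
    return escape_dn_value($cn);
}

1;   # conventional true value for a file loaded with do
```

The function returns '' rather than dying on any failure so that a directory
outage or a malformed username is reported to the client as a failed
authentication, not as an Exim expansion error.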