For future reference, below is my quick fix. Clearly exim has trouble with
ldaps lookup on AD while it doesn't have trouble with ldapauth on ldaps,
so....
I call a perl script to convert the username (jsmith) to AD type username
(John Smith) and insert that in the ldapauth.
Thanks to all for your comments and suggestions!
Lou
--exim4.conf.template
#main/50_exim4-localconfig_perl
perl_at_start = true
perl_startup = do '/etc/exim4/exim.pl'

# LOGIN authenticator: the perl sub turns the login name ($1) into the AD cn,
# which is then used as the bind DN for ldapauth over ldaps.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if ldapauth \
    {user=${quote:cn=${perl{get_cn_from_name}{$1}},cn=Users,dc=ercbroadband,dc=local} \
    pass=${quote:$2} \
    ldaps://chapman.ercbroadband.org/}{yes}{no}}
  server_set_id = $1
--exim.pl
#! /usr/bin/perl
use strict;
use warnings;

# Look up the AD cn ("John Smith") for a login name ("jsmith") by
# searching on sAMAccountName with the ldaplookup service account.
sub get_cn_from_name {
    my $uid = shift;
    # RFC 4515 escaping: '*', '(', ')', '\' and NUL in the login name
    # must not be able to change the search filter.
    $uid =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;
    # List-form open runs ldapsearch directly, without a shell, so a
    # login name containing quotes, ';' or '|' cannot inject a command.
    # -w puts the password in the process list; ldapsearch -y <file> avoids it.
    my @cmd = ('ldapsearch', '-x', '-LLL',
               '-w', 'ldaplookup',
               '-D', 'cn=ldaplookup,cn=Users,dc=ercbroadband,dc=local',
               '-b', 'dc=ercbroadband,dc=local',
               '-H', 'ldaps://chapman.ercbroadband.org',
               "(sAMAccountName=$uid)", 'cn');
    open(my $fh, '-|', @cmd) or return '';
    my $cn = '';
    while (my $line = <$fh>) {
        # first "cn: value" line of the LDIF output, with surrounding whitespace trimmed
        if ($line =~ /^cn:\s*(.*?)\s*$/) { $cn = $1; last; }
    }
    close($fh);
    return $cn;
}

1;
On Monday 24 July 2006 15:53, Lou Vasquez wrote:
> We're actually planning on moving our "real" users over to openldap long
> range, that's actually how we had it to begin with, this AD stuff was an
> office related idea that I'm pushing away from.
>
> I'm actually happy with the perl hack as it doesn't require much setup,
> but that's a good idea. I hadn't thought about that, but it might be a
> good way of allowing certain users access via their "virtual" AD
> existence.
>
> Lou
>
> On Mon, Jul 24, 2006 at 03:33:22PM -0400, Lou Vasquez wrote:
> > Oddly enough that worked. I'd rather not leave ldap(-s) open but that
> > at least points to the problem. I remove the s and it comes back, I put
> > the s in and it hangs after getting the cn. What's really strange is
> > that ldapauth works fine with ldaps (but I have to use cn, not username
> > for the bind) but not with ldap lookup.
>
> How about this for a kludge/work-around:
> Openldap (& maybe other ldap servers) has the ability to retrieve info
> from other ldap servers.
> Why not configure it to speak to another ldap over 'ldaps' (if you can
> do it) and then exim can speak to the local ldap (on the same machine)
> over 'ldap' (which is prob reasonably secure).
>
> > Until I have time to download code and try patches and look into the
> > code I'll probably go with my perl hack, but I'm still happy to try
> > things with it.
>
> --
> Alain Williams
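As an added example (not Lou's code and not part of exim), the same sAMAccountName-to-cn lookup written in Python with the hardening a shell-piped ldapsearch lacks: the search is exec'd without a shell, the login name is RFC 4515-escaped before it enters the filter, the cn is RFC 4514-escaped before it is placed in the bind DN, and the LDIF output is parsed including folded lines and the base64 "cn::" form ldapsearch uses for non-ASCII names. The base DN, server and bind DN are the ones from the thread; the password file path and the sample LDIF are constructed assumptions.

```python
import base64
import subprocess

BASE_DN = "dc=ercbroadband,dc=local"            # base DN and server as posted in the thread
LDAP_URI = "ldaps://chapman.ercbroadband.org"
USERS_RDN = "cn=Users"

def escape_filter_value(value):
    """RFC 4515 escaping so the login name cannot change the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def escape_dn_value(value):
    """RFC 4514 escaping for the cn that is placed into the bind DN."""
    s = ''.join('\\' + c if c in ',+"\\<>;' else c for c in value)
    if s[:1] in ('#', ' '):
        s = '\\' + s
    if s.endswith(' '):
        s = s[:-1] + '\\ '
    return s

def ldapsearch_argv(uid, bind_dn, pw_file):
    """argv for the lookup; it is exec'd directly, so shell metacharacters never apply.
    -y reads the bind password from a file instead of exposing it on the command line."""
    return ['ldapsearch', '-x', '-LLL', '-H', LDAP_URI, '-D', bind_dn, '-y', pw_file,
            '-b', BASE_DN, '(sAMAccountName=%s)' % escape_filter_value(uid), 'cn']

def cn_from_ldif(ldif):
    """Extract cn from ldapsearch LDIF output: unfolds wrapped lines, decodes 'cn::' base64."""
    for line in ldif.replace('\n ', '').splitlines():
        if line.startswith('cn:: '):
            return base64.b64decode(line[5:]).decode('utf-8')
        if line.startswith('cn: '):
            return line[4:].strip()
    return ''

def user_dn(cn):
    """The DN exim binds with: cn=<escaped cn>,cn=Users,<base>."""
    return 'cn=%s,%s,%s' % (escape_dn_value(cn), USERS_RDN, BASE_DN)

def lookup_cn(uid, bind_dn, pw_file):
    """Run the search (needs network access to the AD server) and return the cn or ''."""
    proc = subprocess.run(ldapsearch_argv(uid, bind_dn, pw_file), capture_output=True, text=True)
    return cn_from_ldif(proc.stdout) if proc.returncode == 0 else ''

# Constructed samples of what ldapsearch -LLL prints for a match (not captured from a real server)
SAMPLE_LDIF = "dn: cn=John Smith,cn=Users,dc=ercbroadband,dc=local\ncn: John Smith\n\n"
SAMPLE_LDIF_B64 = "dn: cn=Zoe,cn=Users,dc=ercbroadband,dc=local\ncn:: Wm/DqyBTbWl0aA==\n\n"
```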