Re: [exim] LDAP lookup and concatenation

Author: Nigel Wade
Date:
To: exim-users
Subject: Re: [exim] LDAP lookup and concatenation
Josip Rodin wrote:
> [reposting to list, too]
> On Thu, Nov 30, 2006 at 11:11:11AM +0000, Ben Wheare wrote:
>>> Given that you probably want to also enable access to that mailbox for
>>> Joe Bloggs :) you might wish to extend your thinking to using something like
>>> pam_ldap for authentication and authorization on the mail server, so that
>>> you could simply get the users and their home directories via PAM
>> Thanks for the thought, but it's solely for virtual users. What we're
>> trying to build is a Samba PDC and mail server, all for virtual users,
>> that will only have access to that.
>> Only 2/3 people will have access to the server itself, and that'll be
>> via standard /etc/passwd, adduser etc. Yeah, I'm sure we could do it all
>> via LDAP, but we are all learning it as we go along, so trying to keep
>> it simple at first :)
>
> You could still implement them as "real" users, and have their shell set to
> /bin/false so that they can never log in, and only use the services you let
> them use.
>
> Let me rephrase the idea a bit better: if you were using some sort of a
> custom webmail and custom file server, where you'd have to write PAM support
> or write LDAP support, then doing the latter would be okay, because it's
> equally easy/hard to code either of the two. However, if you're already
> using all these standard tools, all of which have PAM support already,
> adding authorization via PAM in one fell swoop sounds like the way to go.
>


pam_ldap supports the host and member attributes, so you can allow/disallow each
user on a host-by-host basis via the directory. That way the same directory can
have valid values for home directory, shell etc. for all users who are allowed
to access any system. You can then control, within the directory, which systems
any user is actually allowed login access for, protecting your servers from
users whilst allowing the admins to log in as themselves.

This can affect the overall design of your LDAP directory which is being
accessed by Exim, so does have some relevance to this list...

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
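The per-host login control described in the message above, as an added illustration that is not part of the original thread: a small model of the check pam_ldap performs when `pam_check_host_attr yes` is set in /etc/ldap.conf, run over constructed directory entries. The uids, hostnames and entries are made up for the example, and treating a `host` value of `*` as "any host" is an assumption about pam_ldap's matching rather than something stated in the thread.

```python
"""Model of pam_ldap's per-host authorization (`pam_check_host_attr yes`):
a user may log in only if their entry carries a `host` attribute naming this
machine. Added illustration with constructed entries, not a real directory."""

# Constructed LDIF: a mail-only virtual user, an admin allowed everywhere
# (assumed `*` wildcard), and an account with no host attribute at all.
SAMPLE_LDIF = """\
dn: uid=jbloggs,ou=people,dc=example,dc=com
uid: jbloggs
homeDirectory: /var/mail/virtual/jbloggs
loginShell: /bin/false
host: mail.example.com

dn: uid=admin1,ou=people,dc=example,dc=com
uid: admin1
homeDirectory: /home/admin1
loginShell: /bin/bash
host: *

dn: uid=nohost,ou=people,dc=example,dc=com
uid: nohost
homeDirectory: /home/nohost
loginShell: /bin/bash
"""

def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF parser (no line folding or base64), keyed by uid."""
    entries: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["uid"][0]] = attrs
    return entries

def host_allowed(entry: dict[str, list[str]], hostname: str) -> bool:
    """Deny by default: a missing host attribute means no login anywhere."""
    return any(h == "*" or h == hostname for h in entry.get("host", []))

def login_allowed(entries: dict, uid: str, hostname: str) -> bool:
    """Unknown uid or no matching host value both yield a denial."""
    entry = entries.get(uid)
    return entry is not None and host_allowed(entry, hostname)

if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    for uid, host in [("jbloggs", "mail.example.com"), ("jbloggs", "pdc.example.com"),
                      ("admin1", "pdc.example.com"), ("nohost", "mail.example.com")]:
        print(f"{uid}@{host}: {'allow' if login_allowed(db, uid, host) else 'deny'}")
```

The same directory thus serves Exim's lookups (home directory, shell) for every account while the `host` values decide which machines each account may actually log in to.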