Re: [exim] need help with NIS

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] need help with NIS
On Wed, 2007-09-26 at 18:48 +0100, T. Horsnell wrote:
> We're trying to switch to using NIS tables
> during SMTP authentication, but can't get
> anything to work. We don't really understand
> how one is supposed to use the nis lookup


Neither do I :)

You could do worse, however, than allow your OS to do the legwork for
you via PAM:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html#SECTexpcond

You'll have to follow the instructions therein regarding the patched
pam_exim module, but I find that's the handiest method available since
it abstracts the authentication back to the OS. The OS then "stacks" the
available methods and calls them appropriately.

However:

> We currently have things like:
>
> fixed_plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_prompts = :
>   server_condition = ${if crypteq{$3}\
>     {${extract{1}{:}{${lookup{$2}lsearch{/etc/shadow}{$value}}}}\
>     }{yes}{no}}


This implies, rather uncomfortably, that you're running Exim as root (or
you've mangled the permissions on /etc/shadow). That's a big risk - one
you may be able to manage, but a risk nonetheless. Hence my comments
about PAM, since all that nastiness is abstracted back where it needs to
be.

> and would like to replace the search of /etc/shadow
> with a nis{passwd} thing. What is the syntax?
>
>    {${extract{1}{:}{${lookup{$2}lsearch{nis{passwd}}{$value}}}}\

>
> doesn't work, and neither does
>
>    {${extract{1}{:}{${lookup{$2}{nis{passwd}}{$value}}}}\

>
> How do we extract a line from nis's passwd tables using a
> userid as a keyword?


I believe you'd do it like this:

${lookup{$2}nis{passwd}}

But I'm probably wrong. What do you get if you "ypcat passwd"?

Graeme
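
Added example, not part of the original message: a PLAIN authenticator that uses the pam expansion condition suggested above in place of the crypteq lookup against /etc/shadow, so the Exim configuration never reads password hashes itself. The authenticator name pam_plain is hypothetical, and the sketch assumes an Exim binary built with SUPPORT_PAM and a PAM stack that can verify passwords for the user Exim runs as.

```conf
# Added example (not from the original thread).
# Assumption: Exim built with SUPPORT_PAM; "pam_plain" is a made-up name.
# Which back end is consulted (NIS, shadow, ...) is decided by the PAM
# stack on the host, not by this file.

pam_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # $2 is the login name and $3 the password, as in the quoted
  # authenticator (newer Exim releases also expose $auth2 and $auth3).
  # The pam condition takes a colon-separated list, so a colon inside
  # the password is doubled with ${sg...} to keep it one list item.
  server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
  server_set_id = $2
```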