On Wed, 2007-09-26 at 18:48 +0100, T. Horsnell wrote:
> We're trying to switch to using NIS tables
> during SMTP authentication, but can't get
> anything to work. We don't really understand
> how one is supposed to use the nis lookup

Neither do I :)

You could do worse, however, than allow your OS to do the legwork for
you via PAM:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html#SECTexpcond
You'll have to follow the instructions therein regarding the patched
pam_exim module, but I find that's the handiest method available since
it abstracts the authentication back to the OS. The OS then "stacks" the
available methods and calls them appropriately.

However:

> We currently have things like:
>
> fixed_plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_prompts = :
>   server_condition = ${if crypteq{$3}\
>     {${extract{1}{:}{${lookup{$2}lsearch{/etc/shadow}{$value}}}}\
>     }{yes}{no}}

This implies, rather uncomfortably, that you're running Exim as root (or
you've mangled the permissions on /etc/shadow). That's a big risk - one
you may be able to manage, but a risk nonetheless. Hence my comments
about PAM, since all that nastiness is abstracted back where it needs to
be.

> and would like to replace the search of /etc/shadow
> with a nis{passwd} thing. What is the syntax?
>
> {${extract{1}{:}{${lookup{$2}lsearch{nis{passwd}}{$value}}}}\
>
> doesn't work, and neither does
>
> {${extract{1}{:}{${lookup{$2}{nis{passwd}}{$value}}}}\
>
> How do we extract a line from nis's passwd tables using a
> userid as a keyword?

I believe you'd do it like this:

  ${lookup{$2}nis{passwd}}

But I'm probably wrong. What do you get if you "ypcat passwd"?

Graeme
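
Added example, not part of the original message and not either poster's configuration: the authenticator quoted above with the /etc/shadow lookup replaced by Exim's `pam` expansion condition, which is the route the reply recommends. It assumes an Exim binary built with SUPPORT_PAM=yes and keeps the thread's `$2`/`$3` variables; the authenticator name `pam_plain` is made up for illustration.

```exim
# Illustrative authenticator (the name pam_plain is hypothetical).
# Assumes Exim was built with SUPPORT_PAM=yes in Local/Makefile.
pam_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # For PLAIN, $2 is the login name and $3 the password, as in the
  # /etc/shadow version quoted in the thread.
  # The pam condition takes a colon-separated list: the first item is
  # the user name, the remaining items answer PAM's prompts. Exim
  # initialises PAM with the service name "exim", so the module stack
  # (NIS, local files, ...) is whatever the OS configures for that service.
  # Colons inside the password are doubled with sg so that they are not
  # read as list separators.
  server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
  server_set_id = $2
```

With this form Exim's own configuration no longer names /etc/shadow or a NIS map; which back end is consulted is decided by the PAM stack for the "exim" service.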