Re: [exim] Multiple lookups - ldap and mysql for different d…

Author: Phil Pennock
Date:  
To: Matiss
CC: exim-users
Subject: Re: [exim] Multiple lookups - ldap and mysql for different domains
On 2008-10-02 at 10:53 +0300, Matiss wrote:
> My question is - can exim do multiple user authentication lookups?
> What I mean, is that I have Active Directory deployment in my company,
> and it holds users for main domain. But also, I need to host some
> smaller domains for other sub-companies, and I don't want to add
> usernames/passwords to our AD for them.
>
> So, those I would like to lookup in mysql.
>
> Is it possible to make exim to: 1) if domain name is maindomain.com,
> look up user in LDAP
> 2) if domain name is everything else, look it up in mysql.
>
> or I would be perfectly fine configuring that on per-domain basis.


So this isn't multiple lookups per connection, but dispatching the
lookup based upon the domain of the userid. Much easier.

Yes, Exim can do this (easily), for cases where you take a
usercode/password from the client; it'd be ... difficult within Exim
itself with something like GSSAPI for direct AD-integrated automatic
authentication.

In the plaintext authentication drivers for PLAIN and LOGIN, successful
authentication is determined by the server_condition option returning a
true value. Exim has a powerful string expansion language with
conditional logic and data manipulation operators which will let you use
${if CONDITION {RULES_A}{RULES_B}} for the server_condition.

  server_condition = ${if eqi{${domain:$auth2}}{maindomain.com}\
              {LDAP_CONDITION_HERE}\
            {MYSQL_CONDITION_HERE}}


In The Exim Specification (spec.txt, or online at www.exim.org), you
want to pay attention to chapters:
33. SMTP authentication
34. The plaintext authenticator
11. String expansions
9. File and database lookups

That will also show you how you can replace the simple case-insensitive
equality condition eqi{${domain:$auth2}}{maindomain.com} with something
that looks up ${domain:$auth2} in something like an external file to
extract the specific domains from the config, if you so choose.

Chapter 9 will explain database/directory lookups to help you write the
LDAP/MySQL checks.

Regards,
-Phil
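
The dispatch described in the message above, filled in as an added example; it is not part of the original post and not configuration from the Exim distribution. Assumptions: the LDAP host name and DN layout, the MySQL table and column names (users, email, password), password hashes stored in crypt(3) format, and an Exim binary built with LDAP, MySQL and crypteq support.

```exim
# Main configuration section (placeholder credentials, assumed database):
#   hide mysql_servers = localhost/maildb/exim/PLACEHOLDER_PASSWORD

begin authenticators

# PLAIN: $auth2 is the login name (user@domain), $auth3 is the password.
#
# 1. An empty password is refused before any lookup, because an LDAP
#    simple bind with an empty password can succeed as an anonymous bind.
# 2. maindomain.com users are verified by an LDAP bind (ldapauth).
# 3. All other domains are verified against a MySQL-stored hash (crypteq).
#    If the row is missing, "fail" forces expansion failure, which Exim
#    treats as failed authentication.
#
# quote_ldap_dn and quote_mysql keep client-supplied text from altering
# the bind DN or the SQL statement.
plain_server:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # Only offer a cleartext mechanism on TLS-protected connections.
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition = ${if eq{$auth3}{} {no} \
      {${if eqi{${domain:$auth2}}{maindomain.com} \
          {${if ldapauth{user="cn=${quote_ldap_dn:${local_part:$auth2}},cn=Users,dc=maindomain,dc=com" \
              pass=${quote:$auth3} ldaps://ad.maindomain.com/}{yes}{no}}} \
          {${if crypteq{$auth3}{${lookup mysql{SELECT password FROM users \
              WHERE email='${quote_mysql:$auth2}'}{$value}fail}}{yes}{no}}} \
      }}}
  server_set_id = $auth2
```

A LOGIN authenticator would use the same condition with $auth1 and $auth2 in place of $auth2 and $auth3.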