Hi
I'm trying to configure an authenticator in such a way that a certain
range is excluded. The documentation suggests using auth_advertise_hosts
to exclude ranges from authentication, but the problem is that with
Outlook it fails immediately when authentication is configured but not
advertised by the server.
Of course, trying to change the server is easier than expecting
Microsoft to fix their mail client... so I'd therefore like to use
another tactic, that is, to authenticate the LAN IP addresses no matter
what credentials they provide.
My problem is that I don't know how to combine a lookup with an if/or
syntax in server_condition as this appears to be poorly documented.
I'm using 'lookup ldap' because this is the only sane way to allow
multiple DNs to authenticate, but when I combine 'lookup' with an 'or'
the following results:
2009-01-13 13:53:43 login authenticator failed for ([172.31.0.213])
[172.31.0.213]: 435 Unable to authenticate at present (set_id=nobody):
unknown condition "lookup" inside "or{...}" condition
The authenticator I conjured up looks as follows.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = yes
  server_condition = ${if or {{ \
      lookup ldap{ \
        user="${lookup ldapdn \
          {user="cn=Manager,o=FOO" pass=mypass \
          ldap:///?dn?sub?(&(accountStatus=active)(mail=${quote_ldap:$1}))} \
        }" \
        pass="$2" \
        ldap:///?mail?sub?(&(accountStatus=active)(mail=${quote_ldap:$1})) \
      }{yes}fail \
    } \
    { \
      match_ip{$sender_host_address}{172.31.0.0/24} \
    }} \
  }
  server_set_id = $2
What is not obvious are the following things:
- What does "{yes}fail" do differently than "{yes}{no}"? Which should I
be using in this context?
- How can I simply combine lookups with other criteria in a server
condition as above?
- What is actually allowed in a server_condition in terms of matching
conditions?
Regards,
--
Colin Alston <colin@???>
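The combination the post is asking about, as an added example that is not part of the original message: in Exim's `${if}` syntax, `or` takes a list of conditions and `lookup` is an expansion item rather than a condition, so its result is turned into a condition with `eq{...}{yes}`. The example follows the Exim manual's PLAIN layout ($auth2 is the username, $auth3 the password); the LAN range, base DN and manager DN come from the post, LDAP_MANAGER_PASSWORD_PLACEHOLDER stands in for the real bind password.

```exim
# Added example (not the original poster's configuration). Either a LAN
# source address or a successful LDAP bind as the user satisfies
# server_condition; anything else fails authentication.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = yes
  # "fail" in a lookup's failure slot forces the whole expansion to fail,
  # which Exim treats as "authentication failed" (535), whereas an
  # ordinary expansion error such as "unknown condition" yields the
  # temporary 435 seen in the post. "{yes}{no}" instead returns a string
  # that still has to be tested, which is what eq{...}{yes} does below.
  server_condition = ${if or {\
      { match_ip{$sender_host_address}{172.31.0.0/24} }\
      { and {\
          { !eq{$auth3}{} }\
          { eq {${lookup ldap {\
                     user="${lookup ldapdn {\
                       user="cn=Manager,o=FOO" pass="LDAP_MANAGER_PASSWORD_PLACEHOLDER" \
                       ldap:///?dn?sub?(&(accountStatus=active)(mail=${quote_ldap:$auth2}))}\
                       {$value}fail}" \
                     pass="$auth3" \
                     ldap:///?mail?sub?(&(accountStatus=active)(mail=${quote_ldap:$auth2}))}\
                   {yes}{no}}}{yes} }\
        }}\
    }}
  server_set_id = $auth2
```

The `!eq{$auth3}{}` guard matters because a simple bind with an empty password is an anonymous bind and would succeed regardless of the DN; `${quote_ldap:...}` keeps the client-supplied username from altering the LDAP filter.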