Re: [exim] (OT?) Authentication against Active Directory

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Phil Pennock
日付:  
To: ROGERS Richard
CC: exim-users
題目: Re: [exim] (OT?) Authentication against Active Directory
On 2009-10-28 at 16:35 -0000, ROGERS Richard wrote:
> I want to set up a submission service, and rather than have a separate
> username/password store, it would seem neater to have Exim authenticate
> against Active Directory. I have been looking around for pointers (I'm
> no expert with PAM or SASL) but not found a "recipe".
>
> I would appreciate any pointers as to the best way to go about this -
> I'm sure someone has gone down this road before me! The system will run
> on a Redhat (or possibly Fedora) box.


Various options need to have been compiled into Exim to make some of the
below work; LDAP, or Cyrus SASL support, or something else.

Note that to a large extent, Active Directory is just LDAP + Kerberos.
Not entirely just those, but solutions which rely on just LDAP or
Kerberos should work.

Do the clients support GSSAPI so that they can use Kerberos tickets to
authenticate? That would give total AD integration. I don't use AD
myself, but you would want something similar to what I use:

----------------------------8< cut here >8------------------------------
auth_gssapi:
  driver        = cyrus_sasl
  server_hostname = smtp.example.com
  server_realm  = EXAMPLE.COM
  server_mech   = gssapi
  public_name   = GSSAPI
  server_set_id = $auth1
  server_advertise_condition = ${if \
    forany{463:587}{=={$received_port}{$item}}\
    {yes}{no}}
----------------------------8< cut here >8------------------------------


To use this, you'd need to get a server principal created and a copy of
the server key into a file on the Exim host; this requires AD knowledge
that I don't have. I used ktutil, from Heimdal, in my non-AD setup);
then I arrange to make sure that the Exim daemon is started with:

KRB5_KTNAME=/etc/foo/bar/exim.keytab
export KRB5_KTNAME

(In my case, FreeBSD, I just put those into /etc/rc.conf.d/exim).

If not GSSAPI, then you're restricted to those mechanisms which accept a
password from the user (so CRAM-MD5 is out). You can use the "ldapauth"
expansion string condition. There's a canned example of this in:
34.4 The LOGIN authentication mechanism
which covers a LOGIN set-up; you can use the same, with some minor
modifications, for PLAIN (note that the position of the parameters
varies between PLAIN/LOGIN, so there's some fix-up needed). You might
also want to look at the documentation for ldapauth, in:
11.7 Expansion conditions

Looking at the example in 34.4, I'd also add:
server_advertise_condition = ${if def:tls_cipher}
which is a recommended option in the default Exim configs, in the
commented-out examples of PLAIN and LOGIN authenticators.

Regards,
-Phil