Re: [exim] (OT?) Authentication against Active Directory

Startseite
Nachricht löschen
Nachricht beantworten
Autor: J.R.Haynes
Datum:  
To: ROGERS Richard
CC: exim-users@exim.org
Betreff: Re: [exim] (OT?) Authentication against Active Directory
On Wed, 28 Oct 2009 at 16:35 -0000, ROGERS Richard wrote

> I would appreciate any pointers as to the best way to go about this -
> I'm sure someone has gone down this road before me! The system will run
> on a Redhat (or possibly Fedora) box.
>


We use ldapauth for this and it works fine (also running Exim on Redhat).
It is a useful shortcut as you don't have to worry about searching the
correct ldap hierarchy in the AD as it doesn't look anything up, just
tries to bind as the user. However if you need restrictions on which of
your users can send email you probably need to use an alternative. You
will also need some sort of lookup if you want to force the sender address
to match that associated with the username used - we haven't had problems
with this so far.

> I have been looking around for pointers (I'm
> no expert with PAM or SASL) but not found a "recipe".
>


Our config entry is below.

The complexity in our case is to allow for users authenticating with or
without the domain name in their username and also with the mailbox name
on the end - the latter is there because we use Exchange and for Exchange
2003 the IMAP username was "domain/username/alias" (where alias is the
local part of their email address) and we wanted to cope with users who
just checked the 'use same credentials for outgoing as incoming' option
on their client as well as those who supplied just the username. Hence the
complicated substitution inside the condition below.

Now we are using Exchange 2007 the above doesn't apply but the code is
still there.

I would have thought you probably still needed something to cope with the
choice between authenticating as username and domain\username. From my
experiments the requirement for what is passed to AD by LDAP is
username@FQDN but I don't know if this varies according to how the AD is
setup. Interestingly I have just realised that the below does not allow
that form as the provided username! Noone has tried it and complained yet,
presumably because people are told to authenticate to webmail as
DOMAIN\username and by extension use that on mail clients. I seem to
recall that when this was originally written the @ format wasn't an option
but I don't really remember.


While this is production code it has not been hugely stress tested as the
'official' methods of accessing email here are by webmail or Outlook in
Exchange mode so this is merely provided for people who choose to set up
their own clients.


The below config is slightly redacted in that I have changed our real AD
domain name. Email will probably line wrap the substitution expression as
well.


The following appears in the main config section

ldap_default_servers = SERVERX.ADDOMAIN.cranfield.ac.uk::636:\
                        SERVERY.ADDOMAIN.cranfield.ac.uk::636:\
                        etc..


and then the authenticators section looks like

begin authenticators

# Use LDAP against Active Directory
# username needs to be user@???
#
# Expression inside user section of ldapauth is JRH config
# for username with/without additional info
# This is designed to cope with usernames of the form
# DOMAIN/user/mailbox
# DOMAIN/user
# user/mailbox (unlikely to be provided but substitition code works
# anyway)
# user
# All / can also be \ and DOMAIN is case insensitive


# Use TLS encrypted ldap

# Plain authenticator

ldap_plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = ${if ldapauth \
      {user="${quote_ldap:\


${sg{${sg{$2}{\N(?i)DOMAIN(/|\\)(.*)\N}{\N$2\N}}}{\N(.*)(/|\\)(.*)\N}{\N$1\N}}@???}" 
\
      pass="$3" \
      ldaps:///\
      }\
      {yes}{no}\
    }
    server_set_id = $2
    server_prompts = :



The login authenticator is the same with appropriate adjustment to
parameters ($2->$1 and $3->$2) and a change to the server_prompts line.

Jonathan


--
------------------------------------------------------------------------------

                              J. R. Haynes
                         Senior Network Specialist


      IT Department,                  e-mail: J.Haynes@???
      Bld 63,
      Cranfield University,           Tel: Bedford (01234) 754205
      Wharley End,                         Bedford (01234) 750111 Extn 4205
      Cranfield,                      Fax: Bedford (01234) 751814
      Beds.,
      MK43 0AL.