[exim] ldap_default_servers and ldapauth

Author: Nigel Wade
Date:  
To: exim users
Subject: [exim] ldap_default_servers and ldapauth
I am in the process of configuring a new mail/web server combination. As
part of that process I'm also building in LDAP redundancy by setting up
2-way multi-master replication.

In order to get Exim to use either of the LDAP servers I have set the
option ldap_default_servers to include both servers. This works
perfectly well for {lookup ldap} type string expansions, and will
perform a lookup if either server is online.

However, it isn't working for ldapauth. The log entry appears to show
that no host is being included in the ldapauth URL (the NULL):

2010-02-15 15:16:00 plain_server authenticator failed for
([143.210.44.207]) [143.210.44.207]: 435 Unable to authenticate at
present (set_id=nmw): failed to bind the LDAP connection to server
NULL:636 - ldap_bind() returned -1

and using tcpdump I can see that it's trying to bind to localhost.


This is the LDAP configuration:

LDAPS = ldaps:///
ldap_default_servers = ldap-mail::636:ldap-www::636

and the authenticator:

plain_server:
    driver = plaintext
    public_name = PLAIN
    server_condition = ${if ldapauth \
        {user="uid=${quote_ldap_dn:$2},SPPG_ACCOUNT_BASE" \
        pass=${quote:$3} \
        LDAPS}{yes}{no}}
    server_set_id = $2
    server_prompts = :
    server_advertise_condition = ${if def:tls_cipher }

A typical LDAP lookup which works is:

  data = ${lookup ldap { \
                user=LDAPU \
                pass=LDAPP \
                LDAPS/LDAP_BASE?mailRoutingAddress?sub?(&(objectClass=rsppgAccount)(uid=${quote_ldap:$local_part}))} \
                {$value} fail}

If I revert the LDAP setup to not using ldap_default_servers then it works:

LDAPS = ldaps://ldap-mail


Does anyone know if ldap_default_servers is supposed to work with
ldapauth? If it is, any idea what I am doing wrong in ldapauth?

The setup is Exim 4.69 running on 64bit OpenSUSE 11.2 (actually it's a
virtual guest running inside a Xen host which is also running 64bit
OpenSUSE). The LDAP servers are also guests in Xen hosts, ldap-mail is
running in the same host as the mail server, and ldap-www is running in
the same host as the web server. Both the LDAP servers have entries in
/etc/hosts (not in DNS in the test environment). All other LDAP
operations work fine (PAM/LDAP, ssh, imap authentication etc).

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
            University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
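As an added example (not code from the post or from Exim itself), the script below parses the ldap_default_servers value from the message using Exim's generic list rules (a single colon separates items, a doubled colon is a literal colon inside an item, so "ldap-mail::636" is host ldap-mail, port 636), decides whether a query URL such as "ldaps:///" carries a host of its own, and walks the resulting server list in order until a bind succeeds. It models the fallback behaviour the post describes for {lookup ldap}; the bind step is an injected callable so the failover logic runs offline, and the names fake_bind, candidate_servers and bind_with_failover are assumptions of this example, not Exim functions.

```python
"""Added example: resolve the servers Exim should try for an LDAP URL
without a host, using the ldap_default_servers syntax from the post.

Assumptions (not verified against Exim source): Exim list rules apply,
so ':' separates items and '::' is a literal ':' inside an item.
"""
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Default ports when an item or URL gives none.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def split_exim_list(value: str, sep: str = ":") -> List[str]:
    """Split an Exim colon-separated list; a doubled separator is literal."""
    items: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == sep:
            if i + 1 < len(value) and value[i + 1] == sep:
                cur.append(sep)      # "::" -> a literal ":" in the item
                i += 2
                continue
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    items.append("".join(cur).strip())
    return [it for it in items if it]


def parse_default_servers(value: str, scheme: str = "ldaps") -> List[Tuple[str, int]]:
    """'ldap-mail::636:ldap-www::636' -> [('ldap-mail', 636), ('ldap-www', 636)]."""
    servers = []
    for item in split_exim_list(value):
        host, _, port = item.partition(":")
        servers.append((host, int(port) if port else DEFAULT_PORTS[scheme]))
    return servers


def url_host(url: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (scheme, host or None, port or None) for an LDAP URL."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port


def candidate_servers(url: str, default_servers: str) -> List[Tuple[str, int]]:
    """Servers to try: the URL's own host if it has one, else the defaults."""
    scheme, host, port = url_host(url)
    if host:
        return [(host, port or DEFAULT_PORTS[scheme])]
    # No host in the URL ("ldaps:///"): fall back to ldap_default_servers.
    return parse_default_servers(default_servers, scheme)


BindFn = Callable[[str, int], bool]


def bind_with_failover(url: str, default_servers: str, bind: BindFn) -> Optional[Tuple[str, int]]:
    """Try each candidate in turn; return the first server that accepted the bind."""
    for host, port in candidate_servers(url, default_servers):
        if bind(host, port):
            return (host, port)
    return None


def fake_bind(host: str, port: int) -> bool:
    """Constructed stand-in for an LDAP bind: only ldap-www is 'up' here."""
    return host == "ldap-www" and port == 636


if __name__ == "__main__":
    servers = "ldap-mail::636:ldap-www::636"
    print(candidate_servers("ldaps:///", servers))
    print(bind_with_failover("ldaps:///", servers, fake_bind))
```

To check a live setup, replace fake_bind with a function that performs a real simple bind against host and port and returns True on success; the ordering and fallback logic stay the same.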