I am in the process of configuring a new mail/web server combination. As
part of that process I'm also building in LDAP redundancy by setting up
2-way multi-master replication.
In order to get Exim to use either of the LDAP servers I have set the
option ldap_default_servers to include both servers. This works
perfectly well for {lookup ldap} type string expansions, and will
perform a lookup if either server is online.
However, it isn't working for ldapauth. The log entry appears to show
that no host is being included in the ldapauth URL (the NULL):
2010-02-15 15:16:00 plain_server authenticator failed for
([143.210.44.207]) [143.210.44.207]: 435 Unable to authenticate at
present (set_id=nmw): failed to bind the LDAP connection to server
NULL:636 - ldap_bind() returned -1
and using tcpdump I can see that it's trying to bind to localhost.
This is the LDAP configuration:
LDAPS = ldaps:///
ldap_default_servers = ldap-mail::636:ldap-www::636
and the authenticator:
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if ldapauth \
{user="uid=${quote_ldap_dn:$2},SPPG_ACCOUNT_BASE" \
pass=${quote:$3} \
LDAPS}{yes}{no}}
server_set_id = $2
server_prompts = :
server_advertise_condition = ${if def:tls_cipher }
A typical LDAP lookup which works is:
data = ${lookup ldap { \
user=LDAPU \
pass=LDAPP \
LDAPS/LDAP_BASE?\
mailRoutingAddress?sub?(&(objectClass=rsppgAccount)(uid=${quote_ldap:$local_part}))} \
{$value} fail}
If I revert the LDAP setup to not using ldap_default_servers then it works:
LDAPS = ldaps://ldap-mail
Does anyone know if ldap_default_servers is supposed to work with
ldapauth? If it is, any idea what I am doing wrong in ldapauth?
The setup is Exim 4.69 running on 64-bit OpenSUSE 11.2 (actually it's a
virtual guest running inside a Xen host which is also running 64-bit
OpenSUSE). The LDAP servers are also guests in Xen hosts, ldap-mail is
running in the same host as the mail server, and ldap-www is running in
the same host as the web server. Both the LDAP servers have entries in
/etc/hosts (not in DNS in the test environment). All other LDAP
operations work fine (PAM/LDAP, ssh, imap authentication etc).
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@???
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
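The following is an added illustration, not code from the post or from Exim itself, of what the failover in the question is expected to look like: Exim's ldap_default_servers value is a colon-separated list in which a port follows the host after a double colon, and a URL written with an empty host (ldaps:///) means "try each default server in turn", which is the behaviour the post reports for its {lookup ldap} expansions. The bind_fn callback and the _demo_bind stub are assumptions standing in for the real ldap_bind(); the constructed scenario has ldap-mail unreachable and ldap-www answering. The "NULL:636" in the posted log is what an empty host looks like when no default server has been substituted; whether ldapauth in 4.69 takes the same path as the lookups is the open question of the post, not something this model settles.

```python
"""Model of Exim's ldap_default_servers handling for a host-less LDAP URL.

Added illustration, not Exim's own code. bind_fn is an assumed stand-in for
ldap_bind(): it returns True on a successful bind, False on a rejected one,
and raises ConnectionError when the server cannot be reached.
"""
from urllib.parse import urlsplit


def parse_default_servers(setting):
    """Parse an ldap_default_servers value into [(host, port_or_None), ...].

    The value is a colon-separated list; because a single colon is the list
    separator, a port is written after a DOUBLE colon, so
    "ldap-mail::636:ldap-www::636" -> [("ldap-mail", 636), ("ldap-www", 636)].
    """
    servers = []
    # Protect the '::' host/port separator before splitting on the list ':'.
    for item in setting.replace("::", "\x00").split(":"):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.partition("\x00")
        servers.append((host, int(port) if sep and port else None))
    return servers


def candidate_servers(ldap_url, default_servers, default_port=389):
    """Return the (host, port) list that would be tried for this URL.

    A URL with an explicit host is used as given and the default list is
    ignored.  A URL with an empty host ("ldaps:///") means: try each default
    server in order.  ldaps:// implies port 636 when no port is given.
    """
    parts = urlsplit(ldap_url)
    scheme_port = 636 if parts.scheme == "ldaps" else default_port
    if parts.hostname:
        return [(parts.hostname, parts.port or scheme_port)]
    return [(host, port or scheme_port) for host, port in default_servers]


def bind_with_failover(ldap_url, default_servers, bind_fn):
    """Bind against each candidate in turn; return the server that accepted
    the bind, or None if every candidate was down or rejected the bind."""
    for host, port in candidate_servers(ldap_url, default_servers):
        try:
            if bind_fn(host, port):
                return (host, port)
        except ConnectionError:
            continue  # this replica is down: move on to the next one
    return None


def _demo_bind(host, port):
    """Constructed stand-in for ldap_bind(): ldap-mail is 'down'."""
    if host == "ldap-mail":
        raise ConnectionError(f"{host}:{port} unreachable")
    return host == "ldap-www" and port == 636


if __name__ == "__main__":
    servers = parse_default_servers("ldap-mail::636:ldap-www::636")
    print("default servers:", servers)
    print("candidates for ldaps:///:", candidate_servers("ldaps:///", servers))
    print("bound to:", bind_with_failover("ldaps:///", servers, _demo_bind))
```

With the posted setting, candidate_servers("ldaps:///", ...) yields ldap-mail:636 then ldap-www:636, and the bind succeeds on ldap-www once ldap-mail is unreachable; if a host-less URL instead reached the bind step with no server substituted, there would be nothing to connect to, which is what a "NULL:636" host in the log points at.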