Re: [exim] Exim4 ldap lookups and SASL-GSSAPI authentication

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [exim] Exim4 ldap lookups and SASL-GSSAPI authentication
On 2012-09-18 at 10:32 +0100, Graeme Fowler wrote:
> On Tue, 2012-09-18 at 01:00 +0200, felix wrote:
> <snip>
> > Of course, exim4 test works if I delete the ACL. Therefore,
> > and given the successful ldapsearch test, I think that exim4
> > is not using SASL-GSSAPI. It should because it is linked against
> > libldap, which is configured in /etc/ldap/ldap.conf, which
> > make SASL-GSSAPI the default authentication mechanism thanks to
> > a line containing: "SASL_MECH GSSAPI" statement.
>
> The existence of the linking against the libldap library is to allow
> Exim to do LDAP lookups but there is no call to the GSSAPI
> authentication mechanism. Exim can only authenticate to an LDAP server
> using a normal bind (DN and password).
>
> Patches to enable GSSAPI, of course, are welcome :)
In addition to that, if you want something that works _now_, then you
should be able to set up an LDAP mirror on the mail server itself, with
syncrepl with "partial" replication, only able to see the necessary
attributes.

Then you can use ldapi:// to connect to that local LDAP server over a
Unix domain socket, and use peer credentials for authentication. Last I
checked, that was sasl-regexp rules, but I think it's changed.

I _think_ I've used this with Exim, but I'm not more than 70% sure, so
it might be that some more work is needed to pass EXTERNAL SASL instead
of letting it be inferred.

-Phil
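The set-up sketched above (a read-only partial syncrepl mirror on the mail host, reached by Exim over ldapi:// with peer credentials) as an added configuration example; it is not from Phil's message or from the Exim or OpenLDAP projects. All names are assumptions: the provider `ldap.example.com`, the base `dc=example,dc=com`, the socket `/var/run/slapd/ldapi`, the uidNumber `102` for the user Exim runs as, and the service DN `cn=exim,ou=services,dc=example,dc=com`. The ACL also shows the `peername.path` clause, which grants access based on the ldapi socket alone and so does not depend on Exim issuing a SASL EXTERNAL bind (the point Phil is unsure about); keep only one of the two `by` lines once you know which one your Exim actually exercises.

```conf
#### slapd.conf on the mail server (assumed paths and DNs) ####

# Consumer side of syncrepl: pull only the attributes Exim needs, so a
# compromise of the mail host exposes nothing else from the directory.
# The consumer itself binds to the provider with GSSAPI using a keytab
# made available via KRB5_KTNAME (k5start or a cron kinit keeps it fresh).
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

syncrepl rid=001
        provider=ldap://ldap.example.com
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="ou=people,dc=example,dc=com"
        scope=sub
        filter="(objectClass=inetOrgPerson)"
        attrs="uid,mail"
        schemachecking=off
        bindmethod=sasl
        saslmech=GSSAPI
        realm=EXAMPLE.COM

# Map the Unix peer credentials presented over ldapi:// to a DN.
# slapd renders them as gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth;
# only the uidNumber of the assumed exim user (102) is matched here.
authz-regexp
        "gidNumber=[0-9]+\+uidNumber=102,cn=peercred,cn=external,cn=auth"
        "cn=exim,ou=services,dc=example,dc=com"

# Read access limited to the replicated attributes.  The first "by" clause
# applies when the client performs a SASL EXTERNAL bind; the second applies
# to any client on the local socket, even after an anonymous simple bind.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,uid,mail
        by dn.exact="cn=exim,ou=services,dc=example,dc=com" read
        by peername.path="/var/run/slapd/ldapi" read
        by * none

access to *
        by * none

#### Exim configuration fragment (assumed socket path and base DN) ####

# The socket path inside an ldapi URL must be percent-encoded (/ -> %2F).
# quote_ldap prevents filter injection from the local part.
local_mail_lookup:
        driver = redirect
        domains = +local_domains
        data = ${lookup ldap{ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/ou=people,dc=example,dc=com?mail?sub?(uid=${quote_ldap:$local_part})}}
```

To see which access path slapd actually uses, run `ldapwhoami -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL` as the Exim user (it should report the mapped `dn:cn=exim,...` identity) and then test the router with `exim -bt user@example.com`, watching the slapd log for the bind it receives; an anonymous bind there means the `peername.path` clause is what is granting access.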