Re: [exim] Exim4 ldap lookups and SASL-GSSAPI authentication

Author: fac
Date:
To: exim-users
Subject: Re: [exim] Exim4 ldap lookups and SASL-GSSAPI authentication
Mmmm yes, smart.

On Wed, Sep 19, 2012 at 07:11:38AM -0700, Todd Lyons wrote:
> On Tue, Sep 18, 2012 at 5:40 PM, Phil Pennock <exim-users@???> wrote:
> >> > Of course, exim4 test works if I delete the ACL. Therefore,
> >> > and given the successful ldapsearch test, I think that exim4
> >> > is not using SASL-GSSAPI. It should because it is linked against
> >> The existence of the linking against the libldap library is to allow
> >> Exim to do LDAP lookups but there is no call to the GSSAPI
> > In addition to that, if you want something that works _now_, then you
> > should be able to set up an LDAP mirror on the mail server itself, with
> > syncrepl with "partial" replication, only able to see the necessary
> > attributes.
> > Then you can use ldapi:// to connect to that local LDAP server over a
> > Unix domain socket, and use peer credentials for authentication. Last I
> > checked, that was sasl-regexp rules, but I think it's changed.

Actually, this fits my current deployment very well (still not on a production
server), where exim4 and slapd are on the same machine. I took a look at the
exim4 manual and, yes, ldapi:// is possible:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch09.html

Anyway, in the future exim4 and slapd will not be on the same machine and,
without SASL-GSSAPI, OK, it seems that an accompanying slapd is necessary.

I know syncrepl (I am using it between my two slapd instances), but the proxy idea
seems even more pertinent.

> Along those same lines, according to the openldap docs, the openldap
> server can be used as a proxy. So you set it up on localhost (or in a
> VM on your smtp vlan, etc) and openldap does the GSSAPI to your
> corporate server, while you do simple binds to your local server.


OK, so ldapi:// to a local instance which is just a light proxy. I don't
have experience with this; I think it is called the LDAP database backend(1),
but maybe more than that is involved, given the facts that:
- a change of identity authorization is performed from one communication
to the other.
- for security reasons, it is convenient to reduce proxy usage to just the
<LDAP node> in question.


Thank you, guys. I wanted to know if the SASL-GSSAPI problem was a misunderstanding
on my side, so I can move on to something else (for now), having things clear at
this point.


Félix


(1) http://www.openldap.org/doc/admin24/backends.html#LDAP
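As an added example (not from this thread, nor from the Exim or OpenLDAP projects), here is a minimal slapd.conf for the local proxy instance the thread describes: the local client is identified by its Unix peer credentials over ldapi:// (authz-regexp, the current name of the old sasl-regexp), the proxy talks to the corporate server with its own GSSAPI identity (the back-ldap idassert-bind feature), only the mapped exim identity may use that asserted identity, and only the attributes mail routing needs are readable. It assumes the client binds with SASL EXTERNAL over the socket, and every DN, host name, schema path, uid and attribute name below is an assumption.

```conf
# slapd.conf for the local proxy slapd (assumed: started with
# "slapd -h ldapi:///" so that it listens only on the Unix socket).
include         /etc/openldap/schema/core.schema     # assumed path
include         /etc/openldap/schema/cosine.schema   # defines "mail"

# Map the Unix peer credentials of a SASL EXTERNAL bind on the socket to a
# local DN.  uid 105 is assumed to be the exim system user; any gid matches.
# (authz-regexp is what the older sasl-regexp directive was renamed to.)
authz-regexp
        "gidNumber=[0-9]+\+uidNumber=105,cn=peercred,cn=external,cn=auth"
        "cn=exim,ou=services,dc=example,dc=com"

# Proxy database: every operation under the suffix is forwarded to the
# corporate server (slapd-ldap(5), the "LDAP backend" of footnote (1)).
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap.corp.example.com/"

# The proxy authenticates upstream with its own Kerberos identity (GSSAPI).
# mode=none sends no proxyAuthz control, so the corporate server sees the
# proxy's principal, never the local client.  Assumed: the slapd process
# holds a valid TGT, kept fresh from a keytab (e.g. with k5start).
idassert-bind   bindmethod=sasl saslmech=GSSAPI mode=none

# Only the mapped exim identity may ride on the asserted identity; any
# other local identity is refused (default "prescriptive" behaviour), which
# is the "reduce proxy usage to just the node in question" point above.
idassert-authzFrom "dn.exact:cn=exim,ou=services,dc=example,dc=com"

# Local ACLs are applied to what the proxy returns: the exim identity may
# read only the entry itself and the mail attribute.  Everything else stays
# hidden locally, even if the proxy's principal can see more upstream.
access to dn.subtree="dc=example,dc=com" attrs=entry,mail
        by dn.exact="cn=exim,ou=services,dc=example,dc=com" read
        by * none
access to *
        by * none
```

A quick check, run as the exim system user, is `ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com '(mail=alice@example.com)' mail`, which should return the mail attribute and nothing else; the same search from any other local uid should be refused rather than proxied.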