[exim-dev] [Bug 2948] New: Get rid of LDAP_DEPRECATED in cas…

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2948] New: Get rid of LDAP_DEPRECATED in case of OpenLDAP, and prepare for usage of ldap_bind_sasl for more mechanisms
https://bugs.exim.org/show_bug.cgi?id=2948

            Bug ID: 2948
           Summary: Get rid of LDAP_DEPRECATED in case of OpenLDAP, and
                    prepare for usage of ldap_bind_sasl for more
                    mechanisms
           Product: Exim
           Version: N/A
          Hardware: All
                OS: All
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: Lookups
          Assignee: unallocated@???
          Reporter: gergely.risko@???
                CC: exim-dev@???


Created attachment 1434
--> https://bugs.exim.org/attachment.cgi?id=1434&action=edit
proposed patch

I have a local server, where OpenLDAP and Exim4 is hosted in the same Linux
environment, they can connect to each other using domain sockets (ldapi://).

In this case, there is a very nice solution to LDAP security, the so called
EXTERNAL mechanism: the OpenLDAP server simply asks the kernel who is on the
other side of the LDAP connection, and the kernel will reply with the UID of
the exim user. Then in the LDAP access control one can set up this UID and
limit it to access only the part of the LDAP tree that is needed for exim's
operation.

Unfortunately, Exim doesn't support this mechanism, only the simple password
based bind, and this already came up on the mailing list once 10 years ago:
https://exim-users.exim.narkive.com/C580UKQe/exim4-ldap-lookups-and-sasl-gssapi-authentication#post3

I plan to implement this, and the implementation is quite simple, we just have
to pass "EXTERNAL" to ldap_sasl_bind, instead of LDAP_SASL_SIMPLE, when the
user requests to use this feature in the config file. (Maybe we should even
make it the default with ldapi if no username/password is specified.)

But unfortunately, exim is still using the deprecated ldap_bind interface, not
the ldap_sasl_bind interface.

So in this first bug report and patch, I tackle this issue, and I get rid of
LDAP_DEPRECATED and convert the bind call to ldap_sasl_bind.

After this is merged, the second patch will add support for EXTERNAL, and then
we can discuss what should the default be.

Please review the attached patch, and I'm happy to accomodate according to your
feedback.

One question: I didn't manage to run any of the LDAP tests, because the test
9000+9001 requires extra data, but there is no documentation on how to prepare
or download this extra data, can you please explain? And by the way, should we
really continue to support these weird LDAP systems, like OpenLDAP v1
(deprecated on August 2000), Solaris and Netscape (not free software, can't
download)?

--
You are receiving this mail because:
You are on the CC list for the bug.