Discussion:
Exim4 ldap lookups and SASL-GSSAPI authentication
felix
2012-09-17 23:00:35 UTC
Hi,

Is SASL-GSSAPI auth possible for Exim4 ldap lookups?



Thanks in advance.


------------------

P.S. Some background and details:

I recently set up Exim4 to get some variables from an LDAP server.
It works but, since the content of those variables is sensitive,
I have created an LDAP ACL such that only <right_ldap_identity> can
read the <LDAP node> and so the variables in question.

That <right_ldap_identity> is the result of making a successful SASL-GSSAPI
authentication against ldap server by using a certain Kerberos principal,
<right_principal>.

So, during authentication, <right_principal> is mapped to
<right_ldap_identity> which is, finally, allowed to read <LDAP node>
according to our shiny new ACL.


- But manual exim4 ldap lookup tests do not work:

KRB5CCNAME=/tmp/<tickets_for_right_principal> \
su vmail -m \
-c "/usr/sbin/exim4 -be '\${lookup ldapm{ <ldap_query> }}'"

... so the ticket cache for <right_principal> (line 1)
can be read by processes under the vmail unix user (line 2),
so this way exim4 makes <ldap_query> (line 3).

But it does not work.


- Tests using the "ldapsearch" tool instead of exim4 are successful:

KRB5CCNAME=/tmp/<tickets_for_right_principal> \
su vmail -m \
-c " ldapsearch -b '<ldap_query>' " <-------

It works.


Of course, the exim4 test works if I delete the ACL. Therefore,
and given the successful ldapsearch test, I think that exim4
is not using SASL-GSSAPI. It should, because it is linked against
libldap, which is configured in /etc/ldap/ldap.conf, which
makes SASL-GSSAPI the default authentication mechanism thanks to
a line containing the "SASL_MECH GSSAPI" statement.



-------------------------
Exim4 4.72
OpenLDAP's slapd 2.4.23
MIT Kerberos 1.8.3
Debian 6
-------------------------
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Graeme Fowler
2012-09-18 09:32:04 UTC
Post by felix
is it SASL-GSSAPI auth possible for Exim4 ldap lookups?
No.

<snip>
Post by felix
Of course, the exim4 test works if I delete the ACL. Therefore,
and given the successful ldapsearch test, I think that exim4
is not using SASL-GSSAPI. It should, because it is linked against
libldap, which is configured in /etc/ldap/ldap.conf, which
makes SASL-GSSAPI the default authentication mechanism thanks to
a line containing the "SASL_MECH GSSAPI" statement.
The existence of the linking against the libldap library is to allow
Exim to do LDAP lookups but there is no call to the GSSAPI
authentication mechanism. Exim can only authenticate to an LDAP server
using a normal bind (DN and password).

Patches to enable GSSAPI, of course, are welcome :)

Graeme
Phil Pennock
2012-09-19 00:40:16 UTC
Post by Graeme Fowler
<snip>
Post by felix
Of course, the exim4 test works if I delete the ACL. Therefore,
and given the successful ldapsearch test, I think that exim4
is not using SASL-GSSAPI. It should, because it is linked against
libldap, which is configured in /etc/ldap/ldap.conf, which
makes SASL-GSSAPI the default authentication mechanism thanks to
a line containing the "SASL_MECH GSSAPI" statement.
The existence of the linking against the libldap library is to allow
Exim to do LDAP lookups but there is no call to the GSSAPI
authentication mechanism. Exim can only authenticate to an LDAP server
using a normal bind (DN and password).
Patches to enable GSSAPI, of course, are welcome :)
In addition to that, if you want something that works _now_, then you
should be able to set up an LDAP mirror on the mail server itself, with
syncrepl with "partial" replication, only able to see the necessary
attributes.

Then you can use ldapi:// to connect to that local LDAP server over a
Unix domain socket, and use peer credentials for authentication. Last I
checked, that was sasl-regexp rules, but I think it's changed.

I _think_ I've used this with Exim, but I'm not more than 70% sure, so
it might be that some more work is needed to pass EXTERNAL SASL instead
of letting it be inferred.

-Phil
Todd Lyons
2012-09-19 14:11:38 UTC
Post by Phil Pennock
Post by Graeme Fowler
Post by felix
Of course, exim4 test works if I delete the ACL. Therefore,
and given the successful ldapsearch test, I think that exim4
is not using SASL-GSSAPI. It should because it is linked against
The existence of the linking against the libldap library is to allow
Exim to do LDAP lookups but there is no call to the GSSAPI
In addition to that, if you want something that works _now_, then you
should be able to set up an LDAP mirror on the mail server itself, with
syncrepl with "partial" replication, only able to see the necessary
attributes.
Then you can use ldapi:// to connect to that local LDAP server over a
Unix domain socket, and use peer credentials for authentication. Last I
checked, that was sasl-regexp rules, but I think it's changed.
Along those same lines, according to the openldap docs, the openldap
server can be used as a proxy. So you set it up on localhost (or in a
VM on your smtp vlan, etc) and openldap does the GSSAPI to your
corporate server, while you do simple binds to your local server.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
fac
2012-09-19 23:12:39 UTC
Mmmm yes, smart.
Post by Todd Lyons
Post by Phil Pennock
Post by Graeme Fowler
Post by felix
Of course, exim4 test works if I delete the ACL. Therefore,
and given the successful ldapsearch test, I think that exim4
is not using SASL-GSSAPI. It should because it is linked against
The existence of the linking against the libldap library is to allow
Exim to do LDAP lookups but there is no call to the GSSAPI
In addition to that, if you want something that works _now_, then you
should be able to set up an LDAP mirror on the mail server itself, with
syncrepl with "partial" replication, only able to see the necessary
attributes.
Then you can use ldapi:// to connect to that local LDAP server over a
Unix domain socket, and use peer credentials for authentication. Last I
checked, that was sasl-regexp rules, but I think it's changed.
Actually this fits my current deployment very well (still not in a production
server), where exim4 and slapd are on the same machine. I took a look at the
exim4 manual and, yes, ldapi:// is possible:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch09.html

Anyway, in the future exim4 and slapd will not be on the same machine and,
without SASL-GSSAPI, ok, it seems that an accompanying slapd is necessary.

I know syncrepl (I am using it between my two slapd instances) but the proxy
idea seems even more pertinent.
Post by Todd Lyons
Along those same lines, according to the openldap docs, the openldap
server can be used as a proxy. So you set it up on localhost (or in a
VM on your smtp vlan, etc) and openldap does the GSSAPI to your
corporate server, while you do simple binds to your local server.
Ok, so ldapi:// to a local instance which is just a light proxy. I don't
have experience with this; I think it is called the LDAP database backend (1),
but maybe more than that is involved, given that:
- a change of identity authorization is performed from one communication
to the other.
- for security reasons, it is convenient to reduce proxy usage to just the
<LDAP node> in question.


Thank you guys. I wanted to know if the SASL-GSSAPI problem was a misunderstanding
on my side, so I can move on to another thing (for now) having things clear at
this point.


Félix


(1) http://www.openldap.org/doc/admin24/backends.html#LDAP
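To make Todd's proxy suggestion and Phil's ldapi:// point concrete, here is a slapd.conf for a proxy-only slapd on the mail server, written as an added example for this thread (it is not from any poster, nor from the OpenLDAP or Exim projects). Every DN, path, hostname, principal and the k5start ticket renewer are assumptions; Exim does a simple bind over the Unix socket, and the proxy alone speaks GSSAPI to the corporate directory, so the ACL on <LDAP node> keeps working as felix intends.

```conf
# /etc/ldap/slapd.conf for a proxy-only slapd on the mail server.
# Added example for this thread, not from any poster or project.
# Every DN, path, hostname and principal below is an assumption.
include         /etc/ldap/schema/core.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# back-ldap is the proxy backend (the "LDAP database backend" fac refers to).
modulepath      /usr/lib/ldap
moduleload      back_ldap

# Run this instance with only a Unix-socket listener (on Debian:
# SLAPD_SERVICES="ldapi:///" in /etc/default/slapd) so nothing off-host
# can reach it.  slapd's environment must carry KRB5CCNAME pointing at a
# ticket cache for <right_principal>, kept fresh from a keytab by a
# renewer such as k5start (assumed); that cache is the GSSAPI identity.

database        ldap
# Only felix's <LDAP node> subtree is proxied.  Requests for any other
# base are answered locally and never forwarded upstream.
suffix          "ou=mail,dc=example,dc=com"
uri             "ldap://ldap.corp.example.com/"
readonly        on

# Exim binds locally as this rootdn.  slapd's frontend answers
# rootdn/rootpw binds itself, so this credential never travels upstream
# and has no meaning on the corporate directory.  Hash from slappasswd.
rootdn          "cn=exim-proxy,ou=mail,dc=example,dc=com"
rootpw          "{SSHA}<hash generated with slappasswd>"

# Upstream, the proxy authenticates with SASL/GSSAPI from its own ticket
# cache.  mode=none means no proxyAuthz control is sent, so every
# forwarded operation runs as the proxy's own identity, <right_principal>,
# whatever local identity Exim used: the identity switch fac describes.
idassert-bind   bindmethod=sasl saslmech=GSSAPI mode=none
```

The matching Exim lookup then uses the socket and the proxy's rootdn, e.g. ${lookup ldapm{user="cn=exim-proxy,ou=mail,dc=example,dc=com" pass=<rootpw> ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/ou=mail,dc=example,dc=com?<attr>?sub?(<filter>)}} (Exim URL-encodes the socket path with %2F, as its spec shows). Debian 6 ships slapd with cn=config by default, so either convert this with slaptest or point slapd at slapd.conf explicitly.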