felix
2012-09-17 23:00:35 UTC
Hi,
Is SASL-GSSAPI auth possible for Exim4 ldap lookups?
Thanks in advance.
------------------
P.D. Some background and details:
I recently set up Exim4 to get some variables from an LDAP server.
It works but, since the content of those variables is sensitive,
I have created an LDAP ACL such that only <right_ldap_identity> can
read the <LDAP node> and so the variables in question.
That <right_ldap_identity> is the result of making a successful SASL-GSSAPI
authentication against ldap server by using a certain Kerberos principal,
<right_principal>.
So, during authentication, <right_principal> is mapped to
<right_ldap_identity> which is, finally, allowed to read <LDAP node>
according to our shiny new ACL.
- But manual exim4 ldap lookup tests do not work:
KRB5CCNAME=/tmp/<tickets_for_right_principal> \
su vmail -m \
-c "/usr/sbin/exim4 -be '\${lookup ldapm{ <ldap_query> }}'"
... so the ticket cache for <right_principal> (line 1)
can be read by processes under the vmail unix user (line 2),
so this way exim4 makes <ldap_query> (line 3).
But it does not work.
- Tests using the "ldapsearch" tool instead of exim4 are successful:
KRB5CCNAME=/tmp/<tickets_for_right_principal> \
su vmail -m \
-c " ldapsearch -b '<ldap_query>' " <-------
It works.
Of course, the exim4 test works if I delete the ACL. Therefore,
and given the successful ldapsearch test, I think that exim4
is not using SASL-GSSAPI. It should, because it is linked against
libldap, which is configured in /etc/ldap/ldap.conf, which
makes SASL-GSSAPI the default authentication mechanism thanks to
a line containing the "SASL_MECH GSSAPI" statement.
-------------------------
Exim4 4.72
OpenLDAP's slapd 2.4.23
MIT Kerberos 1.8.3
Debian 6
-------------------------
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
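The post above relies on two preconditions (libldap picking GSSAPI from ldap.conf, and the service user being able to read the ticket cache) and on the SASL bind mapping to the identity the ACL names. The diagnostic below, an added example that is not part of the original post or of Exim, checks those preconditions as the user it is run under and, when given an LDAP URI, asks the server which identity a GSSAPI bind actually produces so it can be compared with the ACL subject. It assumes the usual "KEY value" ldap.conf syntax with '#' comments and a file-based ticket cache ("FILE:/path" or a bare path); the function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post or the Exim project).
# Assumptions: ldap.conf uses "KEY value" lines with '#' comments, and
# KRB5CCNAME names a file-based ticket cache ("FILE:/path" or "/path").

# Print the SASL_MECH value configured in an ldap.conf-style file
# (keys are case-insensitive; prints an empty line if unset).
ldap_conf_sasl_mech() {
    sed -e 's/#.*$//' "$1" \
      | awk 'toupper($1) == "SASL_MECH" { mech = $2 } END { print mech }'
}

# Succeed if the ticket cache named in $1 (KRB5CCNAME form) is a regular
# file readable by the current user, fail otherwise.
ccache_is_readable() {
    path="${1#FILE:}"
    [ -f "$path" ] && [ -r "$path" ]
}

# Report both preconditions; if an LDAP URI is given as $3, also show the
# identity a GSSAPI bind yields (ldapwhoami prints it as "dn:..." or "u:...").
# Usage, as the service user, as in the post:
#   su vmail -m -c '. ./diag.sh; diagnose /etc/ldap/ldap.conf "$KRB5CCNAME" ldap://ldap.example.org'
diagnose() {
    conf="$1"
    cc="${2:-$KRB5CCNAME}"
    uri="$3"
    mech=$(ldap_conf_sasl_mech "$conf")
    if [ "$(printf '%s' "$mech" | tr 'a-z' 'A-Z')" = "GSSAPI" ]; then
        echo "ok: $conf selects SASL mechanism $mech"
    else
        echo "warn: $conf sets SASL_MECH to '${mech:-<unset>}', not GSSAPI"
    fi
    if [ -n "$cc" ] && ccache_is_readable "$cc"; then
        echo "ok: ticket cache $cc is readable by $(id -un)"
    else
        echo "warn: ticket cache '${cc:-<unset>}' is not readable by $(id -un)"
    fi
    # Compare the bound identity with the subject named in the LDAP ACL.
    if [ -n "$uri" ] && command -v ldapwhoami >/dev/null 2>&1; then
        echo "identity from a GSSAPI bind to $uri:"
        ldapwhoami -Y GSSAPI -H "$uri" 2>&1
    fi
}
```

Running it under the same `su vmail -m` wrapper the post uses separates the three possible failures: a mechanism other than GSSAPI being selected, a cache the service user cannot read, and a bind that succeeds but maps to an identity the ACL does not grant.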