Friday 30 May 2008

Exim SMTP AUTH from LDAP

This turned out to be very simple indeed.

Here's a suitable config for LOGIN and PLAIN type auth. Both are advertised only once TLS is in use (the last line of each), since these mechanisms send the password in the clear:

ldap_login:
  driver = plaintext
  public_name = LOGIN
  # Two prompts; a doubled colon is a literal colon in the prompt text.
  server_prompts = Username:: : Password::
  # $1 = username, $2 = password. quote_ldap_dn escapes DN-special characters
  # in the username; ${quote:...} quotes the password so a double quote or
  # backslash in it cannot break up the ldapauth argument string.
  server_condition = ${if ldapauth {user="uid=${quote_ldap_dn:$1},ou=Users,dc=....." pass=${quote:$2} ldap://localhost/}{yes}{no}}
  server_set_id = $1
  # Advertise only when a TLS cipher is in use.
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}

ldap_plain:
  driver = plaintext
  public_name = PLAIN
  # A single empty prompt: the client sends authzid NUL authcid NUL password.
  server_prompts = :
  # $1 = authorization id (usually empty), $2 = authentication id, $3 = password.
  server_condition = ${if ldapauth {user="uid=${quote_ldap_dn:$2},ou=Users,dc=...." pass=${quote:$3} ldap://localhost/}{yes}{no}}
  server_set_id = $2
  # Advertise only when a TLS cipher is in use.
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}

The bit which wasn't explained very well (or at least wasn't obvious to me) was what ldapauth actually does. The examples I found pulled the user's password out of the directory after binding with a suitable service DN. This simpler solution instead attempts to bind to the LDAP directory using the credentials given in "user" and "pass"; since the directory holds the same authentication data used by other systems (such as PAM or the Unix NSS), Exim authenticates against exactly the same thing.

This method won't work with the cram_md5 authentication driver, because CRAM-MD5 requires the plaintext password to be fetched from somewhere and handed to Exim for the comparison; a bind-only check never sees the stored password.
