My activities New request

contact atmail support

PH: +61 (7) 5357-6605

support@atmail.com

Follow

LDAP Lookups with SMTP Authentication

Nathan Salt -

PROBLEM

My LDAP setup disallows the use of bind authentication for users and I want to enable authentication of this sort via Exim.

ENVIRONMENT

  • On-Premise Server + WebMail Installations: Version 6.0 > Current Version

CAUSE

Change in Configuration

RESOLUTION

For the following setup, we will use the following parameters:

  • The LDAP server is  ldap.local
  • The administrator DN is 'uid=admin,ou=Admin,o=domain.com'
  • The password is 'password'
  • The base DN for users is 'ou=People,o=domain.com'
  • The attribute for password is 'userpass'
  • The objectClass is 'inetOrgPerson'
  1. Open up to configure file:
    /usr/local/atmail/mailserver/configure
  2. Find the following line:
     # AUTH LOGIN authentication method with MySQL support used by Outlook Express.
    #auth_login:
    #driver = plaintext
    #public_name = LOGIN
    #server_condition = ${if eq{$1}{${lookup mysql{SELECT Account FROM UserSession WHERE Account='$1' and Password='$2'}{$value}fail}}{1}{0}}
    #server_prompts = "Username:: : Password::"
    #server_set_id = $1
  3. Replace with:

     auth_login:
    driver = plaintext
    public_name = LOGIN<
    server_condition = ${if eq{$2}{${lookup ldap{user="uid=admin,ou=Admin,o=domain.com" pass=193af9q ldap://ldap.local/ou=People,o=domain.com?userpass?sub?(&(uid=$1)(objectclass=inetOrgPerson))}{$value}fail}}{1}{0}}
    server_prompts = "Username:: :Password::"
    server_set_id = $1
  4. Note the LDAP URL. it takes the following format:

     ldap://[host name]/[base DN]?[attribute name]?[scope]?[filter

    For our example, we use:

    ldap://ldap.local:389/ou=People,o=domain.com?userpass?sub?(&(uid=$1)(objectclass=account))

    Where:

    ldap.local:389 is the hostname and port of the LDAP server

    ou=People,o=domain.com is our Base DN. This is the distinguished name that forms the base of the LDAP search. If entries have the LDAP format of 'uid=username,ou=People,o=domain.com', the Base DN to use is 'ou=People,o=domain.com'.

    userpass is the attribute we are looking for, for comparison

    sub is the scope of the search. sub retrieves information about entries at all levels below the distinguished name (base dn) specified in the URL. base retrieves information about the distinguished name (base dn) specified in the URL only.

    (&(uid=$1)(objectclass=inetOrgPerson)) is the filter. Normally, a basic filter contains only one set - for example, (objectclass=inetOrgPerson), which specifies that it should only show entries of the object class 'inetOrgPerson'. Since we are looking for a specific object class AND uid, we need to specify both.

    In this case, the filter is specified as:

    (&(uid=$1)(objectclass=inetOrgPerson))

    Which, roughly means:

    ((uid=$1) AND (objectclass=inetOrgPerson))

    The operator "&", standing for "AND", being appended at the front of the filter. This requires that both filter conditions are met.

  5. Restart Atmail
    service atmailserver restart
Have more questions? Submit a request

Comments