https://bugs.exim.org/show_bug.cgi?id=2948
Bug ID: 2948
Summary: Get rid of LDAP_DEPRECATED in case of OpenLDAP, and
prepare for usage of ldap_bind_sasl for more
mechanisms
Product: Exim
Version: N/A
Hardware: All
OS: All
Status: NEW
Severity: wishlist
Priority: medium
Component: Lookups
Assignee: unallocated@exim.org
Reporter: gergely.risko@gmail.com
CC: exim-dev@exim.org
Created attachment 1434
--> https://bugs.exim.org/attachment.cgi?id=1434&action=edit
proposed patch
I have a local server, where OpenLDAP and Exim4 is hosted in the same Linux
environment, they can connect to each other using domain sockets (ldapi://).
In this case, there is a very nice solution to LDAP security, the so called
EXTERNAL mechanism: the OpenLDAP server simply asks the kernel who is on the
other side of the LDAP connection, and the kernel will reply with the UID of
the exim user. Then in the LDAP access control one can set up this UID and
limit it to access only the part of the LDAP tree that is needed for exim's
operation.
Unfortunately, Exim doesn't support this mechanism, only the simple password
based bind, and this already came up on the mailing list once 10 years ago:
https://exim-users.exim.narkive.com/C580UKQe/exim4-ldap-lookups-and-sasl-gssapi-authentication#post3
I plan to implement this, and the implementation is quite simple, we just have
to pass "EXTERNAL" to ldap_sasl_bind, instead of LDAP_SASL_SIMPLE, when the
user requests to use this feature in the config file. (Maybe we should even
make it the default with ldapi if no username/password is specified.)
But unfortunately, exim is still using the deprecated ldap_bind interface, not
the ldap_sasl_bind interface.
So in this first bug report and patch, I tackle this issue, and I get rid of
LDAP_DEPRECATED and convert the bind call to ldap_sasl_bind.
After this is merged, the second patch will add support for EXTERNAL, and then
we can discuss what should the default be.
Please review the attached patch, and I'm happy to accomodate according to your
feedback.
One question: I didn't manage to run any of the LDAP tests, because the test
9000+9001 requires extra data, but there is no documentation on how to prepare
or download this extra data, can you please explain? And by the way, should we
really continue to support these weird LDAP systems, like OpenLDAP v1
(deprecated on August 2000), Solaris and Netscape (not free software, can't
download)?
--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Bug ID: 2948
Summary: Get rid of LDAP_DEPRECATED in case of OpenLDAP, and
prepare for usage of ldap_bind_sasl for more
mechanisms
Product: Exim
Version: N/A
Hardware: All
OS: All
Status: NEW
Severity: wishlist
Priority: medium
Component: Lookups
Assignee: unallocated@exim.org
Reporter: gergely.risko@gmail.com
CC: exim-dev@exim.org
Created attachment 1434
--> https://bugs.exim.org/attachment.cgi?id=1434&action=edit
proposed patch
I have a local server, where OpenLDAP and Exim4 is hosted in the same Linux
environment, they can connect to each other using domain sockets (ldapi://).
In this case, there is a very nice solution to LDAP security, the so called
EXTERNAL mechanism: the OpenLDAP server simply asks the kernel who is on the
other side of the LDAP connection, and the kernel will reply with the UID of
the exim user. Then in the LDAP access control one can set up this UID and
limit it to access only the part of the LDAP tree that is needed for exim's
operation.
Unfortunately, Exim doesn't support this mechanism, only the simple password
based bind, and this already came up on the mailing list once 10 years ago:
https://exim-users.exim.narkive.com/C580UKQe/exim4-ldap-lookups-and-sasl-gssapi-authentication#post3
I plan to implement this, and the implementation is quite simple, we just have
to pass "EXTERNAL" to ldap_sasl_bind, instead of LDAP_SASL_SIMPLE, when the
user requests to use this feature in the config file. (Maybe we should even
make it the default with ldapi if no username/password is specified.)
But unfortunately, exim is still using the deprecated ldap_bind interface, not
the ldap_sasl_bind interface.
So in this first bug report and patch, I tackle this issue, and I get rid of
LDAP_DEPRECATED and convert the bind call to ldap_sasl_bind.
After this is merged, the second patch will add support for EXTERNAL, and then
we can discuss what should the default be.
Please review the attached patch, and I'm happy to accomodate according to your
feedback.
One question: I didn't manage to run any of the LDAP tests, because the test
9000+9001 requires extra data, but there is no documentation on how to prepare
or download this extra data, can you please explain? And by the way, should we
really continue to support these weird LDAP systems, like OpenLDAP v1
(deprecated on August 2000), Solaris and Netscape (not free software, can't
download)?
--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##