Mailing List Archive: exim: users

(OT?) Authentication against Active Directory

Richard.Rogers at staffs

Oct 28, 2009, 9:35 AM

Post #1 of 3 (120 views)
(OT?) Authentication against Active Directory

Hi -

I want to set up a submission service, and rather than have a separate
username/password store, it would seem neater to have Exim authenticate
against Active Directory. I have been looking around for pointers (I'm
no expert with PAM or SASL) but not found a "recipe".

I would appreciate any pointers as to the best way to go about this -
I'm sure someone has gone down this road before me! The system will run
on a Redhat (or possibly Fedora) box.

Thanks in advance

Richard

--
Richard Rogers
IT Development and Innovation Manager
Information Services, Staffordshire University
Tel. ext. 3785 or 4318


The information in this email is confidential and is intended solely for the addressee. Access to this email by anyone else is unauthorised.



If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, except for the purpose of delivery to the addressee, is prohibited and may be unlawful. Kindly notify the sender and delete the message and any attachment from your computer.
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at spodhuis

Oct 28, 2009, 5:17 PM

Post #2 of 3 (107 views)
Re: (OT?) Authentication against Active Directory [In reply to]

On 2009-10-28 at 16:35 -0000, ROGERS Richard wrote:
> I want to set up a submission service, and rather than have a separate
> username/password store, it would seem neater to have Exim authenticate
> against Active Directory. I have been looking around for pointers (I'm
> no expert with PAM or SASL) but not found a "recipe".
>
> I would appreciate any pointers as to the best way to go about this -
> I'm sure someone has gone down this road before me! The system will run
> on a Redhat (or possibly Fedora) box.

Various options need to have been compiled into Exim to make some of the
below work; LDAP, or Cyrus SASL support, or something else.

Note that to a large extent, Active Directory is just LDAP + Kerberos.
Not entirely just those, but solutions which rely on just LDAP or
Kerberos should work.

Do the clients support GSSAPI so that they can use Kerberos tickets to
authenticate? That would give total AD integration. I don't use AD
myself, but you would want something similar to what I use:

----------------------------8< cut here >8------------------------------
auth_gssapi:
driver = cyrus_sasl
server_hostname = smtp.example.com
server_realm = EXAMPLE.COM
server_mech = gssapi
public_name = GSSAPI
server_set_id = $auth1
server_advertise_condition = ${if \
forany{463:587}{=={$received_port}{$item}}\
{yes}{no}}
----------------------------8< cut here >8------------------------------

To use this, you'd need to get a server principal created and a copy of
the server key into a file on the Exim host; this requires AD knowledge
that I don't have. (I used ktutil, from Heimdal, in my non-AD setup);
then I arrange to make sure that the Exim daemon is started with:

KRB5_KTNAME=/etc/foo/bar/exim.keytab
export KRB5_KTNAME

(In my case, FreeBSD, I just put those into /etc/rc.conf.d/exim).

If not GSSAPI, then you're restricted to those mechanisms which accept a
password from the user (so CRAM-MD5 is out). You can use the "ldapauth"
expansion string condition. There's a canned example of this in:
34.4 The LOGIN authentication mechanism
which covers a LOGIN set-up; you can use the same, with some minor
modifications, for PLAIN (note that the position of the parameters
varies between PLAIN/LOGIN, so there's some fix-up needed). You might
also want to look at the documentation for ldapauth, in:
11.7 Expansion conditions

Looking at the example in 34.4, I'd also add:
server_advertise_condition = ${if def:tls_cipher}
which is a recommended option in the default Exim configs, in the
commented-out examples of PLAIN and LOGIN authenticators.

Regards,
-Phil

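Phil's two points above, that the password sits in a different numbered variable for PLAIN ($auth3) and LOGIN ($auth2), and that password mechanisms should only be advertised once the session is encrypted, worked through as an added example. This is not code from the thread or from Exim; it decodes the wire-level SASL exchange the way Exim's plaintext driver exposes it and then does the "fix-up" between mechanisms. The username and password (jbloggs / s3cret) are constructed sample values, and only the standard library is used.

```python
import base64

# Constructed sample credentials used throughout (not from the thread).
SAMPLE_USER = "jbloggs"
SAMPLE_PASSWORD = "s3cret"


def encode_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Client side: the base64 initial response sent with AUTH PLAIN (RFC 4616):
    authorization-id NUL authentication-id NUL password."""
    message = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def plain_auth_vars(initial_response_b64: str) -> dict:
    """Server side: split the PLAIN message the way Exim's plaintext driver does,
    giving $auth1 = authorization id, $auth2 = authentication id, $auth3 = password."""
    raw = base64.b64decode(initial_response_b64, validate=True)
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError("AUTH PLAIN message must contain exactly three NUL-separated fields")
    authzid, authcid, passwd = (f.decode("utf-8") for f in fields)
    return {"auth1": authzid, "auth2": authcid, "auth3": passwd}


def login_auth_vars(username_b64: str, password_b64: str) -> dict:
    """Server side for LOGIN: two separately prompted responses, so the username
    lands in $auth1 and the password in $auth2, one position earlier than PLAIN."""
    username = base64.b64decode(username_b64, validate=True).decode("utf-8")
    password = base64.b64decode(password_b64, validate=True).decode("utf-8")
    return {"auth1": username, "auth2": password}


def ldapauth_credentials(mechanism: str, auth: dict) -> tuple:
    """Pick the (user, pass) pair that server_condition should hand to ldapauth.
    This is the parameter fix-up between the two mechanisms the reply refers to."""
    if mechanism == "PLAIN":
        authzid, user, password = auth["auth1"], auth["auth2"], auth["auth3"]
    elif mechanism == "LOGIN":
        authzid, user, password = "", auth["auth1"], auth["auth2"]
    else:
        raise ValueError("only PLAIN and LOGIN carry a password to check")
    # RFC 4616: an authorization id, if supplied, must equal the authenticating
    # user; a bind as one account must not be allowed to act as another.
    if authzid and authzid != user:
        raise ValueError("authorization id does not match authenticating user")
    if not user or not password:
        raise ValueError("empty username or password")
    return user, password


def offer_password_auth(tls_cipher: str) -> bool:
    """Equivalent of server_advertise_condition = ${if def:tls_cipher}: PLAIN and
    LOGIN are only offered once $tls_cipher is set, i.e. after STARTTLS or on a
    TLS-on-connect port."""
    return bool(tls_cipher)


def handle_auth(mechanism: str, tls_cipher: str, *responses: str) -> tuple:
    """End-to-end server decision: refuse cleartext sessions, decode the
    mechanism-specific responses, and return what ldapauth would bind with."""
    if not offer_password_auth(tls_cipher):
        raise PermissionError("AUTH was not advertised on a cleartext session")
    if mechanism == "PLAIN":
        auth = plain_auth_vars(responses[0])
    else:
        auth = login_auth_vars(responses[0], responses[1])
    return ldapauth_credentials(mechanism, auth)


if __name__ == "__main__":
    # Constructed exchange: a client doing AUTH PLAIN over a TLS session.
    plain_msg = encode_plain("", SAMPLE_USER, SAMPLE_PASSWORD)
    print("PLAIN vars :", plain_auth_vars(plain_msg))
    print("ldapauth   :", handle_auth("PLAIN", "TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256", plain_msg))
```

The same credentials reach ldapauth from either mechanism, but through different variables; the check on the authorization id is what stops a PLAIN message of the form `other\0jbloggs\0s3cret` from being accepted as a login for `other`.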


J.Haynes at Cranfield

Oct 28, 2009, 7:30 PM

Post #3 of 3 (107 views)
Re: (OT?) Authentication against Active Directory [In reply to]

On Wed, 28 Oct 2009 at 16:35 -0000, ROGERS Richard wrote

> I would appreciate any pointers as to the best way to go about this -
> I'm sure someone has gone down this road before me! The system will run
> on a Redhat (or possibly Fedora) box.
>

We use ldapauth for this and it works fine (also running Exim on Redhat).
It is a useful shortcut as you don't have to worry about searching the
correct ldap hierarchy in the AD as it doesn't look anything up, just
tries to bind as the user. However if you need restrictions on which of
your users can send email you probably need to use an alternative. You
will also need some sort of lookup if you want to force the sender address
to match that associated with the username used - we haven't had problems
with this so far.

> I have been looking around for pointers (I'm
> no expert with PAM or SASL) but not found a "recipe".
>

Our config entry is below.

The complexity in our case is to allow for users authenticating with or
without the domain name in their username and also with the mailbox name
on the end - the latter is there because we use Exchange and for Exchange
2003 the IMAP username was "domain/username/alias" (where alias is the
local part of their email address) and we wanted to cope with users who
just checked the 'use same credentials for outgoing as incoming' option
on their client as well as those who supplied just the username. Hence the
complicated substitution inside the condition below.

Now we are using Exchange 2007 the above doesn't apply but the code is
still there.

I would have thought you probably still needed something to cope with the
choice between authenticating as username and domain\username. From my
experiments the requirement for what is passed to AD by LDAP is
username@FQDN but I don't know if this varies according to how the AD is
set up. Interestingly I have just realised that the below does not allow
that form as the provided username! No one has tried it and complained yet,
presumably because people are told to authenticate to webmail as
DOMAIN\username and by extension use that on mail clients. I seem to
recall that when this was originally written the @ format wasn't an option
but I don't really remember.


While this is production code it has not been hugely stress tested as the
'official' methods of accessing email here are by webmail or Outlook in
Exchange mode so this is merely provided for people who choose to set up
their own clients.


The below config is slightly redacted in that I have changed our real AD
domain name. Email will probably line wrap the substitution expression as
well.


The following appears in the main config section

ldap_default_servers = SERVERX.ADDOMAIN.cranfield.ac.uk::636:\
SERVERY.ADDOMAIN.cranfield.ac.uk::636:\
etc..

and then the authenticators section looks like

begin authenticators

# Use LDAP against Active Directory
# username needs to be user@ADDOMAIN.cranfield.ac.uk
#
# Expression inside user section of ldapauth is JRH config
# for username with/without additional info
# This is designed to cope with usernames of the form
# DOMAIN/user/mailbox
# DOMAIN/user
# user/mailbox (unlikely to be provided but substitution code works
# anyway)
# user
# All / can also be \ and DOMAIN is case insensitive


# Use TLS encrypted ldap

# Plain authenticator

ldap_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if ldapauth \
    {user="${quote_ldap:${sg{${sg{$2}{\N(?i)DOMAIN(/|\\)(.*)\N}{\N$2\N}}}{\N(.*)(/|\\)(.*)\N}{\N$1\N}}@ADDOMAIN.cranfield.ac.uk}" \
    pass="$3" \
    ldaps:///}\
    {yes}{no}}
  server_set_id = $2
  server_prompts = :


The login authenticator is the same with appropriate adjustment to
parameters ($2->$1 and $3->$2) and a change to the server_prompts line.

Jonathan


--
------------------------------------------------------------------------------

J. R. Haynes
Senior Network Specialist

IT Department, e-mail: J.Haynes[at]cranfield.ac.uk
Bld 63,
Cranfield University, Tel: Bedford (01234) 754205
Wharley End, Bedford (01234) 750111 Extn 4205
Cranfield, Fax: Bedford (01234) 751814
Beds.,
MK43 0AL.

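The username normalisation inside Jonathan's server_condition, reimplemented as an added example (not code from the post or from Exim) so the behaviour of the two nested sg{} substitutions can be checked offline against the four username forms the comments list. ADDOMAIN and ADDOMAIN.cranfield.ac.uk stand in for the redacted domain exactly as in the post. It goes beyond the post in one labelled respect: normalize_login also accepts the user@realm form Jonathan notes the posted expression does not handle, and it refuses anything that is not a plain account name before the value is spliced into an LDAP bind request; that allowed-character set is an assumption, not something the post specifies.

```python
import re

# Placeholders standing in for the redacted values in the post: the short
# domain users type in front of their name, and the realm the bind name needs.
AD_SHORT_DOMAIN = "ADDOMAIN"
AD_REALM = "ADDOMAIN.cranfield.ac.uk"

# The two sg{} substitutions from the posted server_condition, in the same
# order. Neither is anchored, exactly as in the post.
_STRIP_DOMAIN = re.compile(re.escape(AD_SHORT_DOMAIN) + r"(/|\\)(.*)", re.IGNORECASE)
_STRIP_MAILBOX = re.compile(r"(.*)(/|\\)(.*)")


def exim_sg_chain(username: str) -> str:
    """Replicates the nested sg{} pair: drop a leading DOMAIN/ or DOMAIN\\
    (case-insensitive), then keep only what precedes the last remaining / or \\."""
    without_domain = _STRIP_DOMAIN.sub(r"\2", username)
    return _STRIP_MAILBOX.sub(r"\1", without_domain)


def bind_name_as_posted(username: str) -> str:
    """What the posted config hands to ldapauth as user= (quote_ldap aside).
    Feeding it an already-qualified user@realm shows the problem Jonathan
    mentions: the realm is appended a second time."""
    return exim_sg_chain(username) + "@" + AD_REALM


# Assumption: account names are limited to this set. Anything else (LDAP
# filter metacharacters, spaces, control characters) is refused outright
# rather than relying on quoting alone.
_SAFE_USER = re.compile(r"^[A-Za-z0-9._-]+$")


def normalize_login(username: str) -> str:
    """Extension beyond the post: also accept user@REALM, and refuse anything
    that is not a plain account name before it reaches the bind request."""
    if "@" in username:
        local, _, realm = username.partition("@")
        if realm.lower() != AD_REALM.lower():
            raise ValueError("login name carries an unexpected realm")
        user = local
    else:
        user = exim_sg_chain(username)
    if not _SAFE_USER.match(user):
        raise ValueError("account name is empty or contains disallowed characters")
    return user + "@" + AD_REALM


if __name__ == "__main__":
    # Constructed sample logins covering the forms listed in the post's comments.
    for sample in ("ADDOMAIN/jbloggs/joe.bloggs", "addomain\\jbloggs",
                   "jbloggs/joe.bloggs", "jbloggs", "jbloggs@ADDOMAIN.cranfield.ac.uk"):
        print(f"{sample:40} posted -> {bind_name_as_posted(sample)}")
        try:
            print(f"{'':40} hardened -> {normalize_login(sample)}")
        except ValueError as exc:
            print(f"{'':40} hardened -> rejected: {exc}")
```

Running it shows the posted expression producing `jbloggs@ADDOMAIN.cranfield.ac.uk@ADDOMAIN.cranfield.ac.uk` for the already-qualified form, which is the case Jonathan says nobody has tripped over yet; the hardened variant maps all five forms to the same bind name and rejects a foreign realm.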
