Mmmm yes, smart.

On Wed, Sep 19, 2012 at 07:11:38AM -0700, Todd Lyons wrote:
> On Tue, Sep 18, 2012 at 5:40 PM, Phil Pennock <[email protected]> wrote:
> >> > Of course, exim4 test works if I delete the ACL. Therefore,
> >> > and given the successful ldapsearch test, I think that exim4
> >> > is not using SASL-GSSAPI. It should because it is linked against
> >> The existence of the linking against the libldap library is to allow
> >> Exim to do LDAP lookups but there is no call to the GSSAPI
> > In addition to that, if you want something that works _now_, then you
> > should be able to set up an LDAP mirror on the mail server itself, with
> > syncrepl with "partial" replication, only able to see the necessary
> > attributes.
> > Then you can use ldapi:// to connect to that local LDAP server over a
> > Unix domain socket, and use peer credentials for authentication. Last I
> > checked, that was sasl-regexp rules, but I think it's changed.

Actually this fits my current deployment (still not on a production
server) very well, where exim4 and slapd are on the same machine. I took
a look at the exim4 manual and, yes, ldapi:// is possible:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch09.html

Anyway, in the future exim4 and slapd will not be on the same machine
and, without SASL-GSSAPI, ok, it seems that an accompanying slapd is
necessary. I know syncrepl (I am using it between my two slapd
instances) but the proxy idea seems even more pertinent.

> Along those same lines, according to the openldap docs, the openldap
> server can be used as a proxy. So you set it up on localhost (or in a
> VM on your smtp vlan, etc) and openldap do the GSSAPI to your
> corporate server, while you do simple binds to your local server.

Ok, so ldapi:// to a local instance which is just a light proxy. I don't
have experience with this, I think it is called the LDAP database
backend(1), but maybe more than that is implicated, given that:

- a change of identity authorization is performed from one communication
  to the other.
- for security reasons, it is convenient to reduce proxy usage to just
  the <LDAP node> in question.

Thank you guys. I wanted to know if the SASL-GSSAPI problem was a
misunderstanding on my side, so I can move on to another thing (for now)
having things clear at this point.

Félix

(1) http://www.openldap.org/doc/admin24/backends.html#LDAP

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
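Added here as an illustration of the setup Phil and Todd describe (a local slapd acting as a back-ldap proxy, reached by Exim over ldapi://, doing GSSAPI to the corporate server itself); this is example configuration written for this note, not from the thread, from Exim or from OpenLDAP. All paths, DNs, hostnames, the keytab principal and the Exim uid (106) are placeholders, and the directive spellings follow slapd.conf(5), slapd-ldap(5) and slapd.access(5) as I recall them, so check them against your OpenLDAP version before relying on them.

```conf
# --- /etc/ldap/slapd.conf on the mail host (local proxy instance) ---
# Assumed paths, DNs, hostnames and uid values are placeholders.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid

# Start slapd listening on the Unix socket only, for example
#   slapd -h "ldapi:///" -f /etc/ldap/slapd.conf
# and point KRB5_KTNAME in slapd's environment at a keytab holding the
# proxy's own service principal (assumed: ldap/mailhost.example.com).
# Keep the socket directory's filesystem permissions limited to the
# Exim user, since that is the first control on who can connect.

# Reject anything that did not arrive over the ldapi socket before the
# proxy database is consulted at all ("break" continues to later rules).
access to *
    by peername.path="/var/run/slapd/ldapi" break
    by * none

# Only the subtree and attributes Exim's lookups need are readable;
# everything else stays invisible to the local client.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,mail,uid
    by * read
access to *
    by * none

# A client that binds SASL EXTERNAL over ldapi (e.g. ldapsearch -Y EXTERNAL
# while testing) is identified by its socket peer credentials.  Map the
# Exim system user (assumed uidNumber 106) to a named service DN so ACLs
# can refer to it; authz-regexp is the current name for the old sasl-regexp.
authz-regexp
    "gidNumber=[0-9]+\\+uidNumber=106,cn=peercred,cn=external,cn=auth"
    "cn=exim,ou=services,dc=example,dc=com"

# back-ldap: this instance holds no data of its own; it forwards each
# operation to the corporate server and authenticates there with its own
# GSSAPI identity, so the Exim side never needs Kerberos.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap.corp.example.com/"
# mode=none: forwarded operations run as the proxy's own identity instead
# of asserting the local client's, so the corporate server's ACLs only
# have to grant that one principal read on the attributes listed above.
idassert-bind   bindmethod=sasl saslmech=GSSAPI mode=none

# --- Exim 4 router fragment on the same host (assumed names) ---
# In the ldapi URL the socket path is %-encoded in the host part (Exim
# spec ch. 9).  No user=/pass= is given, so the lookup binds anonymously
# and the slapd ACLs above are what limit what it can see.
ldap_users:
  driver = accept
  domains = +local_domains
  condition = ${lookup ldap{ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/ou=people,dc=example,dc=com?mail?sub?(mail=${quote_ldap:$local_part@$domain})}{yes}{no}}
  transport = local_delivery
```

The two points Félix raises map onto specific lines: the identity change happens at idassert-bind (anonymous or simple bind locally, GSSAPI as the proxy's principal upstream), and scoping the proxy to the one consumer is done by the peername.path rule plus the attribute-level ACL rather than by anything in back-ldap itself. One check worth making: if your Exim build performs only a simple bind for LDAP lookups, the peercred mapping is useful for test clients such as ldapsearch but does not identify Exim to the ACLs; in that case the socket permissions and the peername.path rule are the controls that actually apply to Exim's queries.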
