
Re: Re: Re: Re: Re: LDAP and sendmail



Hi Stuart,

You're right. Last week I patched qpopper to get its authentication
information out of LDAP. It was really trivial.
But what I didn't understand (until yesterday) was how I can tell
sendmail/the delivery agent that a given user "XYZ" is on the local machine
WITHOUT USING /ETC/PASSWD but LDAP instead.
Now I know that nss_ldap will do. However, I'll figure it out in the next
few days. Thanks everybody for helping.



Greetings,

Masiar

Stuart Lynne <sl@fireplug.net> on 05.03.99 11:24:49

To:      Masiar Ighani <MIGHANI@debis.com>
Cc:      Dustin Sallings <dustin@spy.net>, openldap-general@OpenLDAP.org
Subject: Re: Re: Re: Re: LDAP and sendmail
On Fri, Mar 05, 1999 at 10:36:24AM +0100, Masiar Ighani wrote:
>
> Hi Dustin,
>
> but how do they pop their mail?  The POP-Server uses the /etc/passwd or
> /etc/shadow to get the password !?
> And the delivery agent needs the uid to change to, before writing in the
> users mailbox.

Many large mail servers take a "sealed" server approach. No user logins of
any kind (other than system administrators).

All mail is stored in a separate mailbox file or directory for each unique
user.  All access by users to their mail is via pop or imap. So permissions
are to make the mailboxes read/write only by the mail uid/gid. And
setuid/setgid the mail delivery programs.

All authentication, forwarding information, etc is stored in a database. In
this case presumably LDAP.

The hooks in exim (for example) are perfectly adequate for delivering mail
for user@domain type users with forwarding, vacation etc using a directory
server.

And doing authentication out of the same directory server for pop access is
next to trivial (~100 or so lines of C). Simply derive a distinguished name
from the users login (and perhaps a domain from the reverse DNS of the IP
address the request came to) and attempt to bind to the directory with the
provided password. If the bind succeeds you have a valid user. You can use
the same information to find his unique mailbox file or directory.

--
Stuart Lynne <sl@fireplug.net>      604-461-7532      <http://edge.fireplug.net>
PGP Fingerprint: 28 E2 A0 15 99 62 9A 00  88 EC A3 EE 2D 1C 15 68
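The bind-based POP authentication Stuart describes above, written out as an added example (this is not code from the thread, from qpopper or from exim). It derives a DN from the login, binds to the directory with the supplied password, and on success reads the mailbox location from the same entry. Two things the description leaves implicit are handled explicitly: the login is validated and DN-escaped before it is spliced into a distinguished name, and an empty password is refused up front, because LDAP servers may treat "DN plus empty password" as an anonymous bind that succeeds without proving anything. The DN layout (uid=<login>,ou=People,dc=...), the `mailMessageStore` attribute name, the use of the `ldap3` library for the real directory path, and the in-memory directory used for the demo are all assumptions of this example.

```python
"""POP-style LDAP bind authentication: derive DN, bind, look up mailbox.

Added example, not code from the thread. Assumed: entries live under
uid=<login>,ou=People,<dc components of the domain>, and the mailbox
path is stored in a 'mailMessageStore' attribute.
"""
import re

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')

# Logins we are willing to turn into a DN at all (assumed local policy).
_LOGIN_RE = re.compile(r'[A-Za-z0-9._-]{1,64}')


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN so that a crafted login such as
    'alice,ou=Admins' cannot change which entry we bind as."""
    escaped = _DN_SPECIAL.sub(r'\\\1', value)
    if escaped.startswith(('#', ' ')):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped


def domain_to_base(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com' (assumed directory layout)."""
    labels = [p for p in domain.lower().split('.') if p]
    return ','.join('dc=' + escape_dn_value(p) for p in labels)


def derive_dn(login: str, domain: str) -> str:
    """Build the DN to bind as from the POP login and the served domain."""
    return 'uid=%s,ou=People,%s' % (escape_dn_value(login), domain_to_base(domain))


def authenticate(login, password, domain, bind, mailbox_attr='mailMessageStore'):
    """Return {'dn': ..., 'mailbox': ...} if the bind succeeds, else None.

    `bind(dn, password)` is the directory access function: it returns the
    bound entry's attributes as a dict on success or None on failure.  It is
    injected so the logic can run against the constructed directory below or
    against ldap3_bind() for a real server.
    """
    # Refuse empty credentials before contacting the server: an empty
    # password can be treated as an anonymous bind (RFC 4513), which would
    # "succeed" and let the caller through with no proof of identity.
    if not login or not password or not _LOGIN_RE.fullmatch(login):
        return None
    dn = derive_dn(login, domain)
    entry = bind(dn, password)
    if entry is None:
        return None
    return {'dn': dn, 'mailbox': entry.get(mailbox_attr)}


def ldap3_bind(uri):
    """Return a bind() function backed by the ldap3 library (assumed installed)."""
    def _bind(dn, password):
        from ldap3 import Server, Connection, BASE  # lazy import: module loads without ldap3
        conn = Connection(Server(uri), user=dn, password=password)
        if not conn.bind():          # simple bind failed: wrong password or no such DN
            return None
        conn.search(dn, '(objectClass=*)', search_scope=BASE, attributes=['mailMessageStore'])
        attrs = conn.entries[0].entry_attributes_as_dict if conn.entries else {}
        conn.unbind()
        vals = attrs.get('mailMessageStore') or []
        return {'mailMessageStore': vals[0]} if vals else {}
    return _bind


# Constructed in-memory directory standing in for the LDAP server in this demo.
FAKE_DIRECTORY = {
    'uid=alice,ou=People,dc=example,dc=com':
        ('s3cret', {'mailMessageStore': '/var/mail/example.com/alice'}),
}


def fake_bind(dn, password):
    """Stand-in for a simple bind against FAKE_DIRECTORY (constructed data)."""
    record = FAKE_DIRECTORY.get(dn)
    if record is None or record[0] != password:
        return None
    return dict(record[1])


if __name__ == '__main__':
    print(authenticate('alice', 's3cret', 'example.com', fake_bind))
    print(authenticate('alice', 'wrong', 'example.com', fake_bind))
    print(authenticate('alice,ou=Admins', 's3cret', 'example.com', fake_bind))
```

Against a real server you would pass `ldap3_bind('ldap://directory.example.com')` as the `bind` argument; the DN derivation, login validation and empty-password check are the same on both paths.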