We have:
1. FreeBSD 7.0-RELEASE-p5
exim-4.69_2
dovecot-1.1.7_1
2. PDC on Win2003 R2
The user account in AD:
Code:
# \D0\A1\D0\B5\D1\80\D0\B3\D0\B5\D0\B9 \D0\A0\D0\BE\D0\BC\D0\B0\D0\BD\D0\BE\D
0\B2, \D0\9F\D0\BE\D0\BB\D1\8C\D0\B7\D0\BE\D0\B2\D0\B0\D1\82\D0\B5\D0\BB\D0\
B8, domain.local
dn:: Q0490KHQtdGA0LPQtdC5INCg0L7QvNCw0L3QvtCyLE9VPdCf0L7Qu9GM0LfQvtCy0LDRgtC10
 LvQuCxEQz1hbnBpbG92c20sREM9bG9jYWw=
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: 0KHQtdGA0LPQtdC5INCg0L7QvNCw0L3QvtCy
telephoneNumber: 50M
distinguishedName:: Q0490KHQtdGA0LPQtdC5INCg0L7QvNCw0L3QvtCyLE9VPdCf0L7Qu9GM0L
 fQvtCy0LDRgtC10LvQuCxEQz1hbnBpbG92c20sREM9bG9jYWw=
instanceType: 4
whenCreated: 20081113041350.0Z
whenChanged: 20090111193505.0Z
uSNCreated: 367734
memberOf:: Q0490J7RgtC00LXQuyDQmNCiLE9VPdCT0YDRg9C/0L/RiyDQv9C+0LTRgNCw0LfQtNC
 10LvQtdC90LjQuSxPVT3Qn9C+0LvRjNC30L7QstCw0YLQtdC70LgsREM9YW5waWxvdnNtLERDPWxv
 Y2Fs
memberOf:: Q0490JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YDRiyDQtNC+0LzQtdC90LAsQ049VXN
 lcnMsREM9YW5waWxvdnNtLERDPWxvY2Fs
memberOf:: Q0490JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YDRiyDQv9GA0LXQtNC/0YDQuNGP0YL
 QuNGPLENOPVVzZXJzLERDPWFucGlsb3ZzbSxEQz1sb2NhbA==
uSNChanged: 1619202
name:: 0KHQtdGA0LPQtdC5INCg0L7QvNCw0L3QvtCy
objectGUID:: 8+KJruUXVE+GUu1B2Hc9dw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 128761772395163154
lastLogoff: 0
lastLogon: 128761858211157253
pwdLastSet: 128761761235781250
primaryGroupID: 513
userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI
 CAg
objectSid:: AQUAAAAAAAUVAAAAq94cAoG04+7ocN1sdQgAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 77
sAMAccountName: s.romanov
sAMAccountType: 805306368
userPrincipalName: s.romanov@domain.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
msNPAllowDialin: TRUE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 128760745335781250
mail: s.romanov@domain.ru
Exim uses two fields from AD:
mail, to locate the mailbox and for authentication; its value may differ from the user's login in the domain.
telephoneNumber, for the mailbox size quota.
exim.conf
Code:
primary_hostname = mail.domain.ru
## LDAP server connection parameters
LDAPSERVER=domain.local:3268
BASEDN=dc=domain,dc=local
LDAP_AUTH= user="CN=squid,CN=Users,DC=domain,DC=local" pass="pass"
......
begin routers
.......
ldapuser:
driver = accept
condition = ${if eq {}{${lookup ldapdn {LDAP_AUTH ldap://LDAPSERVER/BASEDN?(mail=${quote_ldap:$local_part}${quote_ldap:@}${quote_ldap:$domain})}}}{no}{yes}}
transport = ldap_delivery
unseen = true
.....
begin transports
remote_smtp:
driver = smtp
ldap_delivery:
driver = appendfile
check_string = ""
create_directory
delivery_date_add
directory = ${lookup ldap{LDAP_AUTH ldap://LDAPSERVER/BASEDN?mail?sub?(mail=${quote_ldap_dn:$local_part}@domain.ru)}{/var/spool/mail/$value} }
directory_mode = 770
envelope_to_add
maildir_use_size_file
group = mail
maildir_format
maildir_tag = ,S=$message_size
message_prefix = ""
message_suffix = ""
mode = 0660
quota = ${lookup ldap{LDAP_AUTH ldap://LDAPSERVER/BASEDN?telephoneNumber?sub?(mail=${quote_ldap_dn:$local_part}${quote_ldap:@}${quote_ldap:$domain})}}
quota_warn_message = "\
To: $local_part@$domain\n\
From: root@$domain\n\
Subject: Your maildir is going full\n\
This message is automatically generated by your mail server.\n\
This means, that your mailbox is 80% full. If you would \n\
override this limit new mail would not be delivered to you!\n\n\
Please, clean your mailbox."
quota_warn_threshold = 85%
....
begin authenticators
auth_plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if ldapauth {user=${lookup ldapdn {LDAP_AUTH ldap://LDAPSERVER/BASEDN?mail?sub?(mail=${quote_ldap:$auth2}@domain.ru)}} pass=${quote_ldap:$auth2} connect=5 ldap://LDAPSERVER/} {true} {fail}}
server_prompts = :
server_set_id = $auth2
What happens during a telnet session to the server:
Code:
14:58:21 72443 SMTP>> 250-mail.domain.ru Hello ns3.palcons.ru [81.28.182.30]
14:58:21 72443 250-SIZE 5242880
14:58:21 72443 250-PIPELINING
14:58:21 72443 250-AUTH PLAIN AUTH_LOGIN
14:58:21 72443 250 HELP
14:58:25 72443 SMTP<< auth plain
14:58:25 72443 SMTP>> 334
14:58:28 72443 SMTP<< AHMycmh9tYW5vsgBnYnBszNuZmhnig==
14:58:28 72443 auth_plain authenticator:
14:58:28 72443 $auth1 =
14:58:28 72443 $auth2 = s.romanov
14:58:28 72443 $auth3 = moipass
14:58:28 72443 $1 =
14:58:28 72443 $2 = s.romanov
14:58:28 72443 $3 = moipass
14:58:28 72443 expanding: $auth2
14:58:28 72443 result: s.romanov
14:58:28 72443 expanding: user="CN=squid,CN=Users,DC=domain,DC=local" pass="pass" ldap://domain.local:3268/dc=domain,dc=local?mail?sub?(mail=${quote_ldap:$auth2}@domain.ru)
14:58:28 72443 result: user="CN=squid,CN=Users,DC=domain,DC=local" pass="pass" ldap://domain.local:3268/dc=domain,dc=local?mail?sub?(mail=s.romanov@domain.ru)
14:58:28 72443 search_open: ldapdn "NULL"
14:58:28 72443 search_find: file="NULL"
14:58:28 72443 key="user="CN=squid,CN=Users,DC=domain,DC=local" pass="pass" ldap://domain.local:3268/dc=domain,dc=local?mail?sub?(mail=s.romanov@domain.ru)" partial=-1 affix=NULL starflags=0
14:58:28 72443 LRU list:
14:58:28 72443 internal_search_find: file="NULL"
14:58:28 72443 type=ldapdn key="user="CN=squid,CN=Users,DC=domain,DC=local" pass="pass" ldap://domain.local:3268/dc=domain,dc=local?mail?sub?(mail=s.romanov@domain.ru)"
14:58:28 72443 database lookup required for user="CN=squid,CN=Users,DC=domain,DC=local" pass="pass" ldap://domain.local:3268/dc=domain,dc=local?mail?sub?(mail=s.romanov@domain.ru)
14:58:28 72443 LDAP parameters: user=CN=squid,CN=Users,DC=domain,DC=local pass=pass size=0 time=0 connect=0 dereference=0 referrals=on
14:58:28 72443 perform_ldap_search: ldapdn URL = "ldap://domain.local:3268/dc=domain,dc=local?mail?sub?(mail=s.romanov@domain.ru)" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
14:58:28 72443 after ldap_url_parse: host=domain.local port=3268
14:58:28 72443 ldap_initialize with URL ldap://domain.local:3268/
14:58:28 72443 initialized for LDAP (v3) server domain.local:3268
14:58:28 72443 LDAP_OPT_X_TLS_TRY set
14:58:28 72443 binding with user=CN=squid,CN=Users,DC=domain,DC=local password=pass
14:58:28 72443 Start search
14:58:28 72443 ldap_result loop
14:58:28 72443 LDAP entry loop
14:58:28 72443 search ended by ldap_result yielding 101
14:58:28 72443 ldap_parse_result: 0
14:58:28 72443 ldap_parse_result yielded 0: Success
14:58:28 72443 LDAP search: returning: CN=Сергей Романов,OU=Пользователи,DC=domain,DC=local
14:58:28 72443 lookup yielded: CN=Сергей Романов,OU=Пользователи,DC=domain,DC=local
In the fragment above, Exim binds to AD with the account "CN=squid,CN=Users,DC=domain,DC=local" and searches for the user's DN with the given filter; it finds
"CN=Сергей Романов,OU=Пользователи,DC=domain,DC=local"
and below it tries to authenticate with this DN, which is where it gets rejected:
Code:
14:58:28 72443 expanding: $auth2
14:58:28 72443 result: s.romanov
14:58:28 72443 expanding: user=${lookup ldapdn {user="CN=squid,CN=Users,DC=domain,DC=local" pass="pass" ldap://domain.local:3268/dc=domain,dc=local?mail?sub?(mail=${quote_ldap:$auth2}@domain.ru)}} pass=${quote_ldap:$auth2} connect=5 ldap://domain.local:3268/
14:58:28 72443 result: user=CN=Сергей Романов,OU=Пользователи,DC=domain,DC=local pass=s.romanov connect=5 ldap://domain.local:3268/
14:58:28 72443 LDAP query error: unknown parameter "Романов,OU=" precedes LDAP URL
14:58:28 72443 failed to expand: ${if ldapauth {user=${lookup ldapdn {user="CN=squid,CN=Users,DC=domain,DC=local" pass="pass" ldap://domain.local:3268/dc=domain,dc=local?mail?sub?(mail=${quote_ldap:$auth2}@domain.ru)}} pass=${quote_ldap:$auth2} connect=5 ldap://domain.local:3268/} {true} {fail}}
14:58:28 72443 error message: unknown parameter "Романов,OU=" precedes LDAP URL
14:58:28 72443 expansion failed: unknown parameter "Романов,OU=" precedes LDAP URL
14:58:28 72443 expanding: $auth2
14:58:28 72443 result: s.romanov
14:58:28 72443 SMTP>> 435 Unable to authenticate at present
14:58:28 72443 LOG: MAIN REJECT
14:58:28 72443 auth_plain authenticator failed for (ns3.palcons.ru) [81.28.182.30] I=[85.114.189.2]:25: 435 Unable to authenticate at present (set_id=s.romanov): unknown parameter "Романов,OU=" precedes LDAP URL
^C
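The failure in the log above, as an added example that is not part of the original post: a small Python model of how the text in front of an LDAP URL is split into `name=value` parameters. The DN returned by the `ldapdn` lookup contains a space, and the expanded `user=` value is not quoted, so the parameter parser reads `Романов,OU=...` as a second parameter, which is exactly the `unknown parameter ... precedes LDAP URL` error in the log. The code is a simplified reimplementation written for this page, not Exim's source, and `KNOWN_PARAMS` is an assumption. `exim_quote()` mimics Exim's `${quote:...}` expansion operator (double-quote a value that contains anything other than letters, digits, `_`, `.` and `-`, escaping `"` and `\`), which is how the `ldapauth` example in the Exim specification protects its `user=` and `pass=` values. The DN is decoded from the base64 `dn::` line of the LDIF above (with the poster's anonymised domain), and the password is the `$auth3` value shown in the debug log; note that the log's `pass=s.romanov` shows the login from `$auth2` being passed rather than the password.

```python
"""Why the ldapauth expansion in the log fails: the text in front of the LDAP
URL is split into name=value parameters on whitespace, so an unquoted DN that
contains a space breaks into two tokens. Simplified model written for this
post (not Exim's source); exim_quote() mimics Exim's ${quote:...} operator."""

import re

# Parameter names accepted in front of an LDAP URL (assumption for this model).
KNOWN_PARAMS = {"user", "pass", "size", "time", "connect", "dereference",
                "referrals", "servers"}
URL_SCHEMES = ("ldap://", "ldaps://", "ldapi://")


class LdapParamError(ValueError):
    """Raised when the parameter section cannot be parsed."""


def exim_quote(value: str) -> str:
    """Mimic ${quote:...}: return the value unchanged if it consists only of
    letters, digits, underscore, dot and hyphen; otherwise wrap it in double
    quotes and backslash-escape embedded backslashes and double quotes."""
    if value and re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def parse_ldap_query(query: str):
    """Split 'name=value ... ldap://...' into (params, url).
    Values are whitespace-delimited unless enclosed in double quotes."""
    params = {}
    pos, n = 0, len(query)
    while True:
        while pos < n and query[pos].isspace():
            pos += 1
        if pos >= n:
            raise LdapParamError("no LDAP URL found")
        if query[pos:].lower().startswith(URL_SCHEMES):
            return params, query[pos:]
        eq = query.find("=", pos)
        name = query[pos:eq] if eq >= 0 else query[pos:]
        if eq < 0 or name not in KNOWN_PARAMS:
            # The failure seen in the log: the second half of the split DN
            # ("Романов,OU=...") is read as a parameter name.
            raise LdapParamError(f'unknown parameter "{name}=" precedes LDAP URL')
        pos = eq + 1
        if pos < n and query[pos] == '"':
            pos += 1
            buf = []
            while pos < n and query[pos] != '"':
                if query[pos] == "\\" and pos + 1 < n:
                    pos += 1          # keep the escaped character literally
                buf.append(query[pos])
                pos += 1
            if pos >= n:
                raise LdapParamError("unterminated quoted value")
            pos += 1                  # skip the closing quote
            params[name] = "".join(buf)
        else:
            end = pos
            while end < n and not query[end].isspace():
                end += 1
            params[name] = query[pos:end]
            pos = end


# DN decoded from the base64 "dn::" line of the LDIF above, with the poster's
# anonymised domain; the password is the $auth3 value shown in the debug log.
USER_DN = "CN=Сергей Романов,OU=Пользователи,DC=domain,DC=local"
LDAP_URL = "ldap://domain.local:3268/"


def build_ldapauth_query(dn: str, password: str, quote: bool) -> str:
    """Build the argument of ${if ldapauth {...}} with or without quoting."""
    if quote:
        dn, password = exim_quote(dn), exim_quote(password)
    return f"user={dn} pass={password} connect=5 {LDAP_URL}"


def try_parse(query: str):
    """Return ('ok', params, url) or ('error', message, None)."""
    try:
        params, url = parse_ldap_query(query)
        return "ok", params, url
    except LdapParamError as exc:
        return "error", str(exc), None


if __name__ == "__main__":
    for quote in (False, True):
        q = build_ldapauth_query(USER_DN, "moipass", quote)
        print("quoted" if quote else "unquoted", "->", try_parse(q))
```

Running the block prints the parameter error for the unquoted form and the parsed `user`, `pass` and `connect` values for the quoted one; the quoted form also survives passwords containing spaces, quotes or backslashes, which the bare `${quote_ldap:}` operator does not protect against in this position.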