Secure LDAP Alias Lookup through Sendmail

I'm trying to configure sendmail to use an LDAP lookup as an alias table.

I have this line in my config:

Kldapfullname ldap -k"uid=%s" -v"mail" -h"my-ldap-server"

I've been using that for a long time. It works, aliases get looked up, and email ends up in the proper inbox.

However, it's working because the LDAP is currently allowing anonymous binds. Due to some policy changes, this can't be done anymore.

I got this working:

Kldapfullname ldap -k"uid=%s" -v"mail" -H"ldaps://my-ldap-server/" -Msimple -d"CN=LDAP_USER" -P /path/to/ldap.secret

Which fulfills the requirement of "no more anonymous binds".

However, there's still a bit of a security problem: the LDAP binding is not being done over a secure channel. The user name and password are both being sent in clear text, which, in the long run, is just as useful as leaving it to bind anonymously.

In several examples I found while searching around, I saw that the -H flag lets you specify a protocol such as ldap://, or in my case ldaps://.

But when I went to verify, I saw that the data was still going through the non-secure LDAP port (Port 389) instead of the LDAPS port (Port 636). (I used snoop to see the traffic between my host and the LDAP server.)

So my questions are:

  * Why is the ldaps:// being ignored and used as if it were just ldap://?
  * What do I have to change in order to get this working?

According to the 4th edition of the "bat book" (section 3.4.56), when sendmail is compiled with LDAP support but without SM_CONF_LDAP_INITIALIZE, the scheme:// part of the LDAP URL is omitted.

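The checks described in the question and answer above, as an added example that is not part of the original question or answer and not sendmail's own code. It reads the "Compiled with:" block that `sendmail -d0.1 -bv root` prints, resolves a key through the map from `sendmail -bt` address-test mode with the `/map` command, and, most usefully, does what the questioner did with snoop: it counts captured packets to the LDAP server by destination port, so a build that silently drops the ldaps:// scheme shows up as traffic on 389 rather than 636. It also checks that the file handed to -P is not group- or world-readable, since it holds the bind password. Assumed and not in the original: the tcpdump -n line format of the constructed sample capture, the IP addresses in it, and the map name `ldapfullname` taken from the question's config.

```shell
#!/bin/sh
# Added example (not from the original post or from sendmail).
# Assumptions: tcpdump -n style capture lines, a map named "ldapfullname"
# as in the question, and a sendmail binary on PATH for the live checks.

LDAP_MAP="ldapfullname"

# Does `sendmail -d0.1 -bv root` list the given option (e.g. LDAPMAP) in
# its "Compiled with:" block? Look at that block by eye as well; whether
# the ldap_initialize()-capable build setting the answer mentions is
# visible there depends on the build.
sendmail_compiled_with() {   # $1 = option name
    sendmail -d0.1 -bv root 2>/dev/null \
        | sed -n '/Compiled with:/,/^[[:space:]]*$/p' \
        | grep -qw "$1"
}

# Resolve one key through the map in sendmail's address test mode and
# print the line sendmail reports for it.
map_lookup() {               # $1 = uid to look up
    printf '/map %s %s\n' "$LDAP_MAP" "$1" | sendmail -bt 2>&1 | grep "$LDAP_MAP"
}

# Count captured packets by destination port at the LDAP server.
# Input on stdin: tcpdump -n lines such as
#   12:00:00.000001 IP 10.0.0.5.45123 > 10.0.0.9.389: Flags [S], ...
# Output: "389=<n> 636=<m>"
ldap_port_summary() {
    awk '$4 == ">" {
            n = split($5, d, ".")          # $5 is "a.b.c.d.port:"
            port = d[n]; sub(/:$/, "", port)
            if (port == "389") c389++
            else if (port == "636") c636++
         }
         END { printf "389=%d 636=%d\n", c389 + 0, c636 + 0 }'
}

# Succeed only if the capture shows ldaps traffic and no plaintext ldap.
# With -H"ldaps://..." on a build that strips the scheme, 389 shows up here.
ldaps_only() {
    summary=$(ldap_port_summary)
    c389=${summary#389=}; c389=${c389%% *}
    c636=${summary##*636=}
    [ "$c636" -gt 0 ] && [ "$c389" -eq 0 ]
}

# The -P file holds the bind password: it must be neither group- nor
# world-readable, or the "no anonymous binds" policy is defeated locally.
secret_file_ok() {           # $1 = path given to -P
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -004 -o -perm -040 \) -print)" ]
}

# Constructed sample capture (not real traffic): a bind over 389 followed
# by a single connection attempt to 636.
SAMPLE_CAPTURE='12:00:00.000001 IP 10.0.0.5.45123 > 10.0.0.9.389: Flags [S], seq 1, length 0
12:00:00.000002 IP 10.0.0.9.389 > 10.0.0.5.45123: Flags [S.], seq 2, length 0
12:00:00.000003 IP 10.0.0.5.45123 > 10.0.0.9.389: Flags [P.], seq 1:60, length 59
12:00:01.000001 IP 10.0.0.5.45124 > 10.0.0.9.636: Flags [S], seq 3, length 0'

main() {
    printf '%s\n' "$SAMPLE_CAPTURE" | ldap_port_summary
    if printf '%s\n' "$SAMPLE_CAPTURE" | ldaps_only; then
        echo "ldaps only: OK"
    else
        echo "plaintext LDAP (389) seen: the ldaps:// scheme is not in effect"
    fi
    # Live checks, only when sendmail is installed on this host.
    if command -v sendmail >/dev/null 2>&1; then
        sendmail_compiled_with LDAPMAP && echo "sendmail built with LDAPMAP"
        map_lookup root
    fi
    return 0
}

main "$@"
```

To use it against real traffic, capture the client side with `tcpdump -n host my-ldap-server` (or convert snoop output to the same "src > dst:" shape) and pipe the text into `ldaps_only`; it fails as long as any packet is addressed to port 389, which is exactly the symptom the question reports.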