[Exim] SMTP AUTH and LDAP bind

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Brian Candler
Datum:  
To: exim-users
Betreff: [Exim] SMTP AUTH and LDAP bind
I am trying to configure SMTP AUTH (plaintext) by means of a bind to an LDAP
server. This is so that I don't have to give the Exim box read access to the
password attribute.

It does actually work, using the following configuration:

--------------------------------------------------------------------------
#[in the top section]

# Magic macros for LDAP
ldap_default_servers = 192.0.2.1

LDAP_AUTH_QUERY = ldap:///dc=example,dc=com??sub?(uid=${quote_ldap:$2})
LDAP_AUTH_EXPR = ${lookup ldap {user="$value" pass=$3 LDAP_AUTH_QUERY}{1}{0}}
LDAP_AUTH_BIND = ${lookup ldapdn {LDAP_AUTH_QUERY}{LDAP_AUTH_EXPR}{0}}

...

#[in the authenticators section]

ldap_plain:
driver = plaintext
public_name = PLAIN
server_condition = LDAP_AUTH_BIND
server_set_id = $2

--------------------------------------------------------------------------

What that lovely macro stuff is doing is:
1. search for the DN of an entry with uid=<username>
   - if the search fails, return 0
     (exim gives a "535 Incorrect authentication data" response)
2. search again, binding using the DN found above and <password>


The problem is that if you present a good username but an invalid password
for that username, you get a huge 4xx error message:

auth plain AGJyaWFuAGJhZHBhc3N3b3Jk
435 Unable to authenticate at present: lookup of "user="uid=brian,dc=example,dc=com" pass=badpassword ldap:///dc=example,dc=com??sub?(uid=brian)" gave DEFER: failed to bind the LDAP connection to server 192.0.2.1:0 - LDAP error 49: Invalid credentials

It is of course correct, but what I would like to do in this case is have a
failed bind be treated just like a failed LDAP lookup, so I can get the same
535 response.

Is there a way of doing this? If not, please consider this a feature request
:-)

Thanks,

Brian.