I am trying to configure SMTP AUTH (plaintext) by means of a bind to an LDAP
server. This is so that I don't have to give the Exim box read access to the
password attribute.
It does actually work, using the following configuration:
--------------------------------------------------------------------------
#[in the top section]
# Magic macros for LDAP
ldap_default_servers = 192.0.2.1
LDAP_AUTH_QUERY = ldap:///dc=example,dc=com??sub?(uid=${quote_ldap:$2})
LDAP_AUTH_EXPR = ${lookup ldap {user="$value" pass=$3 LDAP_AUTH_QUERY}{1}{0}}
LDAP_AUTH_BIND = ${lookup ldapdn {LDAP_AUTH_QUERY}{LDAP_AUTH_EXPR}{0}}
...
#[in the authenticators section]
ldap_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = LDAP_AUTH_BIND
  server_set_id = $2
--------------------------------------------------------------------------
What that lovely macro stuff is doing is:
1. search for the DN of an entry with uid=<username>
   - if the search fails, return 0
     (Exim gives a "535 Incorrect authentication data" response)
2. search again, binding using the DN found above and <password>
The problem is that if you present a good username but an invalid password
for that username, you get a huge 4xx error message:
auth plain AGJyaWFuAGJhZHBhc3N3b3Jk
435 Unable to authenticate at present: lookup of "user="uid=brian,dc=example,dc=com" pass=badpassword ldap:///dc=example,dc=com??sub?(uid=brian)" gave DEFER: failed to bind the LDAP connection to server 192.0.2.1:0 - LDAP error 49: Invalid credentials
It is of course correct, but what I would like to do in this case is have a
failed bind be treated just like a failed LDAP lookup, so I can get the same
535 response.
Is there a way of doing this? If not, please consider this a feature request :-)
Thanks,
Brian.
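As an added illustration (not part of the post, and not Exim's own code), the following Python models the two-step macro described above against a constructed in-memory directory: decode the AUTH PLAIN blob into $1/$2/$3, search for the DN, bind with it, and map the outcome to an SMTP reply. It goes one step beyond the post: a genuine server failure still defers with a 4xx, while an LDAP "invalid credentials" bind result (error 49) gets the same 535 as a failed lookup, which is the behaviour the post asks for. The directory contents, the exception classes and the server_up flag are assumptions made for the simulation.

```python
import base64

# Constructed in-memory stand-in for the LDAP server (sample data, not from the post): DN -> (uid, password).
DIRECTORY = {"uid=brian,dc=example,dc=com": ("brian", "s3cret")}

class LdapInvalidCredentials(Exception): pass  # models LDAP resultCode 49 (invalid credentials) on bind
class LdapServerUnavailable(Exception): pass   # models a transport/server failure, the real DEFER case

def ldap_search_dn(uid, server_up=True):
    """Step 1 of the post's macro: the DN of the entry with uid=<username>, or None."""
    if not server_up:
        raise LdapServerUnavailable("cannot contact LDAP server")
    for dn, (entry_uid, _) in DIRECTORY.items():
        if entry_uid == uid:
            return dn
    return None

def ldap_bind(dn, password, server_up=True):
    """Step 2: simple bind as that DN with the supplied password."""
    if not server_up:
        raise LdapServerUnavailable("cannot contact LDAP server")
    if dn not in DIRECTORY or DIRECTORY[dn][1] != password:
        raise LdapInvalidCredentials("LDAP error 49: Invalid credentials")

def encode_auth_plain(authzid, authcid, password):
    """Build the SASL PLAIN blob a client sends: authzid NUL authcid NUL password, base64."""
    return base64.b64encode(f"{authzid}\x00{authcid}\x00{password}".encode()).decode()

def parse_auth_plain(b64):
    """Decode the blob into Exim's $1, $2, $3; raises ValueError if it is not well formed."""
    authzid, authcid, password = base64.b64decode(b64, validate=True).decode().split("\x00")
    return authzid, authcid, password

def smtp_auth_response(b64, server_up=True):
    """Classify the outcome: only a server problem defers (4xx); bad credentials fail (535)."""
    try:
        _, user, password = parse_auth_plain(b64)
    except (ValueError, UnicodeDecodeError):
        return "501 Cannot decode AUTH PLAIN response"  # RFC 4954 reply for an undecodable response
    try:
        dn = ldap_search_dn(user, server_up)
        if dn is None:
            return "535 Incorrect authentication data"  # unknown user: the DN lookup fails
        ldap_bind(dn, password, server_up)
    except LdapInvalidCredentials:
        return "535 Incorrect authentication data"  # wrong password: same reply as a failed lookup
    except LdapServerUnavailable:
        return "435 Unable to authenticate at present"  # genuine DEFER: directory unreachable
    return "235 Authentication succeeded"
```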