[Exim] LDAP & SMTP Authentication

Author: Jeffrey C. Ollie
Date:  
To: exim-users
Subject: [Exim] LDAP & SMTP Authentication
I'm trying out a new setup that will allow users to authenticate to Exim using their
LDAP credentials. Here's the relevant part of my configuration:

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${lookup ldap {user=uid=${quote_ldap:$1},ou=people,o=example.org pass=$2 ldap://ldap.example.org/uid=${quote_ldap:$1},ou=people,o=example.org?uid?base?(objectclass=*)}{yes}{no}}
server_set_id = uid=${quote_ldap:$1},ou=people,o=example.org

The authenticator works just fine when the correct username/password
is sent. My problem comes from when the client sends the wrong
password. Here's a sample session:

client $ telnet server.example.org 25
Trying 10.0.0.2...
Connected to server.example.org.
Escape character is '^]'.
220 server.example.org ESMTP Exim 3.33 #5 Tue, 02 Oct 2001 23:07:24 -0500
EHLO client.example.org
250-server.example.org Hello client.example.org [10.0.0.1]
250-SIZE
250-PIPELINING
250-AUTH LOGIN
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
435 Unable to authenticate at present: lookup of "user=uid=username,ou=people,o=example.org pass=password ldap://ldap.example.org/uid=usename,ou=people,o=example.org?uid?base?(objectclass=*)" gave DEFER: failed to bind the LDAP connection to server ldap.example.org:389 - LDAP error 49: Invalid credentials

As you can see, the password is returned in plaintext in the error
message. I worry that the error message might somehow end up in a
bounce message or leak out some other way. It's a small chance, sure,
but I'd like to eliminate the possibility. Is there anything short of
modifying the source that I can do?

Jeff
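The leak shown in the session above, as an added example that is not part of the original post or of Exim itself: a scrubber that masks the pass= value in an Exim LDAP lookup string (or in a DEFER message that quotes one) before the text reaches a log or bounce, plus a config-review check that flags a server_condition placing the client password in a plain ldap lookup's query. The sample message is reconstructed from the session above; the function names and the "<redacted>" mask are assumptions.

```python
import re

# Constructed sample, reconstructed from the DEFER line in the posted session:
# the whole LDAP lookup string, password included, is echoed back to the client.
SAMPLE_DEFER = (
    '435 Unable to authenticate at present: lookup of "user=uid=username,'
    'ou=people,o=example.org pass=password ldap://ldap.example.org/'
    'uid=usename,ou=people,o=example.org?uid?base?(objectclass=*)" gave '
    'DEFER: failed to bind the LDAP connection to server '
    'ldap.example.org:389 - LDAP error 49: Invalid credentials'
)

# Exim's LDAP query prefix is "user=... pass=..." and values may be double
# quoted; match a quoted value (allowing backslash escapes) or a bare run of
# non-space characters following "pass=".
_PASS_RE = re.compile(r'(\bpass=)(?:"(?:[^"\\]|\\.)*"|\S+)')


def redact_ldap_query(text: str, mask: str = "<redacted>") -> str:
    """Replace every pass=VALUE in a lookup string, or in an error message
    that quotes one, while leaving the rest of the message untouched."""
    return _PASS_RE.sub(lambda m: m.group(1) + mask, text)


def leaks_secret(text: str, secret: str) -> bool:
    """True if the secret appears verbatim, i.e. what a log line or bounce
    would carry if the message were emitted without scrubbing."""
    return secret in text


# A plain "${lookup ldap {...}}" whose query contains the password variable
# ($2 for the LOGIN prompts above) will reproduce it in any DEFER text.
_EMBEDDED_PASS_RE = re.compile(r'\$\{lookup\s+ldap\b.*?\bpass=\$\d', re.DOTALL)


def condition_embeds_password(server_condition: str) -> bool:
    """Config-review check: does this server_condition put the client's
    password into the query string of a plain ldap lookup?"""
    return _EMBEDDED_PASS_RE.search(server_condition) is not None


if __name__ == "__main__":
    print(redact_ldap_query(SAMPLE_DEFER))
```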