On Tue, 2 Oct 2001, Jeffrey C. Ollie wrote:
> I'm trying out a new setup that will allow user to authenticate to Exim using their
> LDAP credentials.
Hmm. Somebody mailed me privately about that and I thought it was a
really way-out idea. Seems that it's not a one-person scheme after all.
> 435 Unable to authenticate at present: lookup of "user=uid=username,ou=people,o=example.org pass=password ldap://ldap.example.org/uid=usename,ou=people,o=example.org?uid?base?(objectclass=*)" gave DEFER: failed to bind the LDAP connection to server ldap.example.org:389 - LDAP error 49: Invalid credentials
>
> As you can see, the password is returned in plaintext in the error
> message. I worry that the error message might somehow end up in a
> bounce message or leak out some other way. It's a small chance, sure,
> but I'd like to eliminate the possibility. Is there anything short of
> modifying the source that I can do?
I'm afraid not.
I think in Exim 4 the 435 message will be more terse, and the long
message will go only to the log (I've made some changes in this area to
stop leakage like this). However, it doesn't really work too well
because it really should be a 5xx error for authentication failure.
Problem is, I never thought of using LDAP this way, which is why a
password failure is treated as some kind of configuration error, causing
temporary failure.
I have added this to the Exim 4 wish list. I have for the moment stopped
working on the code while I update the documentation.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
