Re: [Exim] LDAP & SMTP Authentication

Author: Adam Cassar
Date:  
To: Jeffrey C. Ollie
CC: exim-users
Subject: Re: [Exim] LDAP & SMTP Authentication
Why not just use a query? I think this avoids the error.

On Tue, Oct 02, 2001 at 11:43:31PM -0500, Jeffrey C. Ollie wrote:
> I'm trying out a new setup that will allow users to authenticate to Exim using their
> LDAP credentials. Here's the relevant part of my configuration:
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = ${lookup ldap {user=uid=${quote_ldap:$1},ou=people,o=example.org pass=$2 ldap://ldap.example.org/uid=${quote_ldap:$1},ou=people,o=example.org?uid?base?(objectclass=*)}{yes}{no}}
> server_set_id = uid=${quote_ldap:$1},ou=people,o=example.org
>
> The authenticator works just fine when the correct username/password
> is sent. My problem comes from when the client sends the wrong
> password. Here's a sample session:
>
> client $ telnet server.example.org 25
> Trying 10.0.0.2...
> Connected to server.example.org.
> Escape character is '^]'.
> 220 server.example.org ESMTP Exim 3.33 #5 Tue, 02 Oct 2001 23:07:24 -0500
> EHLO client.example.org
> 250-server.example.org Hello client.example.org [10.0.0.1]
> 250-SIZE
> 250-PIPELINING
> 250-AUTH LOGIN
> 250-STARTTLS
> 250 HELP
> AUTH LOGIN
> 334 VXNlcm5hbWU6
> dXNlcm5hbWU=
> 334 UGFzc3dvcmQ6
> cGFzc3dvcmQ=
> 435 Unable to authenticate at present: lookup of "user=uid=username,ou=people,o=example.org pass=password ldap://ldap.example.org/uid=usename,ou=people,o=example.org?uid?base?(objectclass=*)" gave DEFER: failed to bind the LDAP connection to server ldap.example.org:389 - LDAP error 49: Invalid credentials
>
> As you can see, the password is returned in plaintext in the error
> message. I worry that the error message might somehow end up in a
> bounce message or leak out some other way. It's a small chance, sure,
> but I'd like to eliminate the possibility. Is there anything short of
> modifying the source that I can do?
>
> Jeff
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##


--

Adam Cassar
Technical Development Manager
___________________________________________
NetRegistry http://www.netregistry.net
D: +61 2 9641 8609 | F: +61 2 9699 6088
PO Box 270 Broadway NSW 2007 Australia