Re: [exim] SMTP AUTH via LDAP

Author: Rafał Kupka
Date:  
To: Chris Bellomy
CC: exim-users
Subject: Re: [exim] SMTP AUTH via LDAP
On 17-01-2007 at 21:54 +0000, Chris Bellomy wrote:
Hello,

> Here is the recipe I'm trying to get to work:
>
> LDAPCFG = user=cn=Manager,dc=blah,dc=com pass=xxxxxxx connect=5
>
> plain:
>    driver = plaintext 
>    public_name = PLAIN
>    server_prompts = :
>     server_condition = ${if ldapauth \
>      {user=${lookup ldapdn \
>      {LDAPCFG ldap:///ou=Employees,dc=blah,dc=com?dn?sub?(uid=$2)}} \
>      pass=$3 connect=5 ldap:///} {true} {fail}}
>    server_set_id = $2
>
> The problem here is that the DN's in this directory include
> CN's, which have spaces. My DN, for instance, would be:
>
>    cn=Chris Bellomy,ou=Employees,dc=blah,dc=com

I have a similar setup, but with artificially created cn attributes
without spaces. So I created a user with a cn like yours and performed some
tests.

> I keep thinking that quote_ldap_dn, properly placed, will solve
> this, but I just can't figure out the right iteration for that
> (if in fact quote_ldap_dn is the right function here).

After a first quick look at exim spec 9.16 and 9.17 I thought you were
right. But later I realized that ${quote_ldap_dn: } works only with
separate parts of an LDAP DN. Look:
brutus:~# exim4 -be
> ${quote_ldap_dn:cn=rafal kupka,ou=Accounts,dc=test,dc=wdg.pl,ou=Domains,o=wdg}
cn%3Drafal%20kupka%5C%2Cou%3DAccounts%5C%2Cdc%3Dtest%5C%2Cdc%3Dwdg.pl%5C%2Cou%3DDomains%5C%2Co%3Dwdg
> ${quote_ldap:cn=rafal kupka,ou=Accounts,dc=test,dc=wdg.pl,ou=Domains,o=wdg}
cn%3Drafal%20kupka%2Cou%3DAccounts%2Cdc%3Dtest%2Cdc%3Dwdg.pl%2Cou%3DDomains%2Co%3Dwdg

This operator escapes the comma separator between the cn and ou attributes
with a backslash (preventing an LDAP injection security hole).

I sidestepped the problem with this query:
server_condition = ${if ldapauth {\
                     user=${lookup ldapdn{LDAP_CRED \
                            ldap:///ou=Domains,LDAP_BASE??sub?\
                            (mail=${quote_ldap:$1})\
                           }{${quote_ldap:$value}}fail} \
                     pass=${quote:$2} ldap:///}{yes}{no}}


I don't know if ${quote_ldap: } is perfectly suitable in this situation
(quoting an LDAP DN as a whole), but at least it works with spaces.

> Problem two, if it can be solved, is that I'd prefer to do the
> search with an anonymous bind, and the authentication with the
> authenticated bind (of course). As far as I can tell, though,
> one can never do anonymous binds from exim. Am I right?


Have you tried just not setting user= and pass= in the LDAP query?
It should work.

Regards,
Kupson
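As an added example (not part of the original thread or of Exim's own code), a Python model of the two quoting operators compared in the message above, checked against the two `exim -be` results it shows; the URL-quoting rule (keep alphanumerics and "-._", encode the rest) is an assumption about Exim's behaviour, and the login value with filter metacharacters is constructed.

```python
from urllib.parse import quote, unquote

# Model of Exim's two LDAP quoting operators (example code, not Exim's).
# ${quote_ldap:}    backslash-escapes LDAP *filter* metacharacters (RFC 4515): * ( ) \
# ${quote_ldap_dn:} backslash-escapes *DN component* specials (RFC 4514):    , + " \ < > ;
# Both then URL-encode the result, which is why `exim -be` printed %3D, %20, %5C, %2C.
FILTER_SPECIALS = set('*()\\')
DN_SPECIALS = set(',+"\\<>;')


def _escape_then_url_quote(value: str, specials: set) -> str:
    # Backslash-escape the special characters, then URL-encode everything
    # except alphanumerics and "-._" (assumed to match Exim's URL quoting).
    escaped = ''.join('\\' + c if c in specials else c for c in value)
    return quote(escaped, safe='')


def quote_ldap(value: str) -> str:
    """Model of ${quote_ldap:}: for a value placed inside a search filter."""
    return _escape_then_url_quote(value, FILTER_SPECIALS)


def quote_ldap_dn(value: str) -> str:
    """Model of ${quote_ldap_dn:}: for ONE attribute value inside a DN."""
    return _escape_then_url_quote(value, DN_SPECIALS)


def filter_as_server_sees_it(attr: str, client_value: str, quoted: bool) -> str:
    """Expand `(attr=$2)` or `(attr=${quote_ldap:$2})` and URL-decode it,
    giving the filter string the LDAP server actually parses."""
    part = quote_ldap(client_value) if quoted else quote(client_value, safe='')
    return unquote(f'({attr}={part})')


def dn_commas_escaped(quoted_dn: str) -> bool:
    """True if the decoded DN has backslash-escaped commas, i.e. it was
    quoted as a single attribute value rather than as a whole DN."""
    return '\\,' in unquote(quoted_dn)


if __name__ == '__main__':
    dn = 'cn=rafal kupka,ou=Accounts,dc=test,dc=wdg.pl,ou=Domains,o=wdg'
    print(quote_ldap_dn(dn))  # commas become %5C%2C: the whole DN is now one value
    print(quote_ldap(dn))     # commas stay separators (%2C): usable as user= in ldapauth
    # Constructed login name carrying filter metacharacters, with and without quoting:
    for quoted in (False, True):
        print(filter_as_server_sees_it('uid', 'kupka*)(', quoted))
```

The unquoted `(uid=$2)` from the original recipe lets a login name change the filter's structure; the `${quote_ldap:$1}` form keeps it a single equality assertion.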