On 17-01-2007 at 21:54 +0000, Chris Bellomy wrote:
Hello,
> Here is the recipe I'm trying to get to work:
>
> LDAPCFG = user=cn=Manager,dc=blah,dc=com pass=xxxxxxx connect=5
>
> plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
> server_condition = ${if ldapauth \
> {user=${lookup ldapdn \
> {LDAPCFG ldap:///ou=Employees,dc=blah,dc=com?dn?sub?(uid=$2)}} \
> pass=$3 connect=5 ldap:///} {true} {fail}}
> server_set_id = $2
>
> The problem here is that the DNs in this directory include
> CNs, which have spaces. My DN, for instance, would be:
>
> cn=Chris Bellomy,ou=Employees,dc=blah,dc=com
I have a similar setup, but with artificially created cn attributes
without spaces. So I created a user with a cn= like yours and performed
some tests.
> I keep thinking that quote_ldap_dn, properly placed, will solve
> this, but I just can't figure out the right iteration for that
> (if in fact quote_ldap_dn is the right function here).
After a first quick look at exim spec 9.16 and 9.17 I thought you were
right. But later I realized that ${quote_ldap_dn: } works only with
separate parts of an ldap DN. Look:
brutus:~# exim4 -be
> ${quote_ldap_dn:cn=rafal kupka,ou=Accounts,dc=test,dc=wdg.pl,ou=Domains,o=wdg}
cn%3Drafal%20kupka%5C%2Cou%3DAccounts%5C%2Cdc%3Dtest%5C%2Cdc%3Dwdg.pl%5C%2Cou%3DDomains%5C%2Co%3Dwdg
> ${quote_ldap:cn=rafal kupka,ou=Accounts,dc=test,dc=wdg.pl,ou=Domains,o=wdg}
cn%3Drafal%20kupka%2Cou%3DAccounts%2Cdc%3Dtest%2Cdc%3Dwdg.pl%2Cou%3DDomains%2Co%3Dwdg
This operator escapes the comma separator between the cn and ou attributes
with a backslash (preventing an ldap injection security hole).
I sidestepped the problem with this query:
server_condition = ${if ldapauth {\
user=${lookup ldapdn{LDAP_CRED \
ldap:///ou=Domains,LDAP_BASE??sub?\
(mail=${quote_ldap:$1})\
}{${quote_ldap:$value}}fail} \
pass=${quote:$2} ldap:///}{yes}{no}}
I don't know if ${quote_ldap: } is perfectly suitable in this situation
(quoting an ldap DN as a whole), but at least it works with spaces.
> Problem two, if it can be solved, is that I'd prefer to do the
> search with an anonymous bind, and the authentication with the
> authenticated bind (of course). As far as I can tell, though,
> one can never do anonymous binds from exim. Am I right?
Have you tried just not setting user= and pass= in the ldap query?
It should work.
Regards,
Kupson
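The quote_ldap_dn / quote_ldap difference shown in the exim -be session above, as an added example that is not part of the thread or of Exim itself: a small Python emulation of the two operators (the URL-quoting rule it assumes is noted in the comments) that reproduces the two quoted output lines, shows why applying the DN operator to a whole DN collapses its RDNs, and shows how the filter operator keeps a looked-up value from adding filter structure.

```python
import urllib.parse

# Constructed emulation (not Exim's source) of Exim's ${quote_ldap_dn:} and
# ${quote_ldap:} operators, close enough to reproduce the exim -be output in
# the thread. Assumed, not stated on the page: the final URL-quoting step
# leaves only ASCII letters, digits and "." unencoded and emits upper-case hex.
DN_SPECIAL = ',+"\\<>;'                                          # RFC 4514
FILTER_SPECIAL = {"*": "2A", "(": "28", ")": "29", "\\": "5C"}   # RFC 4515
URL_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.")

def url_quote(s: str) -> str:
    """Percent-encode every character outside URL_SAFE."""
    return "".join(c if c in URL_SAFE else "%%%02X" % ord(c) for c in s)

def quote_ldap_dn(value: str) -> str:
    """DN-value quoting: backslash the RDN separators, then URL-quote."""
    return url_quote("".join("\\" + c if c in DN_SPECIAL else c for c in value))

def quote_ldap(value: str) -> str:
    """Filter-value quoting: RFC 4515 \\XX escapes, then URL-quote."""
    escaped = "".join("\\" + FILTER_SPECIAL[c] if c in FILTER_SPECIAL else c
                      for c in value)
    return url_quote(escaped)

def count_rdns(dn: str) -> int:
    """RDNs an LDAP server would see: split on commas not escaped by a backslash."""
    n, escaped = 1, False
    for c in dn:
        if escaped:
            escaped = False
        elif c == "\\":
            escaped = True
        elif c == ",":
            n += 1
    return n

def structural_parens(attr: str, raw: str, quoted: bool) -> int:
    """Parentheses left for the server to parse in '(attr=value)' after URL
    decoding. A value that cannot alter the filter leaves exactly the outer 2."""
    value = urllib.parse.unquote(quote_ldap(raw)) if quoted else raw
    return sum(f"({attr}={value})".count(p) for p in "()")

if __name__ == "__main__":
    dn = "cn=rafal kupka,ou=Accounts,dc=test,dc=wdg.pl,ou=Domains,o=wdg"
    print(quote_ldap_dn(dn))   # same string as the first exim -be line above
    print(quote_ldap(dn))      # same string as the second
    # DN-quoting a whole DN escapes every separator: the server sees one RDN
    # instead of six, so the bind DN no longer matches any entry.
    print(count_rdns(dn), count_rdns(urllib.parse.unquote(quote_ldap_dn(dn))))
    print(structural_parens("uid", "a(b)", False), structural_parens("uid", "a(b)", True))
```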