[exim] Validating user@domain using SPA authenticator

Author: Pedro Ribeiro
Date:  
To: exim-users
Subject: [exim] Validating user@domain using SPA authenticator
Hello,

I'm trying to authenticate our Outlook users using the SPA/NTLM
authenticator native to Exim 4.67.

The problem is the extraction of the domain name to execute the query
in the database to fetch the password for verification.

It seems that $auth1 only contains the local part of the address
($auth2 and $auth3 seem to be empty ...)

The macro I'm using for MySQL:

GET_CLEAR_PASS = SELECT pw_clear_passwd FROM vpopmail \
    WHERE pw_name = '${quote_mysql:${local_part:$auth1}}' \
    AND pw_domain = '${quote_mysql:${domain:$auth1}}' LIMIT 1

The configuration of the authenticator:

spa:
  driver = spa
  public_name = NTLM
  server_password = "${lookup mysql {GET_CLEAR_PASS} {$value} fail }"
  server_set_id = $auth1

The debugging of the failed tries (using pribeiro@??? as
username in the Outlook client):

19446 MYSQL query: SELECT pw_clear_passwd FROM vpopmail WHERE pw_name = 'pribeiro' AND pw_domain = '' LIMIT 1

Decoding the base64 strings sent by the client during
authentication I can see the domain, localpart and machine name
encoded in unicode:

NTLMSSP?????????v???????????????H???????\???
?
?l?????????????????(
????n?e?t?.?i?p?l?.?p?t?p?r?i?b?e?i?r?o?P?E?D?R?O????d?????P?,??R??
?%? ????]?Wf???qI?K????~??]?

Searching the available documentation I couldn't find any detailed
information about this subject.

Is there any solution ($variable or way to extract the domain)?

--
Best regards,

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Pedro Ribeiro
IPLNet - Rede de dados e comunicações
Instituto Politécnico de Lisboa (IPL)
Mail: mailto:pribeiro-bulk@net.ipl.pt
VoIP: sip:pribeiro@???
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-