[exim-dev] [Bug 1273] `ldapauth` fails when TLS is enabled

Author: Alexander Zagrebin
To: exim-dev
Subject: [exim-dev] [Bug 1273] `ldapauth` fails when TLS is enabled
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1273
--- Comment #3 from Alexander Zagrebin <alexz@???> 2012-07-23 07:30:54 ---
(In reply to comment #2)
> Which LDAP server are you using?
openldap 2.4.31

> The code change you use says to not use TLS if already *authenticated* to the
> server; that may be a decent approximation, while the ldap_* options are not
> expanded, but I'm reluctant to use it as-is because it means that if those
> options become expanded, a configuration which allows anonymous binds without
> TLS but is supposed to use TLS for an authenticated bind would avoid TLS and
> this would then become a security bug.
Hm-m-m. lcp->bound will be set to TRUE after any successful bind, including an
anonymous (not authenticated) bind. So the patch prevents starting TLS if we
are already successfully connected to the server (this is the case when exim uses a
cached connection).
When looking in the cache, exim checks only the IP address and corresponding port
and does not check any options.
So, imho, it is impossible to have two connections (unprotected and protected
via TLS) to the same host/port at the same time.

> Could you include a debug trace showing the lookups failing for you, with
> sensitive data anonymised? I'm not in a situation to set up a decent test this
> weekend to replicate myself.
The log is attached.
--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
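The cache-reuse concern discussed in this thread, modelled as an added example (not Exim's code): a connection cache keyed on host and port only hands an already-bound plaintext connection to a lookup that expects TLS, and a "skip STARTTLS if bound" rule then leaves that lookup unprotected, whereas a lookup that also checks the cached connection's TLS state does not. All struct and function names, and the host name, are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a cached LDAP connection (not Exim's real struct). */
typedef struct {
    char host[64];
    int port;
    bool bound;        /* set after any successful bind, anonymous included */
    bool tls_active;   /* STARTTLS already negotiated on this socket */
} ldap_conn;

/* Cache lookup keyed on host and port only, as the comment describes. */
static ldap_conn *find_by_hostport(ldap_conn *cache, size_t n,
                                   const char *host, int port) {
    for (size_t i = 0; i < n; i++)
        if (cache[i].port == port && strcmp(cache[i].host, host) == 0)
            return &cache[i];
    return NULL;
}

/* Lookup that additionally requires the cached connection's TLS state to
   match what the new lookup wants, so a plaintext connection is never
   reused for a lookup that is supposed to run over TLS. */
static ldap_conn *find_matching_tls(ldap_conn *cache, size_t n,
                                    const char *host, int port, bool want_tls) {
    ldap_conn *c = find_by_hostport(cache, n, host, port);
    return (c != NULL && c->tls_active == want_tls) ? c : NULL;
}

/* Returns true when a lookup that wants TLS would end up reusing an
   unprotected connection: the downgrade the reviewer warns about.
   The cache holds one constructed entry: an anonymous plaintext bind. */
bool reuse_downgrades(bool key_includes_tls) {
    ldap_conn cache[1] = { { "ldap.example.test", 389, true, false } };
    ldap_conn *c = key_includes_tls
        ? find_matching_tls(cache, 1, "ldap.example.test", 389, true)
        : find_by_hostport(cache, 1, "ldap.example.test", 389);
    /* Under the patch being discussed, a bound connection skips STARTTLS. */
    return c != NULL && c->bound && !c->tls_active;
}
```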