Re: [exim] ldapauth and SSHA

Author: Phil Pennock
Date:  
To: Meinhard Schneider
CC: exim-users
Subject: Re: [exim] ldapauth and SSHA
On 2012-08-26 at 15:23 +0200, Meinhard Schneider wrote:
>         ldapauth \
>         { \
>           user="uid=${quote_ldap_dn:$auth2},cn=users,dc=XXX,dc=de" \
>           pass=${quote_ldap:$auth3} \
>           ldap://xx.xx.xx.xx/ \
>         } \


> If this happens, Exim refuses to authenticate this user. I tried this by hand -
> I have to change the password hashing algo back to MD5 and everything is working
> again. However - all other authentication via pam.d works fine with SSHA.
>
> I tried to figure out if there are known flaws with Exim's ldapauth vs. LDAP
> SSHA, but Google doesn't help me. Any ideas what I'm doing wrong?
>
> I am using Debian Testing with Exim 4.80 and slapd 2.4.31.


Exim does not know or care about how the password is hashed in LDAP; the
ldapauth method tests if the connection can be authenticated, using the
LDAP client libraries, and how that authentication is managed is an
internal issue. In practice, I don't think Exim does anything specific
to support SASL auth, so it's going to be simple bind.

I'd check if the slapd which Exim is talking to is updated to the same
level as the slapd which takes the updates, and if the LDAP libraries
which Exim is linked against have also been updated.

(It seems that "ldd" is the only way to check that; I _think_ that when
I added all the version reporting stuff for Exim's library dependencies,
I didn't see an API call to extract the _runtime_ library version, so
skipped LDAP.)

-Phil
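
Added example, not part of the original message and not Exim or OpenLDAP code: a Python model of the server-side check that a simple bind triggers, showing that the client sends the same cleartext password whether userPassword is stored as {MD5} or {SSHA}. The function names and sample passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def make_md5(password):
    """{MD5} value: base64(MD5(password)), unsalted."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode("ascii")

def check_user_password(stored, presented):
    """Model of the directory server comparing a simple-bind password
    (bytes, as sent by the client) against a stored userPassword value."""
    scheme, sep, b64 = stored.partition("}")
    if not sep or not scheme.startswith("{"):
        return False  # cleartext or malformed values are out of scope here
    scheme = scheme[1:].upper()
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if scheme == "SSHA":
        if len(raw) <= 20:  # a SHA-1 digest is 20 bytes; the salt follows it
            return False
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(presented + salt).digest()
    elif scheme == "MD5":
        digest = raw
        candidate = hashlib.md5(presented).digest()
    else:
        return False  # scheme this model does not implement
    return hmac.compare_digest(digest, candidate)

if __name__ == "__main__":
    bind_password = b"correct horse"  # constructed sample; what the client sends
    for stored in (make_md5(bind_password), make_ssha(bind_password)):
        # Same client input in both cases; only the server-side branch differs.
        print(stored.split("}")[0] + "}", check_user_password(stored, bind_password))
```

If the bind fails only for {SSHA} entries, the branch that differs is on the server or in the libraries in between, which is why the advice above is to compare slapd and LDAP library versions.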