[exim] LDAP for SMTP auth not working

Author: Paul Muster
Date:  
To: exim-users
Subject: [exim] LDAP for SMTP auth not working
Hello, Exim-Users,

I want to use LDAP for SMTP authentication.

The second box on
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_plaintext_authenticator.html#SECID173
shows an example which I customized for my environment:

--> /etc/exim4/conf.d/auth/40_LDAP-auth
plain_server:
  driver = plaintext
  public_name = PLAIN
  server_prompts = Username:: : Password::
  server_condition = ${if and{{ \
    !eq{}{$auth2} }{ \
    ldapauth{\
      user="uid=${quote_ldap_dn:$auth2},ou=Users,dc=BASE" \
      pass=${quote:$auth3} \
      ldap://ldap/} }} }


"ldap" is my LDAP server and 'telnet ldap 389' on the mailserver
(192.168.1.4) shows that *there is no packet filter between them*:

Mar 2 21:20:03 ldap slapd[9942]: conn=1113 fd=43 ACCEPT from
IP=192.168.1.4:60401 (IP=0.0.0.0:389)
Mar 2 21:21:25 ldap slapd[9942]: conn=1113 fd=43 closed (connection lost)

*When delivering to Exim with SMTP auth* I get this in Exim's logs:

2013-03-02 20:52:49 plain_server authenticator failed for <client>:
435 Unable to authenticate at present (set_id=paul): failed to bind the
LDAP connection to server ldap:389 - ldap_bind() returned -1 inside
"and{...}" condition

*The LDAP server does not see any incoming connection from mailserver.*

I tried removing the "and{{" clause, which changed Exim's log entry:

2013-02-20 23:10:00 plain_server authenticator failed for <client>: 435
Unable to authenticate at present (set_id=paul): failed to bind the LDAP
connection to server ldap:389 - ldap_bind() returned -1

Also adding a return code in server_condition...
               ldap://ldap/} }} {yes} {no} }
... did not help.



In the meantime I'm of the opinion that there must be something defective
in Exim's LDAP functionality...


Some additional information:

# exim -d -be '${if
ldapauth{user="uid=${quote_ldap_dn:paul},ou=Users,dc=BASIS"
pass=${quote:geheim} ldap://ldap/}}'

shows:

* with existing user and wrong password:

Mar 4 18:28:06 ldap slapd[9942]: conn=5292 fd=70 ACCEPT from
IP=192.168.1.4:37312 (IP=0.0.0.0:389)
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 op=0 BIND
dn="uid=paul,ou=Users,dc=BASIS" method=128
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 op=0 RESULT tag=97 err=49 text=
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 op=1 UNBIND
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 fd=70 closed

Exim version 4.80 uid=0 gid=0 pid=14864 D=fbb95cfd
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.7.2]
Library version: GnuTLS: Compile: 2.12.20
                         Runtime: 2.12.20
Library version: Cyrus SASL: Compile: 2.1.25
                             Runtime: 2.1.25 [Cyrus SASL]
Library version: PCRE: Compile: 8.31
                       Runtime: 8.30 2012-02-04
Total 19 lookups
Library version: MySQL: Compile: 5.5.28 [(Debian)]
                        Runtime: 5.5.28
Library version: SQLite: Compile: 3.7.15.1
                         Runtime: 3.7.13
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
changed uid/gid: -C, -D, -be or -bf forces real uid
  uid=0 gid=0 pid=14864
  auxiliary group list: 0
seeking password data for user "uucp": cache not available
getpwnam() succeeded uid=10 gid=10
changed uid/gid: calling tls_validate_require_cipher
  uid=104 gid=106 pid=14865
  auxiliary group list: 0
tls_validate_require_cipher child 14865 ended: status=0x0
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 00000ffc 00612001
trusted user
admin user
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=8
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
sender address = root@???
LDAP parameters: user=uid=paul,ou=Users,dc=BASIS pass=geheim size=0
time=0 connect=0 dereference=0 referrals=on
perform_ldap_search: ldapauth URL = "ldap://ldap/" server=NULL port=0
sizelimit=0 timelimit=0 tcplimit=0
after ldap_url_parse: host=ldap port=389
ldap_initialize with URL ldap://ldap:389/
initialized for LDAP (v3) server ldap:389
LDAP_OPT_X_TLS_TRY set
binding with user=uid=paul,ou=Users,dc=BASIS password=geheim
Invalid credentials: ldapauth returns FAIL


search_tidyup called
unbind LDAP connection to ldap:389
>>>>>>>>>>>>>>>> Exim pid=14864 terminating with rc=0 >>>>>>>>>>>>>>>>



* with existing user and right password:

Mar 4 18:29:48 ldap slapd[9942]: conn=5293 fd=70 ACCEPT from
IP=192.168.1.4:37313 (IP=0.0.0.0:389)
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 op=0 BIND
dn="uid=paul,ou=Users,dc=BASIS" method=128
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 op=0 BIND
dn="uid=paul,ou=Users,dc=BASIS" mech=SIMPLE ssf=0
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 op=0 RESULT tag=97 err=0 text=
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 op=1 UNBIND

Exim version 4.80 uid=0 gid=0 pid=14867 D=fbb95cfd
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.7.2]
Library version: GnuTLS: Compile: 2.12.20
                         Runtime: 2.12.20
Library version: Cyrus SASL: Compile: 2.1.25
                             Runtime: 2.1.25 [Cyrus SASL]
Library version: PCRE: Compile: 8.31
                       Runtime: 8.30 2012-02-04
Total 19 lookups
Library version: MySQL: Compile: 5.5.28 [(Debian)]
                        Runtime: 5.5.28
Library version: SQLite: Compile: 3.7.15.1
                         Runtime: 3.7.13
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
changed uid/gid: -C, -D, -be or -bf forces real uid
  uid=0 gid=0 pid=14867
  auxiliary group list: 0
seeking password data for user "uucp": cache not available
getpwnam() succeeded uid=10 gid=10
changed uid/gid: calling tls_validate_require_cipher
  uid=104 gid=106 pid=14870
  auxiliary group list: 0
tls_validate_require_cipher child 14870 ended: status=0x0
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 00000ffc 00612001
trusted user
admin user
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=8
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
sender address = root@???
LDAP parameters: user=uid=paul,ou=Users,dc=BASIS pass=<password> size=0
time=0 connect=0 dereference=0 referrals=on
perform_ldap_search: ldapauth URL = "ldap://ldap/" server=NULL port=0
sizelimit=0 timelimit=0 tcplimit=0
after ldap_url_parse: host=ldap port=389
ldap_initialize with URL ldap://ldap:389/
initialized for LDAP (v3) server ldap:389
LDAP_OPT_X_TLS_TRY set
binding with user=uid=paul,ou=Users,dc=BASIS password=<password>
Bind succeeded: ldapauth returns OK
true
search_tidyup called
unbind LDAP connection to ldap:389

>>>>>>>>>>>>>>>> Exim pid=14867 terminating with rc=0 >>>>>>>>>>>>>>>>



* as user Debian-exim it works, too:

Mar 4 18:38:41 ldap slapd[9942]: conn=5309 fd=70 ACCEPT from
IP=192.168.1.4:37333 (IP=0.0.0.0:389)
Mar 4 18:38:41 ldap slapd[9942]: conn=5309 op=0 BIND
dn="uid=paul,ou=Users,dc=BASIS" method=128
Mar 4 18:38:41 ldap slapd[9942]: conn=5309 op=0 BIND
dn="uid=paul,ou=Users,dc=BASIS" mech=SIMPLE ssf=0
Mar 4 18:38:41 ldap slapd[9942]: conn=5309 op=0 RESULT tag=97 err=0 text=
Mar 4 18:38:41 ldap slapd[9942]: conn=5309 op=1 UNBIND
Mar 4 18:38:41 ldap slapd[9942]: conn=5309 fd=70 closed

Exim version 4.80 uid=104 gid=106 pid=15501 D=fbb95cfd
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.7.2]
Library version: GnuTLS: Compile: 2.12.20
                         Runtime: 2.12.20
Library version: Cyrus SASL: Compile: 2.1.25
                             Runtime: 2.1.25 [Cyrus SASL]
Library version: PCRE: Compile: 8.31
                       Runtime: 8.30 2012-02-04
Total 19 lookups
Library version: MySQL: Compile: 5.5.28 [(Debian)]
                        Runtime: 5.5.28
Library version: SQLite: Compile: 3.7.15.1
                         Runtime: 3.7.13
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
changed uid/gid: -C, -D, -be or -bf forces real uid
  uid=104 gid=106 pid=15501
  auxiliary group list: 1 106 109
seeking password data for user "uucp": cache not available
getpwnam() succeeded uid=10 gid=10
tls_validate_require_cipher child 15502 ended: status=0x0
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 00000ffc 00612001
LOG: MAIN PANIC
  exim user lost privilege for using -D option
trusted user
admin user
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=8
user name "" extracted from gecos field ""
originator: uid=104 gid=106 login=Debian-exim name=
sender address = Debian-exim@???
LDAP parameters: user=uid=paul,ou=Users,dc=BASIS pass=<password> size=0
time=0 connect=0 dereference=0 referrals=on
perform_ldap_search: ldapauth URL = "ldap://ldap/" server=NULL port=0
sizelimit=0 timelimit=0 tcplimit=0
after ldap_url_parse: host=ldap port=389
ldap_initialize with URL ldap://ldap:389/
initialized for LDAP (v3) server ldap:389
LDAP_OPT_X_TLS_TRY set
binding with user=uid=paul,ou=Users,dc=BASIS password=<password>
Bind succeeded: ldapauth returns OK
true
search_tidyup called
unbind LDAP connection to ldap:389

>>>>>>>>>>>>>>>> Exim pid=15501 terminating with rc=0 >>>>>>>>>>>>>>>>



What's wrong with my Exim or my configuration?


Thanks for any help!


Greetings, Paul
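The diagnostic in the post rests on correlating two logs: Exim reports "ldap_bind() returned -1" while slapd shows whether a connection from the mail server ever arrived and, if so, how the bind ended. The script below is an added example (not part of Paul's message or of Exim) that does that correlation over slapd log lines: it groups lines by conn= id, pairs each BIND op with its RESULT code, flags simple binds that ran with ssf=0 (password sent without TLS protection), and answers "did any connection from 192.168.1.4 reach slapd in this time window?". The sample log is constructed from the line formats shown in the thread; the window around the Exim failure is an assumed value.

```python
"""Correlate OpenLDAP (slapd) log lines per connection to check whether a
client's bind attempts reached the server and how they ended.

Added example; the sample below is constructed to match the slapd line
format quoted in the thread, it is not a real log capture."""
import re
from datetime import datetime

SAMPLE_SLAPD_LOG = """\
Mar 2 21:20:03 ldap slapd[9942]: conn=1113 fd=43 ACCEPT from IP=192.168.1.4:60401 (IP=0.0.0.0:389)
Mar 2 21:21:25 ldap slapd[9942]: conn=1113 fd=43 closed (connection lost)
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 fd=70 ACCEPT from IP=192.168.1.4:37312 (IP=0.0.0.0:389)
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 op=0 BIND dn="uid=paul,ou=Users,dc=BASIS" method=128
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 op=0 RESULT tag=97 err=49 text=
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 op=1 UNBIND
Mar 4 18:28:06 ldap slapd[9942]: conn=5292 fd=70 closed
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 fd=70 ACCEPT from IP=192.168.1.4:37313 (IP=0.0.0.0:389)
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 op=0 BIND dn="uid=paul,ou=Users,dc=BASIS" method=128
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 op=0 BIND dn="uid=paul,ou=Users,dc=BASIS" mech=SIMPLE ssf=0
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 op=0 RESULT tag=97 err=0 text=
Mar 4 18:29:48 ldap slapd[9942]: conn=5293 op=1 UNBIND
"""

LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+'
    r'\S+\s+slapd\[\d+\]:\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$')
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<ip>[\d.]+):(?P<port>\d+)')
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
                     r'(?: method=(?P<method>\d+))?'
                     r'(?: mech=(?P<mech>\S+) ssf=(?P<ssf>\d+))?')
RESULT_RE = re.compile(r'op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)')

# LDAP result codes (RFC 4511) that typically show up on bind responses.
RESULT_CODES = {0: "success", 49: "invalidCredentials",
                32: "noSuchObject", 53: "unwillingToPerform"}


def parse_time(mon, day, time):
    """syslog lines carry no year; strptime defaults to 1900, which keeps
    ordering consistent within one log."""
    return datetime.strptime(f"{mon} {int(day):02d} {time}", "%b %d %H:%M:%S")


def correlate(log_text):
    """Group slapd lines by conn= id: client IP, accept time, binds, close."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_time(m["mon"], m["day"], m["time"])
        rec = conns.setdefault(int(m["conn"]), {
            "client": None, "accepted": None, "binds": [], "closed": False})
        rest = m["rest"]
        a = ACCEPT_RE.search(rest)
        if a:
            rec["client"], rec["accepted"] = a["ip"], ts
            continue
        b = BIND_RE.search(rest)
        if b:
            # slapd logs the bind request (method=128 = simple) first and, once
            # processed, a second line carrying the mechanism and the SSF used.
            if b["mech"]:
                for bind in rec["binds"]:
                    if bind["op"] == b["op"]:
                        bind["mech"], bind["ssf"] = b["mech"], int(b["ssf"])
            else:
                rec["binds"].append({"op": b["op"], "dn": b["dn"],
                                     "mech": None, "ssf": None, "err": None})
            continue
        r = RESULT_RE.search(rest)
        if r:
            for bind in rec["binds"]:
                if bind["op"] == r["op"]:
                    bind["err"] = int(r["err"])
            continue
        if re.search(r'\bclosed\b', rest):
            rec["closed"] = True
    return conns


def bind_report(conns):
    """One row per bind: (conn, client ip, dn, outcome, cleartext_simple_bind)."""
    rows = []
    for conn, rec in conns.items():
        for b in rec["binds"]:
            if b["err"] is None:
                outcome = "no RESULT logged"
            else:
                outcome = RESULT_CODES.get(b["err"], f"err={b['err']}")
            # mech=SIMPLE with ssf=0: the password crossed the wire without
            # TLS or SASL protection, even though the client had TLS_TRY set.
            cleartext = b["mech"] == "SIMPLE" and b["ssf"] == 0
            rows.append((conn, rec["client"], b["dn"], outcome, cleartext))
    return rows


def connections_from(conns, client_ip, start, end):
    """conn ids ACCEPTed from client_ip with start <= accept time <= end."""
    return sorted(c for c, r in conns.items()
                  if r["client"] == client_ip and r["accepted"] is not None
                  and start <= r["accepted"] <= end)


if __name__ == "__main__":
    conns = correlate(SAMPLE_SLAPD_LOG)
    for row in bind_report(conns):
        print(row)
    # Assumed window around the Exim failure logged at 2013-03-02 20:52:49.
    window = (parse_time("Mar", "2", "20:50:00"), parse_time("Mar", "2", "20:55:00"))
    hits = connections_from(conns, "192.168.1.4", *window)
    print("slapd connections from mailserver in window:",
          hits or "none (bind failed before any TCP connection reached slapd)")
```

An empty result for the window around the Exim failure, with successful accepts from the same client at other times, localises the problem to the client side before the connection is opened (name resolution, TLS setup or the daemon's runtime environment) rather than to slapd's access rules. The cleartext flag is the caveat worth acting on separately: a simple bind with ssf=0 carries the SMTP user's password unencrypted between the mail server and the directory.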