Re: [exim] LDAP for SMTP auth not working

Author: Paul Muster
Date:  
To: exim-users
Subject: Re: [exim] LDAP for SMTP auth not working
Hello, Todd,

many thanks for your reply. This has been pointed out by Andreas Metzler
when working on my Debian bug report
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702116 regarding this
problem. I changed the authenticator, but it did not help, see below.

On 07.03.2013 15:04, Todd Lyons wrote:
> On Wed, Mar 6, 2013 at 10:04 AM, Paul Muster <paul@???> wrote:
>>
>> --> /etc/exim4/conf.d/auth/40_LDAP-auth
>> plain_server:
>>   driver = plaintext
>>   public_name = PLAIN
>>   server_prompts = Username:: : Password::
>>   server_condition = ${if and{{ \
>>     !eq{}{$auth2} }{ \
>>     ldapauth{\
>>       user="uid=${quote_ldap_dn:$auth2},ou=Users,dc=BASE" \
>>       pass=${quote:$auth3} \
>>       ldap://ldap/} }} }
>
> As shown in the bottom of your post, it looks like your ldap is
> working as expected. However, I wonder if your problem is something
> more basic because your server prompts for PLAIN are different than
> mine. Here is what I have:
>
> plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
> <snip>
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = Username:: : Password::
> <snip>
>
> I wonder if the parsing is just failing because of wrong prompts?


# PLAIN with an empty prompt: $auth1 = authorization id (usually empty),
# $auth2 = authentication id (username), $auth3 = password
plain_server_ldap:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if and{{ \
    !eq{}{$auth2} }{ \
    ldapauth{\
      user="uid=${quote_ldap_dn:$auth2},ou=Users,dc=BASIS" \
      pass=${quote:$auth3} \
      ldap://ldap/} }} }
  server_set_id = $auth2


# LOGIN with two prompts: $auth1 = username, $auth2 = password
login_server_ldap:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if and{{ \
    !eq{}{$auth1} }{ \
    ldapauth{\
      user="uid=${quote_ldap_dn:$auth1},ou=Users,dc=BASIS" \
      pass=${quote:$auth2} \
      ldap://ldap/} }} }
  server_set_id = $auth1
Some debug information:

# exim -d+all -bdf -oX 2525

19:23:32 29767 SMTP<< AUTH PLAIN <auth_data>=
19:23:32 29767 plain_server_ldap authenticator server_condition:
19:23:32 29767   $auth1 =
19:23:32 29767   $auth2 = paul
19:23:32 29767   $auth3 = <password>
19:23:32 29767   $1 =
19:23:32 29767   $2 = paul
19:23:32 29767   $3 = <password>
19:23:32 29767 expanding:
19:23:32 29767    result:
19:23:32 29767 expanding: $auth2
19:23:32 29767    result: paul
19:23:32 29767 expanding: $auth2
19:23:32 29767    result: paul
19:23:32 29767 expanding: $auth3
19:23:32 29767    result: <password>
19:23:32 29767 expanding:
user="uid=${quote_ldap_dn:$auth2},ou=Users,dc=BASIS"
pass=${quote:$auth3} ldap://ldap/
19:23:32 29767    result: user="uid=paul,ou=Users,dc=BASIS"
pass="<password>" ldap://ldap/
19:23:32 29767 LDAP parameters: user=uid=paul,ou=Users,dc=BASIS
pass=<password> size=0 time=0 connect=0 dereference=0 referrals=on
19:23:32 29767 perform_ldap_search: ldapauth URL = "ldap://ldap/"
server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
19:23:32 29767 after ldap_url_parse: host=ldap port=389
19:23:32 29767 ldap_initialize with URL ldap://ldap:389/
19:23:32 29767 initialized for LDAP (v3) server ldap:389
19:23:32 29767 LDAP_OPT_X_TLS_TRY set
19:23:32 29767 binding with user=uid=paul,ou=Users,dc=BASIS
password=<password>
19:23:32 29767 failed to bind the LDAP connection to server ldap:389 -
ldap_bind() returned -1
19:23:32 29767 failed to expand: ${if and{{ !eq{}{$auth2} }{
ldapauth{user="uid=${quote_ldap_dn:$auth2},ou=Users,dc=BASIS"
pass=${quote:$auth3} ldap://ldap/} }} }
19:23:32 29767    error message: failed to bind the LDAP connection to
server ldap:389 - ldap_bind() returned -1 inside "and{...}" condition
19:23:32 29767 expansion failed: failed to bind the LDAP connection to
server ldap:389 - ldap_bind() returned -1 inside "and{...}" condition
19:23:32 29767 expanding: $auth2
19:23:32 29767    result: paul
19:23:32 29767 SMTP>> 435 Unable to authenticate at present
19:23:32 29767 tls_do_write(0xb8b33840, 39)
19:23:32 29767 gnutls_record_send(SSL, 0xb8b33840, 39)
19:23:32 29767 outbytes=39
19:23:32 29767 LOG: MAIN REJECT
19:23:32 29767   plain_server_ldap authenticator failed for <client>:
435 Unable to authenticate at present (set_id=paul): failed to bind the
LDAP connection to server ldap:389 - ldap_bind() returned -1 inside
"and{...}" condition
19:23:32 29767 Calling gnutls_record_recv(0xb8b55570, 0xb8cf01a8, 4096)
On the LDAP server no connection comes in.


Thanks & greetings,

Paul
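The debug output above ends in `ldap_bind() returned -1` while the directory logs no incoming connection, which points at the transport layer (name resolution, port, or a firewall) rather than at the credentials. The following is an added example, not part of the original post or of Exim: it builds the bind DN with RFC 4514 escaping of the username (modelled on what `${quote_ldap_dn:...}` is for; the exact escape form Exim emits is an assumption) and classifies why the host:port from an `ldap://ldap/` URL cannot be reached, using only a TCP connect.

```python
import socket
from urllib.parse import urlsplit

# Characters RFC 4514 requires escaping inside a DN attribute value.
# Assumption: this matches the set Exim's ${quote_ldap_dn:...} protects against;
# it is the same class of DN-injection risk that operator exists to prevent.
DN_SPECIALS = set(',+"\\<>;=')


def quote_ldap_dn(value: str) -> str:
    """Escape a username for use in a DN such as uid=...,ou=Users,dc=BASIS."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)          # backslash-escaped special
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))  # control characters as \XX hex
        else:
            out.append(ch)
    return ''.join(out)


def ldap_target(url: str) -> tuple:
    """Host and port an LDAP URL resolves to (389 for ldap://, 636 for ldaps://)."""
    parts = urlsplit(url)
    port = parts.port or (636 if parts.scheme == 'ldaps' else 389)
    return parts.hostname, port


def classify_ldap_reachability(url: str, timeout: float = 3.0) -> str:
    """Return 'reachable', 'dns', 'refused', 'timeout' or 'error:<reason>'.

    A bind failing with -1 (LDAP_SERVER_DOWN) before the server sees any
    connection normally maps to one of the failure classes returned here.
    """
    host, port = ldap_target(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return 'reachable'
    except socket.gaierror:
        return 'dns'          # hostname such as "ldap" does not resolve
    except ConnectionRefusedError:
        return 'refused'      # host up, nothing listening on the port
    except socket.timeout:
        return 'timeout'      # likely filtered by a firewall
    except OSError as exc:
        return 'error:%s' % exc


if __name__ == '__main__':
    print('uid=%s,ou=Users,dc=BASIS' % quote_ldap_dn('paul'))
    print(classify_ldap_reachability('ldap://ldap/'))
```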