[exim] Need some help with Exim LDAP lookups, please?

Author: Gary Perkins
Date:  
To: Exim-Users Mailing List
Subject: [exim] Need some help with Exim LDAP lookups, please?
Hi,

I'm wondering if anyone has had this happen before?

I'm setting up a mail server and I'd like an exim router to run lookups to an ldap server, where we have user credentials and mail aliases/groups stored. I already have dovecot authenticating against the ldap server and I can also successfully run 'ldapsearch' queries. So the LDAP server is working from the mail server. It works using either ldap:// or ldaps://.

This is what I'm using to test an exim LDAP lookup:

exim -d-all+lookup -be <<'EOF'
${lookup ldap {user='uid=ldapauth,cn=users,cn=accounts,dc=company,dc=co,dc=uk' pass='somepassword' ldap:///cn=groups,cn=accounts,dc=company,dc=co,dc=uk?member?sub?(cn=everyone)}}
EOF

With that, I get the following output:
========================================================================================================================
Exim version 4.87 uid=0 gid=0 pid=31229 D=10000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() PAM Expand_dlfunc GnuTLS Content_Scanning Old_Demime DKIM DNSSEC Event OCSP PRDR
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz dnsdb ldap ldapdn ldapm
Authenticators: dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.9.2]
Library version: GnuTLS: Compile: 3.3.8
                         Runtime: 3.3.8
Library version: PCRE: Compile: 8.35
                       Runtime: 8.35 2014-04-04
Total 11 lookups
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
configuration file is /etc/exim4/exim4.conf
log selectors = 00000ffc 10332001
trusted user
admin user

> search_open: ldap "NULL"

search_find: file="NULL"
key="user='uid=ldapauth,cn=users,cn=accounts,dc=company,dc=co,dc=uk' pass='somepassword' ldap://ipa0.company.co.uk:389/cn=groups,cn=accounts,dc=company,dc=co,dc=uk?" partial=-1 affix=NULL starflags=0
LRU list:
internal_search_find: file="NULL"
type=ldap key="user='uid=ldapauth,cn=users,cn=accounts,dc=company,dc=co,dc=uk' pass='somepassword' ldap://ipa0.company.co.uk:389/cn=groups,cn=accounts,dc=company,dc=co,dc=uk?"
database lookup required for user='uid=ldapauth,cn=users,cn=accounts,dc=company,dc=co,dc=uk' pass='somepassword' ldap://ipa0.company.co.uk:389/cn=groups,cn=accounts,dc=company,dc=co,dc=uk?
LDAP parameters: user='uid=ldapauth,cn=users,cn=accounts,dc=company,dc=co,dc=uk' pass='somepassword' size=0 time=0 connect=0 dereference=0 referrals=on
perform_ldap_search: ldap URL = "ldap://ipa0.company.co.uk:389/cn=groups,cn=accounts,dc=company,dc=co,dc=uk?" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
after ldap_url_parse: host=ipa0.company.co.uk port=389
ldap_initialize with URL ldap://ipa0.company.co.uk:389/
initialized for LDAP (v3) server ipa0.company.co.uk:389
LDAP_OPT_X_TLS_TRY set due to ldap:// URI
binding with user='uid=ldapauth,cn=users,cn=accounts,dc=company,dc=co,dc=uk' password='somepassword'
failed to bind the LDAP connection to server ipa0.company.co.uk:389 - LDAP error 32: No such object
lookup deferred: failed to bind the LDAP connection to server ipa0.company.co.uk:389 - LDAP error 32: No such object
Failed: lookup of "user='uid=ldapauth,cn=users,cn=accounts,dc=company,dc=co,dc=uk' pass='somepassword' ldap://ipa0.company.co.uk:389/cn=groups,cn=accounts,dc=company,dc=co,dc=uk?" gave DEFER: failed to bind the LDAP connection to server ipa0.company.co.uk:389 - LDAP error 32: No such object
>

search_tidyup called
unbind LDAP connection to ipa0.company.co.uk:389
>>>>>>>>>>>>>>>> Exim pid=31229 terminating with rc=0 >>>>>>>>>>>>>>>>

========================================================================================================================

It's this error in particular that has got me scratching my head. The actual LDAP query isn't fully formed, but it should at least bind with those credentials, as I can do with ldapsearch and as dovecot already does.

I've tried running exim under strace, but that didn't provide any extra clues. The next step might be to poke at the source.

Any help would be much appreciated.

Best Regards,

Gary Perkins.


-- 
Gary Perkins, Systems Administrator                      Codethink Ltd.