[exim] Problems with ldap lookup and doubling comma in userP…

Inizio della pagina
Questo messaggio è parte di questo thread:
M\il thread completo ordinato per data
MM 
MMMike Brudenell at ->
Delete this message
Reply to this message
Autore: Daniel Betz
Data:  
To: exim-users@exim.org
Oggetto: [exim] Problems with ldap lookup and doubling comma in userPassword field
Hello list,

i have an problem, which has to do with the change https://bugs.exim.org/show_bug.cgi?id=660

My plan is to reduce LDAP queries and enable an admin password for mail accounts.

The userPassword and adminPassword fields in ldap are base64 encoded sha512 crypt, which can include ","
Problem is, that they get doubled by the patch above, although i have tried an other seperator like : LDAP_LOOKUP_USER_PLAIN = <\n ${lookup ldap.
but the doubling of , is hardcoded into the source.

Debug Log shows this:

exim[13496]: 13506 LDAP value loop userPassword:{crypt}$6$,7_X.clF$OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.jUqWL61tg1352IMSVHtdJ0FUA1akT1
exim[13496]: 13506 lookup yielded: id="4029359" objectClass="qmailUser,person" [...] userPassword="{crypt}$6$,,7_X.clF$OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.jUqWL61tg1352IMSVHtdJ0FUA1akT1"

Here you can see the doubling of the ,, in the lookup. Therefore authentification with crypteq{} will fail.

It would be nice, when i can change the separator for ldap lookups, so that i must noch manually patch the src/lookups/ldap.c 



My config looks like this:
LDAP_LOOKUP_USER_PLAIN = ${lookup ldap {\
                                nettime=3 time=5 user=LDAP_USER pass=LDAP_PASS referrals=nofollow \
                                ldapi:///LDAP_BASEDN??sub?(&(!(accountstatus=inactive))(|(uid=${quote_ldap:$auth2})(mail=${quote_ldap:$auth2})))\
                          }}
LDAP_LOOKUP_USER_LOGIN = ${lookup ldap {\
                                nettime=3 time=5 user=LDAP_USER pass=LDAP_PASS referrals=nofollow \
                                ldapi:///LDAP_BASEDN??sub?(&(!(accountstatus=inactive))(|(uid=${quote_ldap:$auth1})(mail=${quote_ldap:$auth1})))\
                          }}



plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if or {\
                                {crypteq{$auth3}{${extract{userPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
                                {crypteq{$auth3}{${extract{adminPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
                     }{yes}{no}}
  server_set_id = $auth2



login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if or {\
                                {crypteq{$auth2}{${extract{userPassword}{LDAP_LOOKUP_USER_LOGIN}}}}\
                                {crypteq{$auth2}{${extract{adminPassword}{LDAP_LOOKUP_USER_LOGIN}}}}\
                     }{yes}{no}}
  server_set_id = $auth1




Freundliche Grüße,

Daniel Betz
System Design Engineer / Senior Systemadministration
___________________________________

domainfactory GmbH
Oskar-Messter-Str. 33
85737 Ismaning
Germany

Telefon:  +49 (0)89 / 55266-364
Telefax:  +49 (0)89 / 55266-222

E-Mail:   dbetz@???
Internet: www.df.eu

Registergericht: Amtsgericht München
HRB-Nummer 150294, Geschäftsführer:
Tobias Mohr, Stephan Wolfram



Questo messaggio è stato inviato alle seguenti mailing lists:
Exim-users
Informazioni sulla Mailing List | Messaggi correlati		<-Re: [exim] Retry Rules[exim] How do I disable double at sign in message-ID?->
Tahini and Hummus and Cumin Development Archives amministrato da cumin AdminsLurker (versione 2.3)