Hi, Daniel -
Is the problem that you've forgotten to use Exim's quoting features on the
username and password when constructing the LDAP lookup?
For example the *Specification* gives examples such as this for ldapauth:
server_condition = ${if and{{ \
    !eq{}{$auth1} }{ \
    ldapauth{\
      user="uid=${quote_ldap_dn:$auth1},ou=people,o=example.org" \
      pass=${quote:$auth2} \
      ldap://ldap.example.org/} }} }
And a later example in the *TLS Authenticator* section implies that an ldap
lookup should also be using quoting:
server_condition = ${if forany {$auth1} \
    {!= {0} \
        {${lookup ldap{ldap:///\
         mailname=${quote_ldap_dn:${lc:$item}},\
         ou=users,LDAP_DC?mailid} {$value}{0} \
        } } }}
Cheers,
Mike B-)
On 24 May 2017 at 10:58, Daniel Betz <dbetz@???> wrote:
> Hello list,
>
> I have a problem which has to do with the change
> https://bugs.exim.org/show_bug.cgi?id=660
>
> My plan is to reduce LDAP queries and enable an admin password for mail
> accounts.
>
> The userPassword and adminPassword fields in ldap are base64-encoded
> sha512 crypt, which can include ","
> The problem is that they get doubled by the patch above, although I have
> tried another separator like: LDAP_LOOKUP_USER_PLAIN = <\n ${lookup ldap.
> but the doubling of , is hardcoded into the source.
>
> Debug Log shows this:
>
> exim[13496]: 13506 LDAP value loop userPassword:{crypt}$6$,7_X.clF$
> OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.
> jUqWL61tg1352IMSVHtdJ0FUA1akT1
> exim[13496]: 13506 lookup yielded: id="4029359"
> objectClass="qmailUser,person" [...] userPassword="{crypt}$6$,,7_X.clF$
> OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.
> jUqWL61tg1352IMSVHtdJ0FUA1akT1"
>
> Here you can see the doubling of the ,, in the lookup. Therefore
> authentication with crypteq{} will fail.
>
> It would be nice if I could change the separator for ldap lookups, so
> that I do not have to manually patch src/lookups/ldap.c.
>
> My config looks like this:
> LDAP_LOOKUP_USER_PLAIN = ${lookup ldap {\
>   nettime=3 time=5 user=LDAP_USER pass=LDAP_PASS referrals=nofollow \
>   ldapi:///LDAP_BASEDN??sub?(&(!(accountstatus=inactive))(|(uid=${quote_ldap:$auth2})(mail=${quote_ldap:$auth2})))\
>   }}
> LDAP_LOOKUP_USER_LOGIN = ${lookup ldap {\
>   nettime=3 time=5 user=LDAP_USER pass=LDAP_PASS referrals=nofollow \
>   ldapi:///LDAP_BASEDN??sub?(&(!(accountstatus=inactive))(|(uid=${quote_ldap:$auth1})(mail=${quote_ldap:$auth1})))\
>   }}
>
> plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_prompts = :
>   server_condition = ${if or {\
>     {crypteq{$auth3}{${extract{userPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
>     {crypteq{$auth3}{${extract{adminPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
>     }{yes}{no}}
>   server_set_id = $auth2
>
> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = Username:: : Password::
>   server_condition = ${if or {\
>     {crypteq{$auth2}{${extract{userPassword}{LDAP_LOOKUP_USER_LOGIN}}}}\
>     {crypteq{$auth2}{${extract{adminPassword}{LDAP_LOOKUP_USER_LOGIN}}}}\
>     }{yes}{no}}
>   server_set_id = $auth1
>
> Kind regards,
>
> Daniel Betz
> System Design Engineer / Senior System Administration
> ___________________________________
>
> domainfactory GmbH
> Oskar-Messter-Str. 33
> 85737 Ismaning
> Germany
>
> Phone: +49 (0)89 / 55266-364
> Fax: +49 (0)89 / 55266-222
>
> E-Mail: dbetz@???
> Internet: www.df.eu
>
> Court of registration: Amtsgericht München
> HRB number 150294, Managing directors:
> Tobias Mohr, Stephan Wolfram
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
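As an added example (not the Exim project's code, nor either poster's), here is a decoder for the result format that produces the doubled commas in Daniel's debug output: when an ldap lookup returns more than one attribute, Exim yields space-separated name="value" pairs, with the values of a multi-valued attribute separated by commas and any comma inside the data doubled. The sample line is constructed from the thread's "lookup yielded" output, with the hash shortened and a made-up multi-valued mail attribute added.

```python
import re

# Format decoded here: name="value" name2="v1,v2" -- values double-quoted,
# " and \ inside the quotes escaped with a backslash, multi-valued attributes
# comma-separated, and a comma that is part of the data doubled (which is
# why $6$,7_X... in the LDAP entry shows up as $6$,,7_X... in the result).
# SAMPLE is constructed; the hash is shortened and the mail attribute is made up.
SAMPLE = ('id="4029359" objectClass="qmailUser,person" '
          'userPassword="{crypt}$6$,,7_X.clF$OHzHUqADeV9" '
          'mail="jane@example.org,j.doe@example.org"')
_PAIR = re.compile(r'\s*([^=\s]+)="((?:[^"\\]|\\.)*)"')


def split_values(raw):
    """Split on single commas; a doubled comma is a literal comma in the data."""
    values, cur, i = [], [], 0
    while i < len(raw):
        if raw[i] == ',' and raw[i + 1:i + 2] == ',':
            cur.append(',')          # ",," -> one literal comma
            i += 2
        elif raw[i] == ',':
            values.append(''.join(cur))   # single comma separates values
            cur, i = [], i + 1
        else:
            cur.append(raw[i])
            i += 1
    values.append(''.join(cur))
    return values


def parse_ldap_result(line):
    """Return {attribute: [value, ...]} for one multi-attribute result line."""
    result, pos = {}, 0
    while line[pos:].strip():
        m = _PAIR.match(line, pos)
        if not m:
            raise ValueError('expected name="value" at offset %d' % pos)
        raw = re.sub(r'\\(.)', r'\1', m.group(2))   # undo \" and \\ escapes
        result[m.group(1)] = split_values(raw)
        pos = m.end()
    return result
```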