Re: [exim] Problems with ldap lookup and doubling comma in …

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Mike Brudenell
Dátum:  
Címzett: exim-users@exim.org
Tárgy: Re: [exim] Problems with ldap lookup and doubling comma in userPassword field
Hi, Daniel -

Is the problem that you've forgotten to use Exim's quoting features on the
username and password when constructing the LDAP lookup?

For example the *Specification* gives examples such as this for ldapauth:

server_condition = ${if and{{ \
      !eq{}{$auth1} }{ \
      ldapauth{\
        user="uid=${quote_ldap_dn:$auth1},ou=people,o=example.org" \
        pass=${quote:$auth2} \
        ldap://ldap.example.org/} }} }


And a later example in the *TLS Authenticator* section implies that an ldap
lookup should also be using quoting:

server_condition =  ${if forany {$auth1} \
                          {!= {0} \
                              {${lookup ldap{ldap:///\
                       mailname=${quote_ldap_dn:${lc:$item}},\
                       ou=users,LDAP_DC?mailid} {$value}{0} \
                     } } }}


Cheers,
Mike B-)



On 24 May 2017 at 10:58, Daniel Betz <dbetz@???> wrote:

> Hello list,
>
> i have an problem, which has to do with the change
> https://bugs.exim.org/show_bug.cgi?id=660
>
> My plan is to reduce LDAP queries and enable an admin password for mail
> accounts.
>
> The userPassword and adminPassword fields in ldap are base64 encoded
> sha512 crypt, which can include ","
> Problem is, that they get doubled by the patch above, although i have
> tried an other seperator like : LDAP_LOOKUP_USER_PLAIN = <\n ${lookup ldap.
> but the doubling of , is hardcoded into the source.
>
> Debug Log shows this:
>
> exim[13496]: 13506 LDAP value loop userPassword:{crypt}$6$,7_X.clF$
> OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.
> jUqWL61tg1352IMSVHtdJ0FUA1akT1
> exim[13496]: 13506 lookup yielded: id="4029359"
> objectClass="qmailUser,person" [...] userPassword="{crypt}$6$,,7_X.clF$
> OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.
> jUqWL61tg1352IMSVHtdJ0FUA1akT1"
>
> Here you can see the doubling of the ,, in the lookup. Therefore
> authentification with crypteq{} will fail.
>
> It would be nice, when i can change the separator for ldap lookups, so
> that i must noch manually patch the src/lookups/ldap.c
>
>
>
> My config looks like this:
> LDAP_LOOKUP_USER_PLAIN = ${lookup ldap {\
>                                 nettime=3 time=5 user=LDAP_USER
> pass=LDAP_PASS referrals=nofollow \
>                                 ldapi:///LDAP_BASEDN??sub?(&(!
> (accountstatus=inactive))(|(uid=${quote_ldap:$auth2})(
> mail=${quote_ldap:$auth2})))\
>                           }}
> LDAP_LOOKUP_USER_LOGIN = ${lookup ldap {\
>                                 nettime=3 time=5 user=LDAP_USER
> pass=LDAP_PASS referrals=nofollow \
>                                 ldapi:///LDAP_BASEDN??sub?(&(!
> (accountstatus=inactive))(|(uid=${quote_ldap:$auth1})(
> mail=${quote_ldap:$auth1})))\
>                           }}

>
>
> plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_prompts = :
>   server_condition = ${if or {\
>                                 {crypteq{$auth3}{${extract{
> userPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
>                                 {crypteq{$auth3}{${extract{
> adminPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
>                      }{yes}{no}}
>   server_set_id = $auth2

>
>
> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = Username:: : Password::
>   server_condition = ${if or {\
>                                 {crypteq{$auth2}{${extract{
> userPassword}{LDAP_LOOKUP_USER_LOGIN}}}}\
>                                 {crypteq{$auth2}{${extract{
> adminPassword}{LDAP_LOOKUP_USER_LOGIN}}}}\
>                      }{yes}{no}}
>   server_set_id = $auth1

>
>
>
> Freundliche Grüße,
>
> Daniel Betz
> System Design Engineer / Senior Systemadministration
> ___________________________________
>
> domainfactory GmbH
> Oskar-Messter-Str. 33
> 85737 Ismaning
> Germany
>
> Telefon: +49 (0)89 / 55266-364
> Telefax: +49 (0)89 / 55266-222
>
> E-Mail: dbetz@???
> Internet: www.df.eu
>
> Registergericht: Amtsgericht München
> HRB-Nummer 150294, Geschäftsführer:
> Tobias Mohr, Stephan Wolfram
>
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>




--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm