Re: [exim] Problems with ldap lookup and doubling comma in …

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Daniel Betz
Dátum:  
Címzett: Jeremy Harris, exim-users@exim.org
Tárgy: Re: [exim] Problems with ldap lookup and doubling comma in userPassword field
Hi Jeremy,

thank you for the hint, but i cant get it running with listextract.

Can you give me an example how to extract the value from the userPassword key ?
I cant get it running :( Have tried many different variants.

Config:

LDAP_LOOKUP_USER_PLAIN = ${lookup ldap {\
                                nettime=3 time=5 user=LDAP_USER pass=LDAP_PASS referrals=nofollow \
                                ldapi:///LDAP_BASEDN??sub?(&(!(accountstatus=inactive))(|(uid=${quote_ldap:$auth2})(mail=${quote_ldap:$auth2})))\
                          }}


server_condition = ${if or {\
                                {crypteq{$auth3}{${extract{userPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
                                {crypteq{$auth3}{${extract{adminPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
                     }{yes}{no}}



Log from lookup:

lookup yielded: id="4029359" objectClass="qmailUser,person" [...] userPassword="{crypt}$6$,,7_X.clF$OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.jUqWL61tg1352IMSVHtdJ0FUA1akT1"


Regards,
Daniel

> -----Ursprüngliche Nachricht-----
> Von: Exim-users [mailto:exim-users-bounces+dbetz=df.eu@exim.org] Im
> Auftrag von Jeremy Harris
> Gesendet: Freitag, 26. Mai 2017 13:33
> An: exim-users@???
> Betreff: Re: [exim] Problems with ldap lookup and doubling comma in
> userPassword field
>
> On 24/05/17 10:58, Daniel Betz wrote:
> > i have an problem, which has to do with the change
> > https://bugs.exim.org/show_bug.cgi?id=660
> >
> > My plan is to reduce LDAP queries and enable an admin password for mail
> accounts.
> >
> > The userPassword and adminPassword fields in ldap are base64 encoded
> sha512 crypt, which can include ","
> > Problem is, that they get doubled by the patch above, although i have tried
> an other seperator like : LDAP_LOOKUP_USER_PLAIN = <\n ${lookup ldap.
> > but the doubling of , is hardcoded into the source.
> >
> > Debug Log shows this:
> >
> > exim[13496]: 13506 LDAP value loop
> >
> userPassword:{crypt}$6$,7_X.clF$OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjU
> tLb
> > lOvch9lGkv7G9jnvU.jUqWL61tg1352IMSVHtdJ0FUA1akT1
> > exim[13496]: 13506 lookup yielded: id="4029359"
> objectClass="qmailUser,person" [...]
> userPassword="{crypt}$6$,,7_X.clF$OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNd
> jUtLblOvch9lGkv7G9jnvU.jUqWL61tg1352IMSVHtdJ0FUA1akT1"
> >
> > Here you can see the doubling of the ,, in the lookup. Therefore
> authentification with crypteq{} will fail.
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-
> file_and_database_lookups.html#SECID71
>
> "The listextract operator should be used to pick out individual values of
> attributes, even when only a single value is expected."
>
> --
> Cheers,
> Jeremy
>


> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/