Re: [exim] PLAIN authenticator that checks against two data …

Top Page
Delete this message
Reply to this message
Author: Nigel Metheringham
Date:  
To: Mike Brudenell
CC: Exim Users
Subject: Re: [exim] PLAIN authenticator that checks against two data sources
I've not been following this in detail, but are you not asking for
something analogous to the configuration described in this:-
    https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPamAndPasswords


Also, if there are multiple auth possibilities I think this can also be
expressed within PAM.

    Nigel.



> Mike Brudenell via Exim-users <mailto:exim-users@exim.org>
> 9 August 2017 at 12:58
> Hi,
>
> I'm debugging this again using our Ubuntu packaged Exim version 4.86_2 #1,
> and trying to work out what's wrong with my configuration by going back to
> a really simple setup that will always fail:
>
> server_condition = ${if eq{0}{1} {true} {false}}
>
> This correctly gives rise to the SMTP response "535 Incorrect
> authentication data".
>
> I now replace the eq condition with an ldapauth condition:
>
> server_condition = ${if ldapauth \
> {user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk"
> \
> pass=${quote:$auth2} \
> ldap://ldap.york.ac.uk/} \
> {true} {false}}
>
> In the *Specification* the description of the ldapauth expansion condition
> says this:
>
> The condition is true if the password is not empty, and the user name and
> password are accepted by the LDAP server.
>
>
> And the Exim book says this (emphasis mine) when describing LDAP
> authentication in section 20.7.7:
>
> The condition is true if the user name and password are accepted by the
> LDAP server, *and false otherwise*.
>
>
> But when I try to authenticate using a bad username and password I don't
> get the 535 SMTP response but "435 Unable to authenticate at present" and
> the logs show a "failed to expand" error:
>
> 12:36:39 23140 LOGIN authenticator server_condition:
> 12:36:39 23140 $auth1 = baduser
> 12:36:39 23140 $auth2 = badpassword
> 12:36:39 23140 $1 = baduser
> 12:36:39 23140 $2 = badpassword
> 12:36:39 23140 expanding: $auth1
> 12:36:39 23140 result: baduser
> 12:36:39 23140 expanding: $auth2
> 12:36:39 23140 result: badpassword
> 12:36:39 23140 expanding: user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk"
> pass=${quote:$auth2} ldap://ldap.york.ac.uk/
> 12:36:39 23140 result: user="uid=baduser,ou=blah,dc=uk" pass=badpassword
> ldap://ldap.york.ac.uk/
> 12:36:39 23140 LDAP parameters: user=uid=baduser,ou=blah,dc=uk
> pass=badpassword size=0 time=0 connect=0 dereference=0 referrals=on
> 12:36:39 23140 perform_ldap_search: ldapauth URL =
> "ldap://ldap.york.ac.uk/"
> server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
> 12:36:39 23140 after ldap_url_parse: host=ldap.york.ac.uk port=389
> 12:36:39 23140 ldap_initialize with URL ldap://ldap.york.ac.uk:389/
> 12:36:39 23140 initialized for LDAP (v3) server ldap.york.ac.uk:389
> 12:36:39 23140 LDAP_OPT_X_TLS_TRY set due to ldap:// URI
> 12:36:39 23140 binding with user=uid=baduser,ou=blah,dc=uk
> password=badpassword
> 12:36:39 23140 failed to bind the LDAP connection to server
> ldap.york.ac.uk:389 - LDAP error 32: No such object
> 12:36:39 23140 failed to expand: ${if ldapauth
> {user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk"
> pass=${quote:$auth2} ldap://ldap.york.ac.uk/} {true} {false}}
> 12:36:39 23140 error message: failed to bind the LDAP connection to
> server ldap.york.ac.uk:389 - LDAP error 32: No such object
> 12:36:39 23140 expansion failed: failed to bind the LDAP connection to
> server ldap.york.ac.uk:389 - LDAP error 32: No such object
> 12:36:39 23140 expanding: $auth1
> 12:36:39 23140 result: baduser
> 12:36:39 23140 SMTP>> 435 Unable to authenticate at present
>
> This suggests that ldapauth is not returning false as expected/documented,
> but instead causing an expansion failure that then cascades back and ends
> up triggering the wrong SMTP response.
>
> - Is this a bug in Exim, or am I missing/overlooking something?
> - Is there a way of trapping the expansion error and interpreting it to
> false so the expression works properly?
>
> With many thanks,
> Mike B-)
>
> Mike Brudenell via Exim-users <mailto:exim-users@exim.org>
> 8 August 2017 at 17:53
> Hi!
>
> I have tried so many ways to get this working and have used Exim 4.86.2 in
> debug mode on Ubuntu until I'm going crackers but am stuck…
>
> I'm trying to write a LOGIN authenticator using the plaintext driver that
> checks two sources for authentication details:
>
> 1. First it checks a file for the username in $auth1. If present in the
> file the password from the entry in the file is checked against the
> supplied password in $auth2. Success/failure of the authentication is
> determined by whether the passwords match.
>
> If the username is not present in the file, then…
>
> 2. The authenticator then checks against LDAP by attempting to bind
> using ldapauth to it. Success/failure of the authentication is determined
> by whether bind succeeds or not.
>
> I have got the "check the file first then LDAP" operating (and have
> done in
> many different ways of writing it!) but am having problems getting the
> correct final SMTP response when LDAP fails. In particular I'm getting
> Exim
> returning
>
> 435 Unable to authenticate at present
>
> instead of
>
> 535 Incorrect authentication data
>
>
> The problem appears to be that when the username/password pair are wrong
> then as expected LDAP fails to bind (obviously!) but in the code I've
> written this causes a string expansion failure, which eventually leads
> back
> to the 435 SMTP response.
>
> I'm trying hard to get a forced failure to be generated instead — in this
> iteration by putting the ldapauth within an if along with a "fail" in
> string2 — which I know (from other tests) will give the 535 SMTP response,
> but it's flatly refusing to do so; I keep getting the string expansion
> error. (I guess it's because the forced-failure happens if the if's
> expression evaluates to false, whereas in this case it's having its own
> error.)
>
> Can someone help me either debug this, or come up with a different way of
> writing it?
>
> Here's my authenticator with apologies: you might need a wide window to
> cope with the wrapped lines:
>
> LOGIN:
> driver = plaintext
> server_set_id = $auth1
> server_prompts = <| Username: | Password:
>
> server_condition = ${if and{ \
> { def:auth1 } \
> { bool_lax{ \
> ${lookup {$auth1} lsearch
> {/etc/exim4/cfg.d/passwords-for-auth-smtp} \
> { ${if crypteq {$auth2}
> {\{sha1\}$value}} } \
> { ${if ldapauth \
>
> {user="uid=${quote_ldap_dn:$auth1},ou=people,ou=blah,dc=york,dc=ac,dc=uk"
> \
> pass=${quote:$auth2}
> \
> nettime=10 \
> time=7 \
> ldap://
> ldap.york.ac.uk/} \
> {yes} \
> fail }} \
> } \
> }} \
> }}
>
> server_advertise_condition = ${if and{ \
> {def:tls_in_cipher} \
> {!={$received_port}{25}} \
> } }
>
>
> And here's the relevant extract from an "exim -bd -v -d+all" run when I
> attempt to authenticate using a bad username and password:
>
> 17:40:32 4741 LOGIN authenticator server_condition:
> 17:40:32 4741 $auth1 = badusername
> 17:40:32 4741 $auth2 = badpassword
> 17:40:32 4741 $1 = badusername
> 17:40:32 4741 $2 = badpassword
> 17:40:32 4741 expanding: $auth1
> 17:40:32 4741 result: badusername
> 17:40:32 4741 expanding: /etc/exim4/cfg.d/passwords-for-auth-smtp
> 17:40:32 4741 result: /etc/exim4/cfg.d/passwords-for-auth-smtp
> 17:40:32 4741 search_open: lsearch
> "/etc/exim4/cfg.d/passwords-for-auth-smtp"
> 17:40:32 4741 search_find: file="/etc/exim4/cfg.d/passwords-for-auth-smtp"
> 17:40:32 4741 key="badusername" partial=-1 affix=NULL starflags=0
> 17:40:32 4741 LRU list:
> 17:40:32 4741 :/etc/exim4/cfg.d/passwords-for-auth-smtp
> 17:40:32 4741 End
> 17:40:32 4741 internal_search_find:
> file="/etc/exim4/cfg.d/passwords-for-auth-smtp"
> 17:40:32 4741 type=lsearch key="badusername"
> 17:40:32 4741 file lookup required for badusername
> 17:40:32 4741 in /etc/exim4/cfg.d/passwords-for-auth-smtp
> 17:40:32 4741 lookup failed
> 17:40:32 4741 expanding: $auth2
> 17:40:32 4741 result: badpassword
> 17:40:32 4741 skipping: result is not used
> 17:40:32 4741 expanding: \{sha1\}$value
> 17:40:32 4741 result: {sha1}
> 17:40:32 4741 skipping: result is not used
> 17:40:32 4741 condition: crypteq {$auth2} {\{sha1\}$value}
> 17:40:32 4741 result: false
> 17:40:32 4741 expanding: ${if crypteq {$auth2} {\{sha1\}$value}}
> 17:40:32 4741 result:
> 17:40:32 4741 skipping: result is not used
> 17:40:32 4741 expanding: $auth1
> 17:40:32 4741 result: badusername
> 17:40:32 4741 expanding: $auth2
> 17:40:32 4741 result: badpassword
> 17:40:32 4741 expanding:
> user="uid=${quote_ldap_dn:$auth1},ou=people,ou=blah,dc=york,dc=ac,dc=uk"
> pass=${quote:$auth2} nettime=10 time=7 ldap://ldap.york.ac.uk/
> 17:40:32 4741 result:
> user="uid=badusername,ou=people,ou=blah,dc=york,dc=ac,dc=uk"
> pass=badpassword nettime=10 time=7 ldap://ldap.york.ac.uk/
> 17:40:32 4741 LDAP parameters:
> user=uid=badusername,ou=people,blah,dc=york,dc=ac,dc=uk pass=badpassword
> size=0 time=7 connect=10 dereference=0 referrals=on
> 17:40:32 4741 perform_ldap_search: ldapauth URL =
> "ldap://ldap.york.ac.uk/"
> server=NULL port=0 sizelimit=0 timelimit=7 tcplimit=10
> 17:40:32 4741 after ldap_url_parse: host=ldap.york.ac.uk port=389
> 17:40:32 4741 ldap_initialize with URL ldap://ldap.york.ac.uk:389/
> 17:40:32 4741 initialized for LDAP (v3) server ldap.york.ac.uk:389
> 17:40:32 4741 LDAP_OPT_X_TLS_TRY set due to ldap:// URI
> 17:40:32 4741 binding with
> user=uid=badusername,ou=people,blah,dc=york,dc=ac,dc=uk
> password=badpassword
> 17:40:32 4741 failed to bind the LDAP connection to server
> ldap.york.ac.uk:389 - LDAP error 32: No such object
> 17:40:32 4741 failed to expand: ${if ldapauth
> {user="uid=${quote_ldap_dn:$auth1},ou=people,blah,dc=york,dc=ac,dc=uk"
> pass=${quote:$auth2} nettime=10 time=7 ldap://ldap.york.ac.uk/} {yes} fail
> }} } }} }}
> 17:40:32 4741 error message: failed to bind the LDAP connection to
> server ldap.york.ac.uk:389 - LDAP error 32: No such object
> 17:40:32 4741 failed to expand: ${lookup {$auth1} lsearch
> {/etc/exim4/cfg.d/passwords-for-auth-smtp} { ${if crypteq {$auth2}
> {\{sha1\}$value}} } { ${if ldapauth
> {user="uid=${quote_ldap_dn:$auth1},ou=people,blah,dc=york,dc=ac,dc=uk"
> pass=${quote:$auth2} nettime=10 time=7 ldap://ldap.york.ac.uk/} {yes} fail
> }} } }} }}
> 17:40:32 4741 error message: failed to bind the LDAP connection to
> server ldap.york.ac.uk:389 - LDAP error 32: No such object
> 17:40:32 4741 failed to expand: ${if and{ { def:auth1 } { bool_lax{
> ${lookup {$auth1} lsearch {/etc/exim4/cfg.d/passwords-for-auth-smtp} {
> ${if
> crypteq {$auth2} {\{sha1\}$value}} } { ${if ldapauth
> {user="uid=${quote_ldap_dn:$auth1},ou=people,blah,dc=york,dc=ac,dc=uk"
> pass=${quote:$auth2} nettime=10 time=7 ldap://ldap.york.ac.uk/} {yes} fail
> }} } }} }}
> 17:40:32 4741 error message: failed to bind the LDAP connection to
> server ldap.york.ac.uk:389 - LDAP error 32: No such object inside
> "and{...}" condition
> 17:40:32 4741 expansion failed: failed to bind the LDAP connection to
> server ldap.york.ac.uk:389 - LDAP error 32: No such object inside
> "and{...}" condition
> 17:40:32 4741 expanding: $auth1
> 17:40:32 4741 result: badusername
> 17:40:32 4741 SMTP>> 435 Unable to authenticate at present
>
>
> With many thanks for anything you can do to help save my sanity!
> Mike B-)
>


--

[ Nigel Metheringham ------------------------------ nigel@??? ] 
[                 Ellipsis Intangible Technologies                  ]