[exim] authentication problem with ldap lookup and crypteq

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Thomas Winterstein
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: [exim] authentication problem with ldap lookup and crypteq
Hello,

we are trying to configure plain and login authentication using crypteq
and LDAP lookups but came across the following problem.

- if the password hash is set correctly in ldap, exim complains about
wrong bit-length and fails

> 26934 LDAP value loop userPassword:{SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
> 26934 search ended by ldap_result yielding 101
> 26934 ldap_parse_result: 0
> 26934 ldap_parse_result yielded 0: Success
> 26934 LDAP search: returning: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
> 26934 lookup yielded: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
> 26934 crypteq: length for SHA-1 not 28 or 40: fail
> 26934 crypted=MnFWqyh8aqUshnDhMWP8G/ZgrdQ=


- if the password hash is missing the tailing '=' exim correctly
understands the hash set in LDAP. But now it wrongfully hashes the given
password in the exact bit-length it was complaining about when given
from LDAP

> 27061 LDAP value loop userPassword:{SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
> 27061 search ended by ldap_result yielding 101
> 27061 ldap_parse_result: 0
> 27061 ldap_parse_result yielded 0: Success
> 27061 LDAP search: returning: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
> 27061 lookup yielded: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
> 27061 crypteq: using SHA1+B64 hashing
> 27061 subject=MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
> 27061 crypted=MnFWqyh8aqUshnDhMWP8G/ZgrdQ



# ldap entry - test password starwars
dn: uid=_mail_test,ou=users,dc=uaux,dc=de
objectClass: inetOrgPerson
objectClass: posixAccount
uid: _mail_test
userPassword:: e1NIQTF9TW5GV3F5aDhhcVVzaG5EaE1XUDhHL1pncmRRPQ==
    or
userPassword:: e1NIQTF9TW5GV3F5aDhhcVVzaG5EaE1XUDhHL1pncmRR


# exim.conf - login authenticator
auth_login:
         driver = plaintext
         public_name = LOGIN
         server_prompts = Username:: : Password::
         server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
         server_condition = ${if or { \
                 {pam{$auth1:${sg{$auth2}{:}{::}}}} \
                 {crypteq{$auth2}{${lookup 
ldap{ldap://mailvz.rz.uni-augsburg.de/ou=users,dc=uaux,dc=de?userPassword?sub?(&(objectClass=inetorgperson)(uid=${quote_ldap:$auth1}))} 
} } } \
                 }{yes}{no}}
         server_set_id = $auth1


regards,
--
Thomas Winterstein
postmaster@???