Re: [exim] authentication problem with ldap lookup and crypt…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MThomas Winterstein at <-
MHeiko Schlittermann at ->
Delete this message
Reply to this message
Author: Thomas Winterstein
Date:  
To: exim-users
Subject: Re: [exim] authentication problem with ldap lookup and crypteq
its solved.

Exim's configuration syntax can't handle spaces. The crypteq line needs
to be completely without spaces to make it work.

regards
Thomas Winterstein

On 11/21/19 11:51 AM, Thomas Winterstein wrote:
> Hello,
>
> we are trying to configure plain and login authentication using crypteq
> and LDAP lookups but came across the following problem.
>
> - if the password hash is set correctly in ldap, exim complains about
> wrong bit-length and fails
>
>> 26934 LDAP value loop userPassword:{SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>> 26934 search ended by ldap_result yielding 101
>> 26934 ldap_parse_result: 0
>> 26934 ldap_parse_result yielded 0: Success
>> 26934 LDAP search: returning: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>> 26934 lookup yielded: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>> 26934 crypteq: length for SHA-1 not 28 or 40: fail
>> 26934   crypted=MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>
> - if the password hash is missing the tailing '=' exim correctly
> understands the hash set in LDAP. But now it wrongfully hashes the given
> password in the exact bit-length it was complaining about when given
> from LDAP
>
>> 27061 LDAP value loop userPassword:{SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
>> 27061 search ended by ldap_result yielding 101
>> 27061 ldap_parse_result: 0
>> 27061 ldap_parse_result yielded 0: Success
>> 27061 LDAP search: returning: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
>> 27061 lookup yielded: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
>> 27061 crypteq: using SHA1+B64 hashing
>> 27061   subject=MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>> 27061   crypted=MnFWqyh8aqUshnDhMWP8G/ZgrdQ
>
>
> # ldap entry - test password starwars
> dn: uid=_mail_test,ou=users,dc=uaux,dc=de
> objectClass: inetOrgPerson
> objectClass: posixAccount
> uid: _mail_test
> userPassword:: e1NIQTF9TW5GV3F5aDhhcVVzaG5EaE1XUDhHL1pncmRRPQ==
>     or
> userPassword:: e1NIQTF9TW5GV3F5aDhhcVVzaG5EaE1XUDhHL1pncmRR
>
> # exim.conf - login authenticator
> auth_login:
>         driver = plaintext
>         public_name = LOGIN
>         server_prompts = Username:: : Password::
>         server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
>         server_condition = ${if or { \
>                 {pam{$auth1:${sg{$auth2}{:}{::}}}} \
>                 {crypteq{$auth2}{${lookup
> ldap{ldap://mailvz.rz.uni-augsburg.de/ou=users,dc=uaux,dc=de?userPassword?sub?(&(objectClass=inetorgperson)(uid=${quote_ldap:$auth1}))}
> } } } \
>                 }{yes}{no}}
>         server_set_id = $auth1
>
> regards,

--
Thomas Winterstein
postmaster@???

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[exim] authentication problem with ldap lookup and crypteq[exim] cyrus-sasl authenticator->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)