Autor: Thomas Winterstein
Data:
Para: exim-users
Assunto: Re: [exim] authentication problem with ldap lookup and crypteq
its solved.
Exim's configuration syntax can't handle spaces. The crypteq line needs
to be completely without spaces to make it work.
regards
Thomas Winterstein
On 11/21/19 11:51 AM, Thomas Winterstein wrote:
> Hello,
>
> we are trying to configure plain and login authentication using crypteq
> and LDAP lookups but came across the following problem.
>
> - if the password hash is set correctly in ldap, exim complains about
> wrong bit-length and fails
>
>> 26934 LDAP value loop userPassword:{SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>> 26934 search ended by ldap_result yielding 101
>> 26934 ldap_parse_result: 0
>> 26934 ldap_parse_result yielded 0: Success
>> 26934 LDAP search: returning: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>> 26934 lookup yielded: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>> 26934 crypteq: length for SHA-1 not 28 or 40: fail
>> 26934 crypted=MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>
> - if the password hash is missing the tailing '=' exim correctly
> understands the hash set in LDAP. But now it wrongfully hashes the given
> password in the exact bit-length it was complaining about when given
> from LDAP
>
>> 27061 LDAP value loop userPassword:{SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
>> 27061 search ended by ldap_result yielding 101
>> 27061 ldap_parse_result: 0
>> 27061 ldap_parse_result yielded 0: Success
>> 27061 LDAP search: returning: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
>> 27061 lookup yielded: {SHA1}MnFWqyh8aqUshnDhMWP8G/ZgrdQ
>> 27061 crypteq: using SHA1+B64 hashing
>> 27061 subject=MnFWqyh8aqUshnDhMWP8G/ZgrdQ=
>> 27061 crypted=MnFWqyh8aqUshnDhMWP8G/ZgrdQ
>
>
> # ldap entry - test password starwars
> dn: uid=_mail_test,ou=users,dc=uaux,dc=de
> objectClass: inetOrgPerson
> objectClass: posixAccount
> uid: _mail_test
> userPassword:: e1NIQTF9TW5GV3F5aDhhcVVzaG5EaE1XUDhHL1pncmRRPQ==
> or
> userPassword:: e1NIQTF9TW5GV3F5aDhhcVVzaG5EaE1XUDhHL1pncmRR
>
> # exim.conf - login authenticator
> auth_login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = Username:: : Password::
> server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
> server_condition = ${if or { \
> {pam{$auth1:${sg{$auth2}{:}{::}}}} \
> {crypteq{$auth2}{${lookup
> ldap{ldap://mailvz.rz.uni-augsburg.de/ou=users,dc=uaux,dc=de?userPassword?sub?(&(objectClass=inetorgperson)(uid=${quote_ldap:$auth1}))}
> } } } \
> }{yes}{no}}
> server_set_id = $auth1
>
> regards,
--
Thomas Winterstein
postmaster@???