On 29/07/2021 22:39, Jan Catrysse via Exim-users wrote:
> I am having some issues using a username@??? kind of username in
> Outlook and the Exim SPA authenticator.
>
> It seems the domain part is stripped from the username and so I cannot
> authenticate properly.
>
> Is this a known problem? Can I fix this issue in any way?
>
> On debug I find that a username like: username+domain.tld is passed
> completely to the exim $auth1 variable, but with the @ in place I only get
> the username part without the domain.
>
> I have to consider that I am using the same username for Dovecot, so I
> cannot just change my query to replace @ with something else.
>
> Authenticator config:
> SPA:
>   driver = spa
>   public_name = NTLM
>   server_password = ${lookup mysql{SELECT `password` FROM `users` \
>                      WHERE CONCAT_WS('@', `username`, `domain`) = \
>                      '${quote_mysql:$auth1}';}{$value}{fail}}
>   server_set_id = $auth1
>   server_debug_print = "Running SPA auth: $auth1"
>
> Thank you,
> Jan
>
>
The server-side spa code only writes $auth1 in one place, before
the call to evaluate the server_password. Since you're doing a
lookup, the use there should be visible in debug.
I assume it's wrong at that time.

The value being used appears to derive from data sent by the
client in response to a challenge from the server. There's enough
code munging it that I can't swear it won't fall over on an '@' -
but I don't see one mentioned explicitly.
Are you certain that the full string is being supplied by the client?

The docs chapter mentions that the domain is optional, so I could
imagine it being treated as a separate item. Unfortunately, it also
only describes $auth1 as getting the user name; no mention of the
domain around the same place.

Hmm. A relevant data structure does have separate fields "uUser" and "uDomain" -
and the server-side code doesn't use it. The client-side code does.

OK, this has likely never worked. For now, you're out of luck with SPA.
--
Cheers,
Jeremy
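To show concretely why the domain can go missing, here is an added example (not Exim's code, and not from either poster) that builds and parses an NTLM type 3 AUTHENTICATE_MESSAGE following the MS-NLMP layout, in which the domain and the user name are carried in two separate length/offset fields. The two helper functions at the end, auth1_user_only and auth1_user_at_domain, are illustrative names chosen here: the first reads only the user field, which mirrors the behaviour Jeremy describes for the server side; the second re-joins user and domain so a user@domain lookup could match. The credentials, responses and workstation name are constructed sample data, and the response blobs are zero-filled placeholders rather than real NTLM hashes.

```python
"""Constructed NTLM AUTHENTICATE_MESSAGE (type 3) builder/parser (example code).

The domain and the user name travel in separate Len/MaxLen/Offset fields
(MS-NLMP 2.2.1.3), so a server that only reads the UserName field never
sees the domain part. Nothing here is Exim's own code.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
HEADER_LEN = 64  # fixed part up to and including NegotiateFlags

# (field name, offset of its 8-byte Len/MaxLen/Offset descriptor in the header)
FIELDS = [
    ("lm_response", 12),
    ("nt_response", 20),
    ("domain", 28),
    ("user", 36),
    ("workstation", 44),
    ("session_key", 52),
]
STRING_FIELDS = {"domain", "user", "workstation"}


def _charset(flags):
    # Strings are UTF-16LE when the client negotiated UNICODE, else OEM/ASCII.
    return "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"


def build_authenticate_message(user, domain, lm_response, nt_response,
                               workstation="WS", flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Assemble a type 3 message; user and domain go into separate fields."""
    enc = _charset(flags)
    values = {
        "lm_response": lm_response,
        "nt_response": nt_response,
        "domain": domain.encode(enc),
        "user": user.encode(enc),
        "workstation": workstation.encode(enc),
        "session_key": b"",  # no key exchange in this constructed sample
    }
    header = bytearray(HEADER_LEN)
    header[0:8] = NTLMSSP_SIGNATURE
    struct.pack_into("<I", header, 8, AUTHENTICATE_MESSAGE)
    struct.pack_into("<I", header, 60, flags)
    payload = bytearray()
    for name, desc_off in FIELDS:
        data = values[name]
        struct.pack_into("<HHI", header, desc_off,
                         len(data), len(data), HEADER_LEN + len(payload))
        payload += data
    return bytes(header + payload)


def parse_authenticate_message(msg):
    """Decode a type 3 message into its fields, bounds-checking every descriptor."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype != AUTHENTICATE_MESSAGE:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = _charset(flags)
    out = {"flags": flags}
    for name, desc_off in FIELDS:
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, desc_off)
        # Offsets come from the client: never index past the buffer on their say-so.
        if offset + length > len(msg):
            raise ValueError(f"{name} descriptor points outside the message")
        data = msg[offset:offset + length]
        out[name] = data.decode(enc) if name in STRING_FIELDS else data
    return out


def auth1_user_only(fields):
    """Illustrative: expose only the UserName field, dropping the domain."""
    return fields["user"]


def auth1_user_at_domain(fields):
    """Illustrative: re-join the two fields so a user@domain lookup can match."""
    if fields["domain"]:
        return f"{fields['user']}@{fields['domain']}"
    return fields["user"]


if __name__ == "__main__":
    # Constructed sample: the client sends "jan" and "example.com" separately.
    msg = build_authenticate_message("jan", "example.com", b"\x00" * 24, b"\x00" * 24)
    parsed = parse_authenticate_message(msg)
    print("user field only :", auth1_user_only(parsed))
    print("user@domain     :", auth1_user_at_domain(parsed))
```

Running the block prints "jan" for the user-only view and "jan@example.com" for the joined view of the same message, which is the gap between what the lookup in the original config expects and what a server reading only the user field can supply. If a client instead puts the whole "user@domain" string into the user field and leaves the domain field empty, both views return the full string; the parser also refuses any descriptor whose offset and length run past the end of the message rather than reading out of bounds.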