[exim] Problem with LDAP authenticator

Etusivu
Poista viesti
Vastaa
Lähettäjä: Pierre Filippone
Päiväys:  
Vastaanottaja: exim-users
Aihe: [exim] Problem with LDAP authenticator
Hi,

I configured the following LDAP authenticator:

ldap_plain:
   driver = plaintext
   public_name = PLAIN
   server_prompts = "LDAP Username:: : LDAP Password::"
   server_condition = \
        ${\
           lookup ldap {\
               user=${lookup ldapdn {user=BINDDN pass=BINDPW
ldaps:///BASEDN?dn?sub?(&(uid=${quote_ldap:$2})(mail=*)(!(expiredDate=*)))}}
pass=${quote:$3} ldaps:///BASEDN?uid?sub?(&(uid=${quote_ldap:$2})(mail=*))\
         }{yes}fail \
    }
   # value for $authenticated_id
   server_set_id = $2


This actually works very well.

The problem with it is though, that whenever someone uses it for SMTP
authentication the following is logged in our exim main.log:

2023-07-05 14:47:36 tainted search query is not properly quoted (ACL
accept, /etc/exim/exim.conf 461): user="uid=xyz,dc=example,dc=com"
pass="cleartextpassword"
ldaps:///dc=example,dc=com?uid?sub?(&(uid=xyz)(mail=*))

As you can see the user id together with his cleartext password is logged.

So, can anyone give me a hint, what I am doing wrong here quoting-wise and
why the query shall be tainted. I don't really understand why exim is
complaining.
Another solution would be to suppress the logging of this error, but I
don"t know how to achieve that either.

My exim version is 4.96.

Thanks for your help.

Pierre

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/