Hi Mike,

Thanks for your answer.


No, the quoting isn't the problem.
I don't want to use ldapauth with a constructed ldap_dn, because I need some 
other values from the full LDAP lookup.

When using the examples as described in the specification, it always does two 
LDAP lookups:
one to construct the bind DN for the user and one to ldapauth the user against 
the LDAP.

My idea was to do one lookup in the LDAP and extract all the fields that I need 
(e.g. spamaction, filters, SPF actions, DKIM key)
and later to do authentication with crypteq{} against $auth2/3 and the 
crypted userPassword field from the LDAP lookup.

This takes only one LDAP lookup and will double the performance against LDAP.

But now I have the problem that the change 
https://bugs.exim.org/show_bug.cgi?id=660 ALWAYS doubles colons ("," - comma, or 
"Komma" in German):
+             for (j = 0; j < len; j++)
+               {
+               if (value[j] == ',')
+                 data = string_cat(data, &size, &ptr, US",,", 2);
+               else
+                 data = string_cat(data, &size, &ptr, value+j, 1);
+               }
+             }
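Review bot: the escaping in this loop is applied to every attribute value, so a single-valued attribute whose data legitimately contains a comma (a `{crypt}` hash with `,` in its salt, as in the debug log quoted later in this thread) is returned altered and no longer matches with crypteq. If the doubling is needed to keep the values of a multi-valued attribute separable, either restrict it to attributes that actually carry more than one value, or document that callers must undo it after extracting a single value (e.g. with `${sg{...}{,,}{,}}`); as written the separator `','` is also hard-coded in the comparison, which is exactly what the poster asks to make configurable.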

That destroys the extracted sha512 crypt when there is a colon/comma in it.

Best Regards,
Daniel
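As an added example (my own code, not from this thread and not Exim's code), the Python below models the "lookup yielded:" line from the debug log in the quoted message further down: the comma-doubling loop from the patch, the naive extract that shows why crypteq fails, and a parser that undoes the doubling so a {crypt} value with a comma in its salt compares equal again. The hash and the attribute values are constructed; only the attr="value" layout and the comma doubling follow the log.

```python
import re

# Constructed sample, not the poster's real hash: a sha512-crypt string whose
# salt contains a comma, which is the case the thread is about.
STORED_HASH = "{crypt}$6$,7_X.clF$CONSTRUCTEDHASHVALUE0123456789"

# Constructed model of the "lookup yielded:" debug line after the bug-660
# change: attr="value" pairs, a multi-valued attribute joined with single
# commas, and every comma *inside* a value doubled.
LOOKUP_OUTPUT = ('id="4029359" objectClass="qmailUser,person" '
                 'userPassword="{crypt}$6$,,7_X.clF$CONSTRUCTEDHASHVALUE0123456789"')

_FIELD = re.compile(r'(\w+)="([^"]*)"')

def naive_extract(output, name):
    """Roughly what ${extract{name}{...}} hands to crypteq: the quoted text
    as-is, doubled commas included, so a hash with a comma never matches."""
    m = re.search(r'\b%s="([^"]*)"' % re.escape(name), output)
    return m.group(1) if m else None

def split_values(raw):
    """Split one attribute's quoted text into its values: a lone comma is the
    value separator, a ',,' pair is a literal comma that must be collapsed."""
    values, current, i = [], [], 0
    while i < len(raw):
        if raw[i] == "," and raw[i + 1:i + 2] == ",":
            current.append(",")              # escaped comma inside a value
            i += 2
        elif raw[i] == ",":
            values.append("".join(current))  # end of one value
            current = []
            i += 1
        else:
            current.append(raw[i])
            i += 1
    values.append("".join(current))
    return values

def parse_lookup(output):
    """Turn the whole lookup result into {attribute: [value, ...]}."""
    return {m.group(1): split_values(m.group(2)) for m in _FIELD.finditer(output)}

def escape_value(value):
    """Python model of the comma-doubling loop quoted from the patch."""
    return value.replace(",", ",,")

def format_attrs(attrs):
    """Inverse of parse_lookup, used to check the round trip."""
    return " ".join('%s="%s"' % (name, ",".join(escape_value(v) for v in vals))
                    for name, vals in attrs.items())
```

In an Exim configuration the same un-doubling can be applied to a single extracted value with ${sg{...}{,,}{,}} before crypteq (sg is Exim's global-substitution expansion), which avoids patching src/lookups/ldap.c but does not separate multi-valued attributes.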

From: Mike Brudenell <[email protected]>
Sent: Thursday, 25 May 2017 12:03
To: [email protected]
Subject: Re: [exim] Problems with ldap lookup and doubling comma in 
userPassword field


Hi, Daniel -


Is the problem that you've forgotten to use Exim's quoting features on the 
username and password when constructing the LDAP lookup?


For example, the specification gives examples such as this for ldapauth:



server_condition = ${if and{{ \
      !eq{}{$auth1} }{ \
      ldapauth{\
        user="uid=${quote_ldap_dn:$auth1},ou=people,o=example.org" \
        pass=${quote:$auth2} \
        ldap://ldap.example.org/} }} } 


And a later example in the TLS Authenticator section implies that an LDAP 
lookup should also be using quoting:


server_condition = ${if forany {$auth1} \
                     {!= {0} \
                         {${lookup ldap{ldap:///\
                          mailname=${quote_ldap_dn:${lc:$item}},\
                          ou=users,LDAP_DC?mailid} {$value}{0} \
                         } } }}


Cheers,
Mike B-)

On 24 May 2017 at 10:58, Daniel Betz <[email protected]> wrote:
Hello list,

I have a problem which has to do with the change 
https://bugs.exim.org/show_bug.cgi?id=660

My plan is to reduce LDAP queries and enable an admin password for mail 
accounts.

The userPassword and adminPassword fields in LDAP are base64-encoded sha512 
crypt, which can include ",".
The problem is that they get doubled by the patch above, although I have tried 
another separator like: LDAP_LOOKUP_USER_PLAIN = <\n ${lookup ldap.
but the doubling of , is hardcoded into the source.

Debug Log shows this:

exim[13496]: 13506 LDAP value loop 
userPassword:{crypt}$6$,7_X.clF$OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.jUqWL61tg1352IMSVHtdJ0FUA1akT1
exim[13496]: 13506 lookup yielded: id="4029359" objectClass="qmailUser,person" 
[...] 
userPassword="{crypt}$6$,,7_X.clF$OHzHUqADeV9ijFJn9EsB0LMp7iL7PYVNdjUtLblOvch9lGkv7G9jnvU.jUqWL61tg1352IMSVHtdJ0FUA1akT1"

Here you can see the doubling of the ,, in the lookup. Therefore 
authentication with crypteq{} will fail.

It would be nice if I could change the separator for LDAP lookups, so that I 
do not have to manually patch src/lookups/ldap.c.



My config looks like this:

LDAP_LOOKUP_USER_PLAIN = ${lookup ldap {\
    nettime=3 time=5 user=LDAP_USER pass=LDAP_PASS referrals=nofollow \
    ldapi:///LDAP_BASEDN??sub?(&(!(accountstatus=inactive))(|(uid=${quote_ldap:$auth2})(mail=${quote_ldap:$auth2})))\
    }}

LDAP_LOOKUP_USER_LOGIN = ${lookup ldap {\
    nettime=3 time=5 user=LDAP_USER pass=LDAP_PASS referrals=nofollow \
    ldapi:///LDAP_BASEDN??sub?(&(!(accountstatus=inactive))(|(uid=${quote_ldap:$auth1})(mail=${quote_ldap:$auth1})))\
    }}


plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if or {\
      {crypteq{$auth3}{${extract{userPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
      {crypteq{$auth3}{${extract{adminPassword}{LDAP_LOOKUP_USER_PLAIN}}}}\
      }{yes}{no}}
  server_set_id = $auth2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if or {\
      {crypteq{$auth2}{${extract{userPassword}{LDAP_LOOKUP_USER_LOGIN}}}}\
      {crypteq{$auth2}{${extract{adminPassword}{LDAP_LOOKUP_USER_LOGIN}}}}\
      }{yes}{no}}
  server_set_id = $auth1



Kind regards,

Daniel Betz
System Design Engineer / Senior Systemadministration
___________________________________

domainfactory GmbH
Oskar-Messter-Str. 33
85737 Ismaning
Germany

Phone:  +49 (0)89 / 55266-364
Fax:    +49 (0)89 / 55266-222

E-Mail:   [email protected]
Internet: www.df.eu

Court of registration: Amtsgericht München
HRB number 150294, Managing Directors:
Tobias Mohr, Stephan Wolfram



--
## List details at  https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at  http://www.exim.org/
## Please use the Wiki with this list -  http://wiki.exim.org/

-- 

Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811


Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm       