Hi,

I'm debugging this again using our Ubuntu packaged Exim version 4.86_2 #1,
and trying to work out what's wrong with my configuration by going back to
a really simple setup that will always fail:

  server_condition = ${if eq{0}{1} {true} {false}}

This correctly gives rise to the SMTP response "535 Incorrect
authentication data".

I now replace the eq condition with an ldapauth condition:

  server_condition = ${if ldapauth \
                            {user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk"
\
                             pass=${quote:$auth2} \
                            ldap://ldap.york.ac.uk/} \
                          {true} {false}}

In the *Specification* the description of the ldapauth expansion condition
says this:

The condition is true if the password is not empty, and the user name and
password are accepted by the LDAP server.


And the Exim book says this (emphasis mine) when describing LDAP
authentication in section 20.7.7:

The condition is true if the user name and password are accepted by the
LDAP server, *and false otherwise*.


But when I try to authenticate using a bad username and password I don't
get the 535 SMTP response but "435 Unable to authenticate at present" and
the logs show a "failed to expand" error:

12:36:39 23140 LOGIN authenticator server_condition:
12:36:39 23140   $auth1 = baduser
12:36:39 23140   $auth2 = badpassword
12:36:39 23140   $1 = baduser
12:36:39 23140   $2 = badpassword
12:36:39 23140 expanding: $auth1
12:36:39 23140    result: baduser
12:36:39 23140 expanding: $auth2
12:36:39 23140    result: badpassword
12:36:39 23140 expanding: user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk"
pass=${quote:$auth2} ldap://ldap.york.ac.uk/
12:36:39 23140    result: user="uid=baduser,ou=blah,dc=uk" pass=badpassword
ldap://ldap.york.ac.uk/
12:36:39 23140 LDAP parameters: user=uid=baduser,ou=blah,dc=uk
pass=badpassword size=0 time=0 connect=0 dereference=0 referrals=on
12:36:39 23140 perform_ldap_search: ldapauth URL = "ldap://ldap.york.ac.uk/";
server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
12:36:39 23140 after ldap_url_parse: host=ldap.york.ac.uk port=389
12:36:39 23140 ldap_initialize with URL ldap://ldap.york.ac.uk:389/
12:36:39 23140 initialized for LDAP (v3) server ldap.york.ac.uk:389
12:36:39 23140 LDAP_OPT_X_TLS_TRY set due to ldap:// URI
12:36:39 23140 binding with user=uid=baduser,ou=blah,dc=uk
password=badpassword
12:36:39 23140 failed to bind the LDAP connection to server
ldap.york.ac.uk:389 - LDAP error 32: No such object
12:36:39 23140 failed to expand: ${if ldapauth
{user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk"
pass=${quote:$auth2} ldap://ldap.york.ac.uk/} {true} {false}}
12:36:39 23140    error message: failed to bind the LDAP connection to
server ldap.york.ac.uk:389 - LDAP error 32: No such object
12:36:39 23140 expansion failed: failed to bind the LDAP connection to
server ldap.york.ac.uk:389 - LDAP error 32: No such object
12:36:39 23140 expanding: $auth1
12:36:39 23140    result: baduser
12:36:39 23140 SMTP>> 435 Unable to authenticate at present

This suggests that ldapauth is not returning false as expected/documented,
but instead causing an expansion failure that then cascades back and ends
up triggering the wrong SMTP response.

   - Is this a bug in Exim, or am I missing/overlooking something?
   - Is there a way of trapping the expansion error and interpreting it to
   false so the expression works properly?

With many thanks,
Mike B-)

-- 
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811 <01904%20323811>

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Reply via email to