So the bind authorization is succeeding, which leaves me with the question
of why I can do a 'real' authentication with the account 'foo' and the
password 'foo':

10:37:07 120872  ├──expanding: ${if and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:37:07 120872  ╰─────result: true

10:37:07 120872 expanded string: true

10:37:07 120872  ╭considering: $auth1

10:37:07 120872  ├──────value: foo

10:37:07 120872             ╰──(tainted)

10:37:07 120872  ├──expanding: $auth1

10:37:07 120872  ╰─────result: foo

10:37:07 120872             ╰──(tainted)

10:37:07 120872 SMTP>> 235 Authentication succeeded

On Thu, Apr 10, 2025 at 9:31 AM Jeremy Harris via Exim-users <
exim-users@lists.exim.org> wrote:

> On 2025/04/10 3:00 PM, Johnnie W Adams via Exim-users wrote:
> > I don't know how much of the configuration you want to see, but here's
> the
> > lookup:
> >
> >         user=${lookup
> >
> ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
> > pass="password" ldaps://
> >
> auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})
> }}
> > \
> >
> >         pass=${quote:$auth2} \
> >
> >         ldaps://auth.example.com/ \
>
> If you want to see what happened with that lookup, use Exim's debug
> facilities.
> If it's a busy exim daemon you'll be best off with ACL-triggered debug;
> if it's only you then just run the daemon with a command-line option for
> debug.
> --
> Cheers,
>    Jeremy
>
> --
> ## subscription configuration (requires account):
> ##
> https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
> ## unsubscribe (doesn't require an account):
> ##   exim-users-unsubscr...@lists.exim.org
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>


-- 
John Adams
Senior Linux/Middleware Administrator  | Information Technology Services
+1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*

