Here it is, using 'foo' as both account and password:

14:16:37 121712 login authenticator server_condition:

14:16:37 121712   $auth1 = foo

14:16:37 121712   $auth2 = foo

14:16:37 121712   $1 = foo

14:16:37 121712   $2 = foo

14:16:37 121712  ╭considering: ${if and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712   ╭considering: }{$auth1} } { ldapauth { user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712   ├──expanding:

14:16:37 121712   ╰─────result:

14:16:37 121712   ╭considering: $auth1} } { ldapauth { user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712   ├──────value: foo

14:16:37 121712              ╰──(tainted)

14:16:37 121712   ├considering: } } { ldapauth { user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712   ├──expanding: $auth1

14:16:37 121712   ╰─────result: foo

14:16:37 121712              ╰──(tainted)

14:16:37 121712   ╭considering:  user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712   ├───────text:  user=

14:16:37 121712   ├considering: ${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712    ╭considering:
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712    ├───────text:
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=

14:16:37 121712    ├considering: ${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712    ╎╭considering: $auth1})}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

14:16:37 121712    ╎├──────value: foo

14:16:37 121712    ╎           ╰──(tainted)

14:16:37 121712    ╎├considering: })}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

14:16:37 121712    ╎├──expanding: $auth1

14:16:37 121712    ╎╰─────result: foo

14:16:37 121712    ╎           ╰──(tainted)

14:16:37 121712    ├─────op-res: foo

14:16:37 121712               ╰──(tainted, quoted:ldap)

14:16:37 121712    ├considering: )}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

14:16:37 121712    ├───────text: )

14:16:37 121712    ├considering: }} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

14:16:37 121712    ├──expanding:
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})

14:16:37 121712    ╰─────result:
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)

14:16:37 121712               ╰──(tainted, quoted:ldap)

14:16:37 121712   search_open: ldapdn "NULL"

14:16:37 121712   search_find: file="NULL"

14:16:37 121712
key="user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)"
partial=-1 affix=NULL starflags=0 opts=NULL

14:16:37 121712   LRU list:

14:16:37 121712     :/etc/exim/dropped_helo_names

14:16:37 121712     End

14:16:37 121712   internal_search_find: file="NULL"

14:16:37 121712     type=ldapdn
key="user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)"
opts=NULL

14:16:37 121712   database lookup required for
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)

14:16:37 121712                                (tainted, quoted:ldap)

14:16:37 121712   LDAP parameters:
user=CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com
pass=password size=0 time=0 connect=0 dereference=0 referrals=on

14:16:37 121712   perform_ldap_search: ldapdn URL = "ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)"
server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0

14:16:37 121712   after ldap_url_parse: host=auth.example.com port=636

14:16:37 121712   ldap_initialize with URL ldaps://auth.example.com:636/

14:16:37 121712   initialized for LDAP (v3) server auth.example.com:636

14:16:37 121712   LDAP_OPT_X_TLS_HARD set due to ldaps:// URI

14:16:37 121712   binding with
user=CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com
password=password

14:16:37 121712   Start search

14:16:37 121712   search ended by ldap_result yielding 101

14:16:37 121712   ldap_parse_result: 0

14:16:37 121712   ldap_parse_result yielded 0: Success

14:16:37 121712   LDAP search: no results

14:16:37 121712   creating new cache entry

14:16:37 121712   lookup failed

14:16:37 121712   ├───item-res:

14:16:37 121712   ├considering:  pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

14:16:37 121712   ├───────text:  pass=

14:16:37 121712   ├considering: ${quote:$auth2} ldaps://auth.example.com/ }
} } }

14:16:37 121712    ╭considering: $auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712    ├──────value: foo

14:16:37 121712               ╰──(tainted)

14:16:37 121712    ├considering: } ldaps://auth.example.com/ } } } }

14:16:37 121712    ├──expanding: $auth2

14:16:37 121712    ╰─────result: foo

14:16:37 121712               ╰──(tainted)

14:16:37 121712   ├─────op-res: foo

14:16:37 121712              ╰──(tainted)

14:16:37 121712   ├considering:  ldaps://auth.example.com/ } } } }

14:16:37 121712   ├───────text:  ldaps://auth.example.com/

14:16:37 121712   ├considering: } } } }

14:16:37 121712   ├──expanding:  user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/

14:16:37 121712   ╰─────result:  user= pass=foo ldaps://auth.example.com/

14:16:37 121712              ╰──(tainted)

14:16:37 121712  LDAP parameters: user= pass=foo size=0 time=0 connect=0
dereference=0 referrals=on

14:16:37 121712  perform_ldap_search: ldapauth URL = "ldaps://
auth.example.com/ " server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0

14:16:37 121712  after ldap_url_parse: host=auth.example.com port=636

14:16:37 121712  re-using cached connection to LDAP server
auth.example.com:636

14:16:37 121712  re-binding with user= password=foo

14:16:37 121712  Bind succeeded: ldapauth returns OK

14:16:37 121712  ├──condition: and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } }

14:16:37 121712  ├─────result: true

14:16:37 121712  ├──expanding: ${if and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

14:16:37 121712  ╰─────result: true

14:16:37 121712 expanded string: true

14:16:37 121712  ╭considering: $auth1

14:16:37 121712  ├──────value: foo

14:16:37 121712             ╰──(tainted)

14:16:37 121712  ├──expanding: $auth1

14:16:37 121712  ╰─────result: foo

14:16:37 121712             ╰──(tainted)

14:16:37 121712 SMTP>> 235 Authentication succeeded

14:16:37 121712 tls_write(0x56246e2fd368, 30)

14:16:37 121712 SSL_write(0x56246e60e870, 0x56246e2fd368, 30)

14:16:37 121712 outbytes=30 error=0

14:16:37 121712 Calling SSL_read(0x56246e60e870, 0x56246e611768, 4096)

On Thu, Apr 10, 2025 at 2:12 PM Jeremy Harris via Exim-users <
exim-users@lists.exim.org> wrote:

> On 2025/04/10 6:29 PM, Johnnie W Adams via Exim-users wrote:
> >    server_condition = ${if and{ \
> >     { !eq{}{$auth1} } \
> >     { ldapauth { \
> >         user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} \
> >         pass=${quote:$auth2} \
> >         ldaps://auth.example.com/ \
> >       } \
> >     } \
> >   } \
> > }
>
> Okay, so there's two LDAP accesses being done for the server_condition - a
> lookup expansion
> and an ldapauth condition - and we've only seen one in debug output, and
> mentioned only in string-expansion.
> I agree with Evgeniy: need more debug.  Try again with "+all" - and don't
> trim the start
> and end too harshly.
>
> > I'm unsure how much of the exim.conf file you'd like me to post
>
> The authenticator config was the important bit, so we have that now.
> --
> Cheers,
>    Jeremy
>
> --
> ## subscription configuration (requires account):
> ##
> https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
> ## unsubscribe (doesn't require an account):
> ##   exim-users-unsubscr...@lists.exim.org
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>


-- 
John Adams
Senior Linux/Middleware Administrator  | Information Technology Services
+1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*
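
The trace above shows the `ldapdn` lookup returning no results, followed by `re-binding with user= password=foo`, `Bind succeeded: ldapauth returns OK` and `235 Authentication succeeded`. The Python script below is an added example, not part of the original message or of Exim: it scans debug output in this timestamp/PID layout for binds that succeeded with an empty DN; the sample lines, DNs and passwords in it are constructed.

```python
import re

# Constructed sample in the timestamp/PID layout of the debug output above;
# DNs and passwords are made up, and one record is wrapped as mail clients do.
SAMPLE = """\
14:16:37 121712   binding with
user=CN=svc_lookup,DC=ad,DC=example,DC=com
password=password
14:16:37 121712   LDAP search: no results
14:16:37 121712  re-binding with user= password=foo
14:16:37 121712  Bind succeeded: ldapauth returns OK
14:16:37 121712 SMTP>> 235 Authentication succeeded
14:20:01 121800  binding with user=CN=alice,DC=ad,DC=example,DC=com password=s3cret
14:20:01 121800  Bind succeeded: ldapauth returns OK
14:20:01 121800 SMTP>> 235 Authentication succeeded
"""

RECORD = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\d+)\b\s*(.*)$")
BIND = re.compile(r"^(?:re-)?binding with\s+user=(.*?)\s*password=")

def records(text):
    """Yield (time, pid, message), re-joining lines wrapped in transit."""
    current = None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), m.group(3).strip()]
        elif current and line.strip():
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def empty_dn_binds(text):
    """Report binds that succeeded with an empty DN; passwords are never kept."""
    last_dn, findings = {}, {}
    for when, pid, msg in records(text):
        m = BIND.match(msg)
        if m:
            last_dn[pid] = m.group(1)          # DN of this process's latest bind
        elif msg.startswith("Bind succeeded") and last_dn.get(pid) == "":
            findings[pid] = {"time": when, "pid": pid, "smtp_accepted": False}
        elif msg.startswith("SMTP>> 235") and pid in findings:
            findings[pid]["smtp_accepted"] = True
    return list(findings.values())

if __name__ == "__main__":
    print(empty_dn_binds(SAMPLE))
```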
