On Fri, Apr 11, 2025 at 6:22 PM Slavko via Exim-users <exim-users@lists.exim.org> wrote:
> On 10. 4. at 23:04 Johnnie W Adams via Exim-users wrote:
> > The coding should take both of the 'foo's in, because they are the
> > credentials to be used in the ldapauth test. And they really shouldn't be
> > giving back a 235 Authentication succeeded under any circumstances.
>
> That is the main problem of "foo:foo" credentials; now nobody knows which
> "foo" is which...

That's a good point. Here's another session, this time with 'foo' as the account name and 'bar' as the password.

11:25:57 134826 login authenticator server_condition:
11:25:57 134826   $auth1 = foo
11:25:57 134826   $auth2 = bar
11:25:57 134826   $1 = foo
11:25:57 134826   $2 = bar
11:25:57 134826 ╭considering: ${if and{ { !eq{}{$auth1} } { ldapauth { user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ╭considering: }{$auth1} } { ldapauth { user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├──expanding: 
11:25:57 134826 ╰─────result: 
11:25:57 134826 ╭considering: $auth1} } { ldapauth { user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├──────value: foo
11:25:57 134826 ╰──(tainted)
11:25:57 134826 ├considering: } } { ldapauth { user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├──expanding: $auth1
11:25:57 134826 ╰─────result: foo
11:25:57 134826 ╰──(tainted)
11:25:57 134826 ╭considering: user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├───────text: user=
11:25:57 134826 ├considering: ${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ╭considering: user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├───────text: user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=
11:25:57 134826 ├considering: ${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ╎╭considering: $auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ╎├──────value: foo
11:25:57 134826 ╎ ╰──(tainted)
11:25:57 134826 ╎├considering: })}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ╎├──expanding: $auth1
11:25:57 134826 ╎╰─────result: foo
11:25:57 134826 ╎ ╰──(tainted)
11:25:57 134826 ├─────op-res: foo
11:25:57 134826 ╰──(tainted, quoted:ldap)
11:25:57 134826 ├considering: )}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├───────text: )
11:25:57 134826 ├considering: }} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├──expanding: user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})
11:25:57 134826 ╰─────result: user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)
11:25:57 134826 ╰──(tainted, quoted:ldap)
11:25:57 134826 search_open: ldapdn "NULL"
11:25:57 134826 search_find: file="NULL"
11:25:57 134826   key="user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)" partial=-1 affix=NULL starflags=0 opts=NULL
11:25:57 134826 LRU list:
11:25:57 134826   :/etc/exim/dropped_helo_names
11:25:57 134826 End
11:25:57 134826 internal_search_find: file="NULL"
11:25:57 134826   type=ldapdn key="user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)" opts=NULL
11:25:57 134826 database lookup required for user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)
11:25:57 134826  (tainted, quoted:ldap)
11:25:57 134826 LDAP parameters: user=CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com pass=password size=0 time=0 connect=0 dereference=0 referrals=on
11:25:57 134826 perform_ldap_search: ldapdn URL = "ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
11:25:57 134826 after ldap_url_parse: host=auth.example.com port=636
11:25:57 134826 ldap_initialize with URL ldaps://auth.example.com:636/
11:25:57 134826 initialized for LDAP (v3) server auth.example.com:636
11:25:57 134826 LDAP_OPT_X_TLS_HARD set due to ldaps:// URI
11:25:57 134826 binding with user=CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com password=password
11:25:57 134826 Start search
11:25:57 134826 search ended by ldap_result yielding 101
11:25:57 134826 ldap_parse_result: 0
11:25:57 134826 ldap_parse_result yielded 0: Success
11:25:57 134826 LDAP search: no results
11:25:57 134826 creating new cache entry
11:25:57 134826 lookup failed
11:25:57 134826 ├───item-res: 
11:25:57 134826 ├considering: pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├───────text: pass=
11:25:57 134826 ├considering: ${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ╭considering: $auth2} ldaps://auth.example.com/ } } } }
11:25:57 134826 ├──────value: bar
11:25:57 134826 ╰──(tainted)
11:25:57 134826 ├considering: } ldaps://auth.example.com/ } } } }
11:25:57 134826 ├──expanding: $auth2
11:25:57 134826 ╰─────result: bar
11:25:57 134826 ╰──(tainted)
11:25:57 134826 ├─────op-res: bar
11:25:57 134826 ╰──(tainted)
11:25:57 134826 ├considering: ldaps://auth.example.com/ } } } }
11:25:57 134826 ├───────text: ldaps://auth.example.com/ 
11:25:57 134826 ├considering: } } } }
11:25:57 134826 ├──expanding: user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ 
11:25:57 134826 ╰─────result: user= pass=bar ldaps://auth.example.com/ 
11:25:57 134826 ╰──(tainted)
11:25:57 134826 LDAP parameters: user= pass=bar size=0 time=0 connect=0 dereference=0 referrals=on
11:25:57 134826 perform_ldap_search: ldapauth URL = "ldaps://auth.example.com/ " server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
11:25:57 134826 after ldap_url_parse: host=auth.example.com port=636
11:25:57 134826 re-using cached connection to LDAP server auth.example.com:636
11:25:57 134826 re-binding with user= password=bar
11:25:58 134826 Bind succeeded: ldapauth returns OK
11:25:58 134826 ├──condition: and{ { !eq{}{$auth1} } { ldapauth { user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } }
11:25:58 134826 ├─────result: true
11:25:58 134826 ├──expanding: ${if and{ { !eq{}{$auth1} } { ldapauth { user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
11:25:58 134826 ╰─────result: true
11:25:58 134826 expanded string: true
11:25:58 134826 ╭considering: $auth1
11:25:58 134826 ├──────value: foo
11:25:58 134826 ╰──(tainted)
11:25:58 134826 ├──expanding: $auth1
11:25:58 134826 ╰─────result: foo
11:25:58 134826 ╰──(tainted)
11:25:58 134826 SMTP>> 235 Authentication succeeded
11:25:58 134826 tls_write(0x559d10644368, 30)
11:25:58 134826 SSL_write(0x559d10955870, 0x559d10644368, 30)
11:25:58 134826 outbytes=30 error=0
11:25:58 134826 Calling SSL_read(0x559d10955870, 0x559d10958768, 4096)

-- 
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*

Reminder: IT Services will never ask for your password
over the phone or in an email. Always be suspicious of requests for personal information that come via email, even from known contacts. For more information or to report suspicious email, visit IT Security <http://ualr.edu/itservices/security/>.
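As an added example (not code from the thread and not Exim's own), here is a small Python model of the server_condition in the trace above, with constructed directory entries: it shows the posted check accepting foo/bar once the ldapdn lookup comes back empty, because the empty `user=` is still handed to the bind, and a fail-closed variant that refuses before binding. The directory contents, the `empty_dn_binds` switch and the `{$value}fail` remark are my assumptions.

```python
# Added example: models the Exim server_condition from the debug trace.
# Not Exim code; directory contents below are constructed for the example.

# Constructed stand-in for the directory: uid -> DN and DN -> password.
UID_TO_DN = {"alice": "CN=alice,OU=Service Accounts,DC=ad,DC=example,DC=com"}
DN_TO_PASSWORD = {"CN=alice,OU=Service Accounts,DC=ad,DC=example,DC=com": "s3cret"}


def ldapdn_lookup(uid):
    """Like ${lookup ldapdn{...(uid=...)}}: the DN on a match, '' when the
    lookup fails (the trace shows 'LDAP search: no results' -> 'lookup failed')."""
    return UID_TO_DN.get(uid, "")


def ldapauth_bind(user_dn, password, empty_dn_binds=True):
    """Simulated simple bind. With empty_dn_binds=True (assumed) it behaves like
    the server in the trace: an empty DN plus any password is accepted, which is
    what turns 'user= pass=bar' into 'Bind succeeded: ldapauth returns OK'."""
    if user_dn == "":
        return empty_dn_binds and password != ""
    return DN_TO_PASSWORD.get(user_dn) == password


def server_condition_as_posted(auth1, auth2):
    """and{ {!eq{}{$auth1}} {ldapauth{user=${lookup ldapdn{...}} pass=$auth2 ...}} }
    as in the trace: only $auth1 is tested for emptiness, never the looked-up DN."""
    if auth1 == "":
        return False
    return ldapauth_bind(ldapdn_lookup(auth1), auth2)


def server_condition_fail_closed(auth1, auth2):
    """Same check, but it refuses before ever binding when the uid resolves to no
    DN or the password is empty. In Exim the equivalent guard would be a
    {$value}fail clause on the ldapdn lookup (my suggestion, not from the thread)."""
    if auth1 == "" or auth2 == "":
        return False
    user_dn = ldapdn_lookup(auth1)
    if user_dn == "":
        return False
    return ldapauth_bind(user_dn, auth2)


if __name__ == "__main__":
    # Same credentials as the second session in the thread: foo / bar.
    print("as posted   :", server_condition_as_posted("foo", "bar"))    # True
    print("fail closed :", server_condition_fail_closed("foo", "bar"))  # False
```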