This is truly puzzling. I've reworked my authenticator to add the parameters
where I think they should go:

  server_condition = ${if and{ \

   { !eq{}{$auth1} } \

   { ldapauth { \

       user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=ualr,DC=edu"
pass="outer_password"  ldaps://
auth.ualr.edu/OU=Service%20Accounts,DC=ad,DC=ualr,DC=edu?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
\

       pass=${quote:$auth2} \

       ldaps://auth.ualr.edu/ \

     } \

   } \

 } \

   }

Even with the correct credentials (I reset them myself to be sure), I'm
getting a 535 Incorrect authentication data response:

10:27:42 160885 login authenticator server_condition:

10:27:42 160885   $auth1 = inner_account

10:27:42 160885   $auth2 = inner_password

10:27:42 160885   $1 = inner_account

10:27:42 160885   $2 = inner_password

10:27:42 160885  ╭considering: ${if and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885   ╭considering: }{$auth1} } { ldapauth { user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885   ├──expanding:

10:27:42 160885   ╰─────result:

10:27:42 160885   ╭considering: $auth1} } { ldapauth { user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885   ├──────value: inner_account

10:27:42 160885              ╰──(tainted)

10:27:42 160885   ├considering: } } { ldapauth { user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885   ├──expanding: $auth1

10:27:42 160885   ╰─────result: inner_account

10:27:42 160885              ╰──(tainted)

10:27:42 160885   ╭considering:  user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885   ├───────text:  user=

10:27:42 160885   ├considering: ${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885    ╭considering:
user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885    ├───────text:
user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=

10:27:42 160885    ├considering: ${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885    ╎╭considering: $auth1})}{0}{1}} pass=${quote:$auth2}
ldaps://auth.example.com/ } } } }

10:27:42 160885    ╎├──────value: inner_account

10:27:42 160885    ╎           ╰──(tainted)

10:27:42 160885    ╎├considering: })}{0}{1}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ╎├──expanding: $auth1

10:27:42 160885    ╎╰─────result: inner_account

10:27:42 160885    ╎           ╰──(tainted)

10:27:42 160885    ├─────op-res: inner_account

10:27:42 160885               ╰──(tainted, quoted:ldap)

10:27:42 160885    ├considering: )}{0}{1}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ├───────text: )

10:27:42 160885    ├considering: }{0}{1}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ├──expanding:
user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})

10:27:42 160885    ╰─────result:
user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=inner_account)

10:27:42 160885               ╰──(tainted, quoted:ldap)

10:27:42 160885   search_open: ldapdn "NULL"

10:27:42 160885   search_find: file="NULL"

10:27:42 160885
key="user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=inner_account)"
partial=-1 affix=NULL starflags=0 opts=NULL

10:27:42 160885   LRU list:

10:27:42 160885     :/etc/exim/dropped_helo_names

10:27:42 160885     End

10:27:42 160885   internal_search_find: file="NULL"

10:27:42 160885     type=ldapdn
key="user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=inner_account)"
opts=NULL

10:27:42 160885   database lookup required for
user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=inner_account)

10:27:42 160885                                (tainted, quoted:ldap)

10:27:42 160885   LDAP parameters:
user=CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com
pass=outer_password size=0 time=0 connect=0 dereference=0 referrals=on

10:27:42 160885   perform_ldap_search: ldapdn URL = "ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=inner_account)"
server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0

10:27:42 160885   after ldap_url_parse: host=auth.example.com port=636

10:27:42 160885   ldap_initialize with URL ldaps://auth.example.com:636/

10:27:42 160885   initialized for LDAP (v3) server auth.example.com:636

10:27:42 160885   LDAP_OPT_X_TLS_HARD set due to ldaps:// URI

10:27:42 160885   binding with
user=CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com
password=outer_password

10:27:42 160885   Start search

10:27:42 160885   search ended by ldap_result yielding 101

10:27:42 160885   ldap_parse_result: 0

10:27:42 160885   ldap_parse_result yielded 0: Success

10:27:42 160885   LDAP search: no results

10:27:42 160885   creating new cache entry

10:27:42 160885   lookup failed

10:27:42 160885    ╭───scanning: 0}{1}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ├───────text: 0

10:27:42 160885    ├───scanning: }{1}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ├──expanding: 0

10:27:42 160885    ├─────result: 0

10:27:42 160885    ╰───skipping: result is not used

10:27:42 160885    ╭considering: 1}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ├───────text: 1

10:27:42 160885    ├considering: }} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ├──expanding: 1

10:27:42 160885    ╰─────result: 1

10:27:42 160885   ├───item-res: 1

10:27:42 160885   ├considering:  pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885   ├───────text:  pass=

10:27:42 160885   ├considering: ${quote:$auth2} ldaps://auth.example.com/ }
} } }

10:27:42 160885    ╭considering: $auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885    ├──────value: inner_password

10:27:42 160885               ╰──(tainted)

10:27:42 160885    ├considering: } ldaps://auth.example.com/ } } } }

10:27:42 160885    ├──expanding: $auth2

10:27:42 160885    ╰─────result: inner_password

10:27:42 160885               ╰──(tainted)

10:27:42 160885   ├─────op-res: inner_password

10:27:42 160885              ╰──(tainted)

10:27:42 160885   ├considering:  ldaps://auth.example.com/ } } } }

10:27:42 160885   ├───────text:  ldaps://auth.example.com/

10:27:42 160885   ├considering: } } } }

10:27:42 160885   ├──expanding:  user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/

10:27:42 160885   ╰─────result:  user=1 pass=inner_password ldaps://
auth.example.com/

10:27:42 160885              ╰──(tainted)

10:27:42 160885  LDAP parameters: user=1 pass=inner_password size=0 time=0
connect=0 dereference=0 referrals=on

10:27:42 160885  perform_ldap_search: ldapauth URL = "ldaps://
auth.example.com/ " server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0

10:27:42 160885  after ldap_url_parse: host=auth.example.com port=636

10:27:42 160885  re-using cached connection to LDAP server
auth.example.com:636

10:27:42 160885  re-binding with user=1 password=inner_password

10:27:42 160885  Invalid credentials: ldapauth returns FAIL

10:27:42 160885  ├──condition: and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } }

10:27:42 160885  ├─────result: false

10:27:42 160885  ├──expanding: ${if and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885  ╰─────result:

10:27:42 160885 expanded string:

10:27:42 160885  ╭considering: $auth1

10:27:42 160885  ├──────value: inner_account

10:27:42 160885             ╰──(tainted)

10:27:42 160885  ├──expanding: $auth1

10:27:42 160885  ╰─────result: inner_account

10:27:42 160885             ╰──(tainted)

10:27:42 160885 SMTP>> 535 Incorrect authentication data

10:27:42 160885 tls_write(0x557cf8036368, 35)

10:27:42 160885 SSL_write(0x557cf8347870, 0x557cf8036368, 35)

10:27:42 160885 outbytes=35 error=0

10:27:42 160885 LOG: MAIN REJECT

10:27:42 160885   login authenticator failed for (remote) [144.167.8.28]:
535 Incorrect authentication data (set_id=inner_account)


What am I doing wrong? Or is this just part of the AD malfunction?

On Mon, Apr 14, 2025 at 10:15 AM Johnnie W Adams <jxad...@ualr.edu> wrote:

> This makes sense, and yet, I've tried adding {true}{false} (along with
> {yes}{no}), and now it fails even when I use good account information. I've
> tried this, which I believe should be right:
>
> user=${lookup
> ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
> pass="password"  ldaps://
> auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}{true}{false} \
>
>        pass=${quote:$auth2} \
>
>        ldaps://auth.example.com/
>
> And this, which doesn't look quite right:
>
> user=${lookup
> ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
> pass="password"  ldaps://
> auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} \
>
>        pass=${quote:$auth2}{true}{false} \
>
>        ldaps://auth.example.com/
>
> What am I doing wrong?
> --
> John Adams
> Senior Linux/Middleware Administrator  | Information Technology Services
> +1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
> *UA Little Rock*
>
> Reminder:  IT Services will never ask for your password over the phone or
> in an email. Always be suspicious of requests for personal information that
> come via email, even from known contacts.  For more information or to
> report suspicious email, visit IT Security
> <http://ualr.edu/itservices/security/>.
>


-- 
John Adams
Senior Linux/Middleware Administrator  | Information Technology Services
+1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*

Reminder:  IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts.  For more information or to
report suspicious email, visit IT Security
<http://ualr.edu/itservices/security/>.

