On 2025/04/16 4:38 PM, Johnnie W Adams via Exim-users wrote:

10:27:42 160885   ├considering: ${lookup
ldapdn{user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

doing a ${lookup....

10:27:42 160885    ├considering: ${quote_ldap_dn:$auth1})}{0}{1}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }

10:27:42 160885    ╎╭considering: $auth1})}{0}{1}} pass=${quote:$auth2}
ldaps://auth.example.com/ } } } }

10:27:42 160885    ╎├──────value: inner_account

10:27:42 160885    ╎           ╰──(tainted)

using $auth1 as data...


10:27:42 160885   database lookup required for
user="CN=outer_account,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="outer_password"  ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=inner_account)

10:27:42 160885                                (tainted, quoted:ldap)


10:27:42 160885   ldap_parse_result yielded 0: Success

it didn't throw an error

10:27:42 160885   LDAP search: no results

didn't return any data though

10:27:42 160885   lookup failed

and that counts as a fail

10:27:42 160885    ╰───skipping: result is not used

so we skip the "success" result expansion

10:27:42 160885    ╭considering: 1}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ├───────text: 1

10:27:42 160885    ├considering: }} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }

10:27:42 160885    ├──expanding: 1

10:27:42 160885    ╰─────result: 1

10:27:42 160885   ├───item-res: 1

and take the "fail" expansion; a constant string "1" here

10:27:42 160885  re-binding with user=1 password=inner_password

we move on to the "ldapauth" operation.  That "1" you arranged to return from
the inner lookup is used here, for "user=1".  This feels bogus, but results
from your coding of the config.

10:27:42 160885  Invalid credentials: ldapauth returns FAIL

... and it fails.  Is this what you wanted?


--
Cheers,
  Jeremy
