
Issue with LDAP auth
Goal:
Allow users to authenticate to SMTP with their LDAP credentials.


Problem:
Exim spits out errors because it doesn't bind to the LDAP server.


Config:
--

begin authenticators


plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if and{{ !eq{}{$auth2} }{ \
    ldapauth{\
      USER="${quote_ldap:${lookup ldapdn{ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=${quote_ldap:$auth2})}}}" \
      PASS=${quote:$auth3} \
      ldap://ldap.cyberfusion.cloud/} }} }
  server_set_id = $auth2
  server_prompts = :


login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if and{{ !eq{}{$auth1} }{ \
    ldapauth{\
      USER="${quote_ldap:${lookup ldapdn{ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=${quote_ldap:$auth1})}}}" \
      PASS=${quote:$auth2} \
      ldap://ldap.cyberfusion.cloud/} }} }
  server_set_id = $auth1
--


Log:
--

 14:36:39   999 /considering: ${if and{{ !eq{}{$auth1} }{ ldapauth{USER="${quote_ldap:${lookup ldapdn{ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=${quote_ldap:$auth1})}}}" PASS=${quote:$auth2} ldap://ldap.cyberfusion.cloud/} }} }
[...]
14:36:39   999   type=ldapdn key="ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=internal-mailinfra)"
14:36:39   999 database lookup required for ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=internal-mailinfra)
14:36:39   999 LDAP parameters: user=NULL pass=NULL size=0 time=0 connect=0 dereference=0 referrals=on
14:36:39   999 perform_ldap_search: ldapdn URL = "ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=internal-mailinfra)" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
14:36:39   999 after ldap_url_parse: host=dc0.cyberfusion.cloud port=389
14:36:39   999 ldap_initialize with URL ldap://dc0.cyberfusion.cloud:389/
14:36:39   999 initialized for LDAP (v3) server dc0.cyberfusion.cloud:389
14:36:39   999 LDAP_OPT_X_TLS_TRY set due to ldap:// URI
14:36:39   999 binding with user=NULL password=NULL
14:36:39   999 Start search
14:36:39   999 search ended by ldap_result yielding 101
14:36:39   999 ldap_parse_result: 0
14:36:39   999 ldap_parse_result yielded 1: Operations error
14:36:39   999 LDAP search failed - error 1: Operations error/000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0
14:36:39   999 lookup deferred: LDAP search failed - error 1: Operations error/000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0
   14:36:39   999 |failed to expand: ${lookup ldapdn{ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=${quote_ldap:$auth1})}}}" PASS=${quote:$auth2} ldap://ldap.cyberfusion.cloud/} }} }
   14:36:39   999 \___error message: lookup of "ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=internal-mailinfra)" gave DEFER: LDAP search failed - error 1: Operations error/000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0
  14:36:39   999 |failed to expand: USER="${quote_ldap:${lookup ldapdn{ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=${quote_ldap:$auth1})}}}" PASS=${quote:$auth2} ldap://ldap.cyberfusion.cloud/} }} }
  14:36:39   999 \___error message: lookup of "ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=internal-mailinfra)" gave DEFER: LDAP search failed - error 1: Operations error/000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0
 14:36:39   999 |failed to expand: ${if and{{ !eq{}{$auth1} }{ ldapauth{USER="${quote_ldap:${lookup ldapdn{ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=${quote_ldap:$auth1})}}}" PASS=${quote:$auth2} ldap://ldap.cyberfusion.cloud/} }} }
 14:36:39   999 \___error message: lookup of "ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=internal-mailinfra)" gave DEFER: LDAP search failed - error 1: Operations error/000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0 inside "and{...}" condition
14:36:39   999 expansion failed: lookup of "ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=internal-mailinfra)" gave DEFER: LDAP search failed - error 1: Operations error/000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0 inside "and{...}" condition
 14:36:39   999 /considering: $auth1
 14:36:39   999 |__expanding: $auth1
 14:36:39   999 \_____result: internal-mailinfra
14:36:39   999 SMTP>> 435 Unable to authenticate at present
--


Note this line:
14:36:39   999 binding with user=NULL password=NULL


Why does Exim not bind to the LDAP server with my credentials and how can I set it up so it does?



With kind regards,
William Edwards
Cyberfusion - Hosting for web agencies and business-critical applications


W. https://www.cyberfusion.nl/
E. wedwards@cyberfusion.nl
T. 040 - 711 44 96
Re: Issue with LDAP auth
On 24/12/2018 13:41, William Edwards | Cyberfusion via Exim-users wrote:
>   server_condition = ${if and{{ !eq{}{$auth2} }{ \
>     ldapauth{\
>       USER="${quote_ldap:${lookup ldapdn{ldap://dc0.cyberfusion.cloud/cn=Users,dc=cyberfusion,dc=email??sub?(sAMAccountName=${quote_ldap:$auth2})}}}" \
>       PASS=${quote:$auth3} \
>       ldap://ldap.cyberfusion.cloud/} }} }


You're using an ldapdn lookup to determine a USER for the ldapauth.

What user do you think you might use for it, if your ldap isn't set up
to allow anonymous lookups?
--
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
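The error text in the log ("In order to perform this operation a successful bind must be completed on the connection", 000004DC) is Active Directory refusing a search that arrived on a connection with no bind: by default AD answers only RootDSE queries anonymously and rejects everything below it. The `ldapdn` lookup that is meant to turn the `sAMAccountName` into a DN therefore never returns, the lookup DEFERs, the whole `server_condition` expansion fails, and the client gets 435 (temporary) rather than 535. Exim's LDAP lookups accept `user=` and `pass=` settings in front of the URL (the same parameters the debug line "LDAP parameters: user=NULL pass=NULL ..." is reporting as unset), so the fix Jeremy is pointing at is to give that first lookup an identity of its own. The configuration below is an added example, not a config from this thread or from Exim's distribution. It assumes a read-only directory account `cn=exim-ldap-reader,cn=Users,dc=cyberfusion,dc=email`, a password file `/etc/exim4/ldap-bind.pass`, and that the same domain controller `dc0.cyberfusion.cloud` serves both the search and the authentication bind; none of those are in the original post.

```exim
# Macros: the directory, the read-only account that performs the DN lookup,
# and its password. The account name and the password file path are
# assumptions made for this example. The file should be owned by root, group
# readable by the Exim run-time user only (mode 0640), one line, and contain
# no double quotes or backslashes because the value lands inside pass="...".
LDAP_DC        = dc0.cyberfusion.cloud
LDAP_BASE      = cn=Users,dc=cyberfusion,dc=email
LDAP_BIND_DN   = cn=exim-ldap-reader,cn=Users,dc=cyberfusion,dc=email
LDAP_BIND_PASS = ${readfile{/etc/exim4/ldap-bind.pass}{}}

# Main section: both the service-account password and every user's password
# travel to the DC as LDAP simple binds, so require STARTTLS on ldap:// URLs
# and a verified server certificate (ldaps:// on 636 is the alternative).
ldap_start_tls    = true
ldap_require_cert = demand

begin authenticators

# Before (from the thread, abbreviated): the inner lookup carries no
# user=/pass=, so it is sent on an unbound connection and AD rejects it:
#   ${lookup ldapdn{ldap://LDAP_DC/LDAP_BASE??sub?(sAMAccountName=${quote_ldap:$auth1})}}

# After. Offer LOGIN only on a TLS session; reject an empty user name or an
# empty password up front (an empty password is an unauthenticated bind,
# which LDAP servers report as success); resolve the DN while bound as the
# service account; then bind as that DN with the password the client sent.
# Only the client-supplied $auth1 is filter-quoted; the DN in $value comes
# back from the directory and is used as-is as the bind name.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition = ${if and{{ !eq{}{$auth1} }{ !eq{}{$auth2} }} \
    {${lookup ldapdn{user="LDAP_BIND_DN" pass="LDAP_BIND_PASS" \
        ldap://LDAP_DC/LDAP_BASE??sub?(sAMAccountName=${quote_ldap:$auth1})} \
      {${if ldapauth{user="$value" pass=${quote:$auth2} ldap://LDAP_DC/}{yes}{no}}} \
      {no}}} \
    {no}}
  server_set_id = $auth1
```

The PLAIN authenticator gets the same `server_condition` with `$auth2` and `$auth3` in place of `$auth1` and `$auth2`. With the lookup's failure string set to `no`, an unknown account now yields "no" and a 535 to the client, while a directory that is unreachable or that rejects the service-account bind still makes the expansion fail and produces the 435 seen in the log, which is the right outcome for an infrastructure fault as opposed to a wrong password. The other way out, if the service account is unwanted, is to skip the lookup and bind directly: Active Directory accepts a userPrincipalName (`user@domain`) as the simple-bind name, so `ldapauth{user="${quote_ldap_dn:$auth1}@cyberfusion.email" ...}` (the UPN suffix is again an assumption) authenticates without ever searching the tree.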