LDAP authentication in Exim 4.0.5
Okay, I feel like beating my head against the wall.

I'm trying to do LDAP authentication in Exim 4.0.5

Here are my authenticators:

# Authentication for PLAIN (Netscape)
plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if ldapauth \
{ user="uid=${quote_ldap:$2},ou=People,ou=Email,o=CMS,c=US" pass="$3" \
ldap:///} {yes} {no} }
server_set_id= uid=$1,ou=People,ou=Email,o=CMS,c=US

# Authentication for LOGIN (Outlook)
login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${if ldapauth \
{ user="uid=${quote_ldap:$1},ou=People,ou=Email,o=CMS,c=US" \
pass="$2" \
ldap:///} {yes} {no} }
server_set_id= uid=$1,ou=People,ou=Email,o=CMS,c=US


I've tried both of these, using Netscape 6.2.3 and Outlook Express
respectively.

Running the exim server with the debug flag shows that the
server condition expands to "no", however, my LDAP server does
not show any attempt at a connection. What am I doing
wrong?


One thing to note: I'm using $2 and $3 as the username and
password. Debugging showed that $1 was blank, $2 contained
the username and $3 contained the password. Seems contrary
to the documentation.

--
David L. Harfst Computerized Medical Systems
Senior Systems Engineer St. Louis, Missouri
mailto:harfst@cms-stl.com http://www.cms-stl.com
Re: LDAP authentication in Exim 4.0.5
On Wed, 10 Jul 2002, David L. Harfst wrote:

> Running the exim server with the debug flag shows that the
> server condition expands to "no", however, my LDAP server does
> not show any attempt at a connection. What am I doing
> wrong?

Can't really help you with the LDAP bit - I'm no expert, but my test
suite has exactly the kind of LDAP calls you have quoted. What debug
output do you get? I see lines like this:

Binding with user=xxxx password=xxxx
Bind succeeded: ldapauth returns OK

Remember that Exim is running as the user "exim" while authenticating.
That might make a difference.

> One thing to note: I'm using $2 and $3 as the username and
> password. Debugging showed that $1 was blank, $2 contained
> the username and $3 contained the password. Seems contrary
> to the documentation.

That's correct for PLAIN authentication. LOGIN uses $1 and $2, as you
have got in your config.


--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
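The $1/$2/$3 mapping that Philip confirms above follows from the wire format of the two SASL mechanisms, and the whole thread turns on what the authenticator sees before it ever reaches LDAP. The following is an added, stand-alone example (not Exim's code, and not from anyone in the thread) that decodes an AUTH PLAIN response the way RFC 4616 defines it, models the two-prompt LOGIN exchange, and builds the bind DN used in the thread's server_condition. The DN check is a constructed stand-in for ${quote_ldap:...}, not a reimplementation of it, and the `bind` callable stands in for the ldapauth lookup so the logic can be exercised offline; the credentials used are constructed samples.

```python
"""Model what Exim's plaintext authenticator sees for PLAIN and LOGIN.

Added example, not Exim source: it reproduces the SASL wire formats so the
$1/$2/$3 mapping discussed in the thread can be checked without a server.
"""
import base64

# Characters that would let a submitted username add or alter RDNs in a DN.
# This set is a constructed check, not Exim's ${quote_ldap:...} operator.
DN_SPECIAL = set(',=+<>#;\\"\x00\r\n')


def decode_auth_plain(blob_b64: str) -> dict:
    """Decode a SASL PLAIN initial response (RFC 4616).

    The decoded bytes are: authzid NUL authcid NUL password.  Clients such
    as the Netscape build in the thread send an empty authzid, which is why
    Exim's $1 is blank, $2 holds the username and $3 holds the password.
    """
    raw = base64.b64decode(blob_b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"$1": authzid, "$2": authcid, "$3": passwd}


def encode_auth_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Encode a PLAIN response as a client would send it after AUTH PLAIN."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def login_exchange(username: str, passwd: str):
    """Model the LOGIN mechanism: two base64 prompts, two base64 replies.

    Exim's `server_prompts = Username:: : Password::` lists the two prompts;
    the doubled colons are how a literal ':' is written inside a
    colon-separated Exim list.  Each client reply fills the next $n, so
    LOGIN yields $1 = username and $2 = password.
    """
    prompts = ["Username:", "Password:"]
    replies = [username, passwd]
    wire = []      # (side, line) pairs as they would appear in a debug trace
    variables = {}
    for n, (prompt, reply) in enumerate(zip(prompts, replies), start=1):
        wire.append(("S", "334 " + base64.b64encode(prompt.encode()).decode()))
        wire.append(("C", base64.b64encode(reply.encode()).decode()))
        variables[f"${n}"] = reply
    return wire, variables


def build_bind_dn(authcid: str, base: str = "ou=People,ou=Email,o=CMS,c=US") -> str:
    """Build the bind DN the thread's server_condition passes to ldapauth.

    Refuses usernames containing DN metacharacters so a submitted name
    cannot inject extra RDNs; a real deployment relies on ${quote_ldap:...}.
    """
    if not authcid or any(c in DN_SPECIAL for c in authcid):
        raise ValueError("username contains LDAP DN metacharacters")
    return f"uid={authcid},{base}"


def server_condition(blob_b64: str, bind) -> str:
    """Mimic the authenticator's ${if ldapauth ...} {yes} {no} expansion.

    `bind(dn, password)` is an injected stand-in for the LDAP bind attempt,
    so a malformed response or an unsafe username yields "no" before any
    directory is contacted, and only a successful bind yields "yes".
    """
    try:
        v = decode_auth_plain(blob_b64)
        dn = build_bind_dn(v["$2"])
    except ValueError:          # covers bad base64 (binascii.Error) too
        return "no"
    return "yes" if bind(dn, v["$3"]) else "no"


if __name__ == "__main__":
    # Constructed sample credential, matching the placeholders in the thread.
    blob = encode_auth_plain("username", "plntxtpswd")
    print("AUTH PLAIN", blob, "->", decode_auth_plain(blob))
    for side, line in login_exchange("username", "plntxtpswd")[0]:
        print(side, line)
    fake_bind = lambda dn, pw: pw == "plntxtpswd"
    print("server_condition:", server_condition(blob, fake_bind))
```

Running it shows a blank $1 for PLAIN and a populated $1 for LOGIN, which is exactly the difference between the two authenticators in David's configuration.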
Re: LDAP authentication in Exim 4.0.5
David,

At 15:13 (GMT-0500) on 10-July-2002, David L. Harfst wrote:
> Okay, I feel like beating my head against the wall.
>
> I'm trying to do LDAP authentication in Exim 4.0.5
>
> Here are my authenticators:
>
> # Authentication for PLAIN (Netscape)
> plain:
> driver = plaintext
> public_name = PLAIN
> server_condition = ${if ldapauth \
> { user="uid=${quote_ldap:$2},ou=People,ou=Email,o=CMS,c=US" pass="$3" \
> ldap:///} {yes} {no} }
> server_set_id= uid=$1,ou=People,ou=Email,o=CMS,c=US
>
> # Authentication for LOGIN (Outlook)
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = Username:: : Password::
> server_condition = ${if ldapauth \
> { user="uid=${quote_ldap:$1},ou=People,ou=Email,o=CMS,c=US" \
> pass="$2" \
> ldap:///} {yes} {no} }
> server_set_id= uid=$1,ou=People,ou=Email,o=CMS,c=US
>
>
> I've tried both of these, using Netscape 6.2.3 and Outlook Express
> respectively.
>
> Running the exim server with the debug flag shows that the
> server condition expands to "no", however, my LDAP server does
> not show any attempt at a connection. What am I doing
> wrong?

Have you set an LDAP host in your configuration file (i.e. set
ldap_default_servers)?

In the debugging, you should see something like

LDAP parameters: ......
perform_ldap_search: ldapm URL ="ldap:///uid=xxx,ou=People,ou=Email,o=CMS,c=US?......
Initialized connection with LDAP server SOME_HOST_NAME
LDAP_OPT_X_TLS_TRY ....
Binding with user=..... password=....
Initialized connection with LDAP server SOME_HOST_NAME

and this will tell you which LDAP server log to go and check.

Douglas.

--

================================
Douglas GRAY STEPHENS
Technical Architect (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone +44 1223 325295
Mobile +44 773 0051628
Fax +44 1223 311830
Email DGrayStephens@slb.com
================================
Re: LDAP authentication in Exim 4.0.5
Philip Hazel wrote:
>
> On Wed, 10 Jul 2002, David L. Harfst wrote:
>
> > Running the exim server with the debug flag shows that the
> > server condition expands to "no", however, my LDAP server does
> > not show any attempt at a connection. What am I doing
> > wrong?
>
> Can't really help you with the LDAP bit - I'm no expert, but my test
> suite has exactly the kind of LDAP calls you have quoted. What debug
> output do you get? I see lines like this:
>
> Binding with user=xxxx password=xxxx
> Bind succeeded: ldapauth returns OK
>
> Remember that Exim is running as the user "exim" while authenticating.
> That might make a difference.
>

I'm not getting anything indicating that there is any LDAP call
going on at all.

SMTP<< AUTH PLAIN EncodedString==
plain authenticator:
$1 =
$2 = username
$3 = plntxtpswd
expanded string: no
SMTP>> 535 Incorrect authentication data

Other LDAP calls for address processing are working fine.

--
David L. Harfst Computerized Medical Systems
Senior Systems Engineer St. Louis, Missouri
mailto:harfst@cms-stl.com http://www.cms-stl.com
Re: LDAP authentication in Exim 4.0.5
On Thu, 11 Jul 2002, David L. Harfst wrote:

> I'm not getting anything indicating that there is any LDAP call
> going on at all.

Perhaps you can send me an unedited copy of the debug output, just in
case I can spot something.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: LDAP authentication in Exim 4.0.5
Douglas Gray Stephens wrote:
>
> have you set an LDAP host in your configuration file (i.e. set
> ldap_default_servers)?
>
> In the debugging, you should see something like
>
> LDAP parameters: ......
> perform_ldap_search: ldapm URL ="ldap:///uid=xxx,ou=People,ou=Email,o=CMS,c=US?......
> Initialized connection with LDAP server SOME_HOST_NAME
> LDAP_OPT_X_TLS_TRY ....
> Binding with user=..... password=....
> Initialized connection with LDAP server SOME_HOST_NAME
>
> and this will tell you which LDAP server log to go and check.
>
> Douglas.
>

ldap_default_servers is set. There is only one server.
Other LDAP calls, for address resolution/verification for
example, are working fine.

Debug shows the following:

SMTP<< AUTH PLAIN EncodedString==
plain authenticator:
$1 =
$2 = username
$3 = plntxtpswd
expanded string: no
SMTP>> 535 Incorrect authentication data

Network sniffer shows no attempt to contact the LDAP server
(which is on a different host).

--
David L. Harfst Computerized Medical Systems
Senior Systems Engineer St. Louis, Missouri
mailto:harfst@cms-stl.com http://www.cms-stl.com
Re: LDAP authentication in Exim 4.0.5
On Thu, 11 Jul 2002, David L. Harfst wrote:

> ldap_default_servers is set. There is only one server.
> Other LDAP calls, for address resolution/verification for
> example, are working fine.

<strawgrasp>
Are you just starting trying to get authentication working? Did you add
LDAP authentication to the configuration file and forget to HUP the
daemon?
</strawgrasp>

Try adding a server_debug_print option to the authenticator. At least
that would confirm that you are seeing output from the configuration you
think you are dealing with.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: LDAP authentication in Exim 4.0.5
Philip Hazel wrote:

> Perhaps you can send me an unedited copy of the debug output, just in
> case I can spot something.
>

# /usr/lib/sendmail -bd -q15m -d+all-memory-load-queue_run-process_info
Exim version 4.05 uid=0 gid=0 pid=16359 L=834cd8 D=fffc5fff
Berkeley DB: Sleepycat Software: Berkeley DB 3.3.11: (July 12, 2001)
changed uid/gid: forcing real = effective
uid=0 gid=0
auxiliary group list: <none>
trusted user
admin user
originator: uid=0 gid=0 login=root name=root
listening on all interfaces (IPv4) port 25
pid written to /var/spool/exim/exim-daemon.pid
changed uid/gid: running the daemon
uid=52 gid=52
auxiliary group list: <none>
LOG: MAIN
exim 4.05 daemon started: pid=16359, -q15m, listening for SMTP on port 25 (IPv4)
daemon running with uid=52 gid=52 euid=52 egid=52
SIGALRM received
1 queue-runner process running
Listening...
Starting queue-runner: pid 16360
exec /usr/exim/bin/exim -q
child 16360 ended: status=0x0
0 queue-runner processes now running
Listening...
Connection request from 172.16.52.92 port 1114
1 SMTP accept process running
Listening...
interface address=172.16.1.1 port=25
host in rfc1413_hosts? yes (matched "*")
doing ident callback
ident connection to 172.16.52.92 failed: Connection refused
sender_fullhost = [172.16.52.92]
sender_rcvhost = [172.16.52.92]
Process 16434 is handling incoming connection from [172.16.52.92]
checking for IP options
no IP options found
host in host_lookup? yes (matched "*")
looking up host name for 172.16.52.92
IP address lookup yielded dhcp172-16-52-92.cms-stl.com
dhcp172-16-52-92.cms-stl.com 172.16.52.92
checking addresses for dhcp172-16-52-92.cms-stl.com
172.16.52.92
sender_fullhost = dhcp172-16-52-92.cms-stl.com [172.16.52.92]
sender_rcvhost = dhcp172-16-52-92.cms-stl.com ([172.16.52.92])
host in host_reject_connection? no (option unset)
host in sender_unqualified_hosts? no (option unset)
host in recipient_unqualified_hosts? no (option unset)
host in helo_verify_hosts? no (option unset)
host in helo_try_verify_hosts? yes (matched "*")
host in helo_accept_junk_hosts? no (option unset)
LOG: smtp_connection MAIN
SMTP connection from dhcp172-16-52-92.cms-stl.com [172.16.52.92] (TCP/IP connection count = 1)
SMTP>> 220 mailman.cms-stl.com ESMTP Exim 4.05 Thu, 11 Jul 2002 07:41:25 -0500
Process 16434 is ready for new message
smtp_setup_msg entered
SMTP<< EHLO cms-stl.com
sender_fullhost = dhcp172-16-52-92.cms-stl.com (cms-stl.com) [172.16.52.92]
sender_rcvhost = dhcp172-16-52-92.cms-stl.com ([172.16.52.92] helo=cms-stl.com)
verifying EHLO cms-stl.com
getting IP address for cms-stl.com
host not found
EHLO verification failed but host is in helo_try_verify_hosts
host in auth_advertise_hosts? yes (matched "*")
SMTP>> 250-mailman.cms-stl.com Hello dhcp172-16-52-92.cms-stl.com [172.16.52.92]
250-SIZE 52428800
250-ETRN
250-EXPN
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
SMTP<< AUTH PLAIN xxxxxxxxxxxxxxxxxxxxxx==
plain authenticator:
$1 =
$2 = xxxxxx
$3 = xxxxxxxx
expanded string: no
SMTP>> 535 Incorrect authentication data
LOG: MAIN REJECT
Authentication failed for dhcp172-16-52-92.cms-stl.com (cms-stl.com) [172.16.52.92]: 535 Incorrect authentication data (set_id=uid=xxxxxx,ou=People,ou=Email,o=CMS,c=US)
SMTP>> 421 mailman.cms-stl.com lost input connection
LOG: smtp_connection MAIN
SMTP connection from dhcp172-16-52-92.cms-stl.com (cms-stl.com) [172.16.52.92] lost
search_tidyup called
child 16434 ended: status=0x100
0 SMTP accept processes now running
Listening...

--
David L. Harfst Computerized Medical Systems
Senior Systems Engineer St. Louis, Missouri
mailto:harfst@cms-stl.com http://www.cms-stl.com
Re: LDAP authentication in Exim 4.0.5
Philip Hazel wrote:
>
> On Thu, 11 Jul 2002, David L. Harfst wrote:
>
> > ldap_default_servers is set. There is only one server.
> > Other LDAP calls, for address resolution/verification for
> > example, are working fine.
>
> <strawgrasp>
> Are you just starting trying to get authentication working? Did you add
> LDAP authentication to the configuration file and forget to HUP the
> daemon?
> </strawgrasp>

Nice try. Not the case. I'm killing and restarting the server every
time I make a config change.

>
> Try adding a server_debug_print option to the authenticator. At least
> that would confirm that you are seeing output from the configuration you
> think you are dealing with.

Okay. It prints "no".


--
David L. Harfst Computerized Medical Systems
Senior Systems Engineer St. Louis, Missouri
mailto:harfst@cms-stl.com http://www.cms-stl.com
Re: LDAP authentication in Exim 4.0.5
On Thu, Jul 11, 2002 at 08:14:42AM -0500, David L. Harfst wrote:

| ldap_default_servers is set. There is only one server.
| Other LDAP calls, for address resolution/verification for
| example, are working fine.
|
| Debug shows the following:
|
| SMTP<< AUTH PLAIN EncodedString==
| plain authenticator:
| $1 =
| $2 = username
| $3 = plntxtpswd
| expanded string: no
| SMTP>> 535 Incorrect authentication data
|
| Network sniffer shows no attempt to contact the LDAP server
| (which is on a different host).

Just some thoughts,

Have you tried explicitly stating the host in the authenticator? Eg :

server_condition = ${if ldapauth \
{user="uid=${quote_ldap:$2},ou=People,o=International Teams" \
pass="$3" \
ldap://deborah.iteams.org/} \
{yes} {no} }

This does in fact work for me (though I'm not actually using it now, I
did test it back when I started experimenting with AUTH and LDAP).


Have you tried putting a different string or a different query in,
just to get different results? What happens if you put
server_condition = ${if eq {$3} {secret} {yes}{no}}
and send 'secret' as the password? Does that work as expected?

-D

--

If we claim to be without sin, we deceive ourselves and the truth is not
in us.
I John 1:8

http://dman.ddts.net/~dman/

Re: Re: LDAP authentication in Exim 4.0.5
Derrick 'dman' Hudson wrote:
> Just some thoughts,
>
> Have you tried explicitly stating the host in the authenticator? Eg :
>
> server_condition = ${if ldapauth \
> {user="uid=${quote_ldap:$2},ou=People,o=International Teams" \
> pass="$3" \
> ldap://deborah.iteams.org/} \
> {yes} {no} }
>
> This does in fact work for me (though I'm not actually using it now, I
> did test it back when I started experimenting with AUTH and LDAP).
>
> Have you tried putting a different string or a different query in,
> just to get different results? What happens if you put
> server_condition = ${if eq {$3} {secret} {yes}{no}}
> and send 'secret' as the password? Does that work as expected?
>

It doesn't matter what I put in the query - it's not running
the query. It evaluates to false without even making the
LDAP call.


--
David L. Harfst Computerized Medical Systems
Senior Systems Engineer St. Louis, Missouri
mailto:harfst@cms-stl.com http://www.cms-stl.com
Re: LDAP authentication in Exim 4.0.5
Philip helped me out with some debug statements in the code.

Turns out the problem was whitespace:
server_condition = ${if ldapauth { user="uid=...
                                  ^

It didn't like the space between the "{" and "user".


"David L. Harfst" wrote:
>
> Okay, I feel like beating my head against the wall.
>
> I'm trying to do LDAP authentication in Exim 4.0.5
>
> Here are my authenticators:
>
> # Authentication for PLAIN (Netscape)
> plain:
> driver = plaintext
> public_name = PLAIN
> server_condition = ${if ldapauth \
> { user="uid=${quote_ldap:$2},ou=People,ou=Email,o=CMS,c=US" pass="$3" \
> ldap:///} {yes} {no} }
> server_set_id= uid=$1,ou=People,ou=Email,o=CMS,c=US
>
> # Authentication for LOGIN (Outlook)
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = Username:: : Password::
> server_condition = ${if ldapauth \
> { user="uid=${quote_ldap:$1},ou=People,ou=Email,o=CMS,c=US" \
> pass="$2" \
> ldap:///} {yes} {no} }
> server_set_id= uid=$1,ou=People,ou=Email,o=CMS,c=US
>
> I've tried both of these, using Netscape 6.2.3 and Outlook Express
> respectively.
>
> Running the exim server with the debug flag shows that the
> server condition expands to "no", however, my LDAP server does
> not show any attempt at a connection. What am I doing
> wrong?
>
> One thing to note: I'm using $2 and $3 as the username and
> password. Debugging showed that $1 was blank, $2 contained
> the username and $3 contained the password. Seems contrary
> to the documentation.
>

--
David L. Harfst Computerized Medical Systems
Senior Systems Engineer St. Louis, Missouri
mailto:harfst@cms-stl.com http://www.cms-stl.com
Re: LDAP authentication in Exim 4.0.5
On Fri, 12 Jul 2002, David L. Harfst wrote:

> It didn't like the space between the "{" and "user".

Needless to say, I'm going to fix this infelicity.

And also, the wider one - if it finds a syntax error, it should be
diagnosing it, not just silently yielding false. (Both these are
essentially typos in the code caused by thinkos in my brain.)

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.