So the bind authorization is succeeding, which leaves me with the question
of why I can do a 'real' authentication with the account 'foo' and the
password 'foo':
10:37:07 120872 ├──expanding: ${if and{ { !eq{}{$auth1} } { ldapauth { user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
10:37:07 120872 ╰─────result: true
10:37:07 120872 expanded string: true
10:37:07 120872 ╭considering: $auth1
10:37:07 120872 ├──────value: foo
10:37:07 120872 ╰──(tainted)
10:37:07 120872 ├──expanding: $auth1
10:37:07 120872 ╰─────result: foo
10:37:07 120872 ╰──(tainted)
10:37:07 120872 SMTP>> 235 Authentication succeeded
On Thu, Apr 10, 2025 at 9:31 AM Jeremy Harris via Exim-users <
[email protected]> wrote:
> On 2025/04/10 3:00 PM, Johnnie W Adams via Exim-users wrote:
> > I don't know how much of the configuration you want to see, but here's the
> > lookup:
> >
> > user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} \
> > pass=${quote:$auth2} \
> > ldaps://auth.example.com/ \
>
> If you want to see what happened with that lookup, use Exim's debug
> facilities.
> If it's a busy exim daemon you'll be best off with ACL-triggered debug;
> if it's only you then just run the daemon with a command-line option for
> debug.
> --
> Cheers,
> Jeremy
>
> --
> ## subscription configuration (requires account):
> ##
> https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
> ## unsubscribe (doesn't require an account):
> ## [email protected]
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | [email protected] | http://ualr.edu/itservices
*UA Little Rock*
Reminder: IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts. For more information or to
report suspicious email, visit IT Security
<http://ualr.edu/itservices/security/>.