Here it is, using 'foo' as both account and password:
14:16:37 121712 login authenticator server_condition:
14:16:37 121712 $auth1 = foo
14:16:37 121712 $auth2 = foo
14:16:37 121712 $1 = foo
14:16:37 121712 $2 = foo
14:16:37 121712 ╭considering: ${if and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ╭considering: }{$auth1} } { ldapauth { user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ├──expanding:
14:16:37 121712 ╰─────result:
14:16:37 121712 ╭considering: $auth1} } { ldapauth { user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ├──────value: foo
14:16:37 121712 ╰──(tainted)
14:16:37 121712 ├considering: } } { ldapauth { user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ├──expanding: $auth1
14:16:37 121712 ╰─────result: foo
14:16:37 121712 ╰──(tainted)
14:16:37 121712 ╭considering: user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ├───────text: user=
14:16:37 121712 ├considering: ${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ╭considering:
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ├───────text:
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=
14:16:37 121712 ├considering: ${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ╎╭considering: $auth1})}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }
14:16:37 121712 ╎├──────value: foo
14:16:37 121712 ╎ ╰──(tainted)
14:16:37 121712 ╎├considering: })}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }
14:16:37 121712 ╎├──expanding: $auth1
14:16:37 121712 ╎╰─────result: foo
14:16:37 121712 ╎ ╰──(tainted)
14:16:37 121712 ├─────op-res: foo
14:16:37 121712 ╰──(tainted, quoted:ldap)
14:16:37 121712 ├considering: )}} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }
14:16:37 121712 ├───────text: )
14:16:37 121712 ├considering: }} pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }
14:16:37 121712 ├──expanding:
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})
14:16:37 121712 ╰─────result:
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)
14:16:37 121712 ╰──(tainted, quoted:ldap)
14:16:37 121712 search_open: ldapdn "NULL"
14:16:37 121712 search_find: file="NULL"
14:16:37 121712
key="user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)"
partial=-1 affix=NULL starflags=0 opts=NULL
14:16:37 121712 LRU list:
14:16:37 121712 :/etc/exim/dropped_helo_names
14:16:37 121712 End
14:16:37 121712 internal_search_find: file="NULL"
14:16:37 121712 type=ldapdn
key="user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)"
opts=NULL
14:16:37 121712 database lookup required for
user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)
14:16:37 121712 (tainted, quoted:ldap)
14:16:37 121712 LDAP parameters:
user=CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com
pass=password size=0 time=0 connect=0 dereference=0 referrals=on
14:16:37 121712 perform_ldap_search: ldapdn URL = "ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=foo)"
server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
14:16:37 121712 after ldap_url_parse: host=auth.example.com port=636
14:16:37 121712 ldap_initialize with URL ldaps://auth.example.com:636/
14:16:37 121712 initialized for LDAP (v3) server auth.example.com:636
14:16:37 121712 LDAP_OPT_X_TLS_HARD set due to ldaps:// URI
14:16:37 121712 binding with
user=CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com
password=password
14:16:37 121712 Start search
14:16:37 121712 search ended by ldap_result yielding 101
14:16:37 121712 ldap_parse_result: 0
14:16:37 121712 ldap_parse_result yielded 0: Success
14:16:37 121712 LDAP search: no results
14:16:37 121712 creating new cache entry
14:16:37 121712 lookup failed
14:16:37 121712 ├───item-res:
14:16:37 121712 ├considering: pass=${quote:$auth2} ldaps://
auth.example.com/ } } } }
14:16:37 121712 ├───────text: pass=
14:16:37 121712 ├considering: ${quote:$auth2} ldaps://auth.example.com/ }
} } }
14:16:37 121712 ╭considering: $auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ├──────value: foo
14:16:37 121712 ╰──(tainted)
14:16:37 121712 ├considering: } ldaps://auth.example.com/ } } } }
14:16:37 121712 ├──expanding: $auth2
14:16:37 121712 ╰─────result: foo
14:16:37 121712 ╰──(tainted)
14:16:37 121712 ├─────op-res: foo
14:16:37 121712 ╰──(tainted)
14:16:37 121712 ├considering: ldaps://auth.example.com/ } } } }
14:16:37 121712 ├───────text: ldaps://auth.example.com/
14:16:37 121712 ├considering: } } } }
14:16:37 121712 ├──expanding: user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/
14:16:37 121712 ╰─────result: user= pass=foo ldaps://auth.example.com/
14:16:37 121712 ╰──(tainted)
14:16:37 121712 LDAP parameters: user= pass=foo size=0 time=0 connect=0
dereference=0 referrals=on
14:16:37 121712 perform_ldap_search: ldapauth URL = "ldaps://
auth.example.com/ " server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
14:16:37 121712 after ldap_url_parse: host=auth.example.com port=636
14:16:37 121712 re-using cached connection to LDAP server
auth.example.com:636
14:16:37 121712 re-binding with user= password=foo
14:16:37 121712 Bind succeeded: ldapauth returns OK
14:16:37 121712 ├──condition: and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } }
14:16:37 121712 ├─────result: true
14:16:37 121712 ├──expanding: ${if and{ { !eq{}{$auth1} } { ldapauth {
user=${lookup
ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
pass="password" ldaps://
auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
pass=${quote:$auth2} ldaps://auth.example.com/ } } } }
14:16:37 121712 ╰─────result: true
14:16:37 121712 expanded string: true
14:16:37 121712 ╭considering: $auth1
14:16:37 121712 ├──────value: foo
14:16:37 121712 ╰──(tainted)
14:16:37 121712 ├──expanding: $auth1
14:16:37 121712 ╰─────result: foo
14:16:37 121712 ╰──(tainted)
14:16:37 121712 SMTP>> 235 Authentication succeeded
14:16:37 121712 tls_write(0x56246e2fd368, 30)
14:16:37 121712 SSL_write(0x56246e60e870, 0x56246e2fd368, 30)
14:16:37 121712 outbytes=30 error=0
14:16:37 121712 Calling SSL_read(0x56246e60e870, 0x56246e611768, 4096)
On Thu, Apr 10, 2025 at 2:12 PM Jeremy Harris via Exim-users <
[email protected]> wrote:
> On 2025/04/10 6:29 PM, Johnnie W Adams via Exim-users wrote:
> > server_condition = ${if and{ \
> > { !eq{}{$auth1} } \
> > { ldapauth { \
> > user=${lookup
> >
> ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
> > pass="password" ldaps://
> >
> auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})
> }}
> > \
> > pass=${quote:$auth2} \
> > ldaps://auth.example.com/ \
> > } \
> > } \
> > } \
> > }
>
> Okay, so there's two LDAP accesses being done for the server_condition - a
> lookup expansion
> and an ldapauth condition - and we've only seen one in debug output, and
> mentioned only in string-expansion.
> I agree with Evgeniy: need more debug. Try again with "+all" - and don't
> trim the start
> and end too harshly.
>
> > I'm unsure how much of the exim.conf file you'd like me to post
>
> The authenticator config was the important bit, so we have that now.
> --
> Cheers,
> Jeremy
>
> --
> ## subscription configuration (requires account):
> ##
> https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
> ## unsubscribe (doesn't require an account):
> ## [email protected]
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | [email protected] | http://ualr.edu/itservices
*UA Little Rock*
Reminder: IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts. For more information or to
report suspicious email, visit IT Security
<http://ualr.edu/itservices/security/>.
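
In the trace above, the ldapdn lookup ends with "lookup failed", the ldapauth condition then logs "re-binding with user= password=foo", and the bind succeeds. The following is an added example, not part of the original message and not Exim code: a checker that scans Exim debug output in this format and reports every ldapauth bind that succeeded with an empty user DN. The function names are hypothetical and the sample lines are constructed from the trace, with a second session (PID 121800, user jdoe) made up for contrast.

```python
import re

# Exim debug lines start with "HH:MM:SS PID "; mail-wrapped continuation lines do not.
PREFIX = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\d+)\s?(.*)$")
# Matches both "binding with user=... password=..." and the "re-binding" form.
BIND = re.compile(r"^(?:re-)?binding with\s+user=(.*?)\s*password=")

def logical_lines(text):
    """Rejoin wrapped continuation lines onto their timestamped line."""
    out = []
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if m:
            out.append([m.group(1), m.group(2), m.group(3)])
        elif out and raw.strip():
            out[-1][2] += " " + raw.strip()
    return out

def empty_dn_binds(text):
    """Return (time, pid) for each successful ldapauth bind made with an empty DN."""
    pending = {}  # pid -> (time, dn) of the most recent bind attempt
    hits = []
    for ts, pid, msg in logical_lines(text):
        m = BIND.match(msg)
        if m:
            pending[pid] = (ts, m.group(1).strip())
        elif msg.startswith("Bind succeeded: ldapauth returns OK"):
            ts0, dn = pending.pop(pid, (ts, None))
            if dn == "":
                hits.append((ts0, pid))
    return hits

# Constructed sample: PID 121712 follows the trace above, PID 121800 is invented.
SAMPLE = """\
14:16:37 121712 binding with
user=CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com
password=password
14:16:37 121712 LDAP search: no results
14:16:37 121712 lookup failed
14:16:37 121712 re-binding with user= password=foo
14:16:37 121712 Bind succeeded: ldapauth returns OK
14:20:01 121800 re-binding with
user=CN=jdoe,OU=Service Accounts,DC=ad,DC=example,DC=com password=x
14:20:01 121800 Bind succeeded: ldapauth returns OK
"""

if __name__ == "__main__":
    for ts, pid in empty_dn_binds(SAMPLE):
        print(f"{ts} pid {pid}: ldapauth bind succeeded with empty user DN")
```

Each hit is a login that was accepted on a bind carrying no user DN; the bind with a non-empty DN in the second session is not reported.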