On Wed, Apr 16, 2025 at 4:56 PM Jeremy Harris via Exim-users <
[email protected]> wrote:
> On 2025/04/16 4:38 PM, Johnnie W Adams via Exim-users wrote:
>
> > 10:27:42 160885 re-binding with user=1 password=inner_password
>
> we move on to the "ldapauth" operation. That "1" you arranged to return from the
> inner lookup is used here, for "user=1". This feels bogus, but results from
> your coding of the config.
>
> > 10:27:42 160885 Invalid credentials: ldapauth returns FAIL
>
> ... and it fails. Is this what you wanted?

Honestly, I was flailing around, trying to mitigate the issue, but I think
that's a fool's errand. I'm abandoning trying to make this syntax work.

So I have two questions.

The first is, if this is CVE-worthy, who takes that forward?

The second is, in the meantime, I've got a very small number of users which
need authentication--less than a dozen. I'm thinking about installing some
sort of local authentication--maybe gdbm. Is that a reasonable path to take?

Thanks,

John A