From 450b99e971e227ef6523c5998abad026fdff78f9 Mon Sep 17 00:00:00 2001 From: Tony Finch Date: Fri, 15 Feb 2008 13:19:30 +0000 Subject: [PATCH] Note an LDAP gotcha pointed out by Robert Bannocks. --- doc/doc-docbook/spec.xfpt | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 836142047..bc62a3732 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.35 2008/02/15 13:13:43 fanf2 Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.36 2008/02/15 13:19:30 fanf2 Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is 
@@ -23571,17 +23571,20 @@ login: driver = plaintext public_name = LOGIN server_prompts = Username:: : Password:: - server_condition = ${if ldapauth \ - {user="cn=${quote_ldap_dn:$auth1},ou=people,o=example.org" \ - pass=${quote:$auth2} \ - ldap://ldap.example.org/}} + server_condition = ${if and{{ + !eq{}{$auth1} }{ \ + ldapauth{user="cn=${quote_ldap_dn:$auth1},ou=people,o=example.org" \ + pass=${quote:$auth2} \ + ldap://ldap.example.org/} }} } server_set_id = uid=$auth1,ou=people,o=example.org .endd -Note the use of the &%quote_ldap_dn%& operator to correctly quote the DN for -authentication. However, the basic &%quote%& operator, rather than any of the -LDAP quoting operators, is the correct one to use for the password, because -quoting is needed only to make the password conform to the Exim syntax. At the -LDAP level, the password is an uninterpreted string. +We have to check that the username is not empty before using it, because LDAP +does not permit empty DN components. We must also use the &%quote_ldap_dn%& +operator to correctly quote the DN for authentication. However, the basic +&%quote%& operator, rather than any of the LDAP quoting operators, is the +correct one to use for the password, because quoting is needed only to make +the password conform to the Exim syntax. At the LDAP level, the password is an +uninterpreted string. -- 2.30.2
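Review bot: The first added line of the new server_condition, "server_condition = ${if and{{", ends without the trailing backslash that every other continued line in the example carries, so anyone copying the example into a configuration gets a setting that stops at "and{{". Suggest ending that line with " \" like the lines below it. Separately, the new guard tests only $auth1, and the rewritten paragraph explains only the empty-username case. An empty $auth2 still reaches ldapauth, and an LDAP server may treat a bind with a DN and an empty password as an unauthenticated bind rather than a failure. Consider adding a second condition such as "{ !eq{}{$auth2} }" to the and{} list, or say in the paragraph why the password needs no such check.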