# This file is managed by Helm
#
# LDAP authentication for clients to authenticate to exim
#

# See https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html

# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
# use), an authentication ID, and a password. The latter two appear as
# $auth2 and $auth3 in the configuration and should be checked against a
# valid username and password. In a real configuration you would typically
# use $auth2 as a lookup key, and compare $auth3 against the result of the
# lookup, perhaps using the crypteq{}{} condition.
#
# ldap_plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $auth2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
#   .endif

# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.
#
ldap_login_server:
  # This basically tries to authenticate to the LDAP server using
  # the credentials supplied by the user.  Some slight gymnastics
  # are required to translate the user name (as supplied by the
  # user) into a DN which can be used for authentication.
  #
  # Flow: the client-supplied username ($auth1) is placed in an LDAP
  # search filter, the matching entry's DN is fetched with an ldapdn
  # lookup, and that DN together with the client-supplied password
  # ($auth2) is used for an LDAP bind (ldapauth).  The client is
  # accepted only if that bind succeeds.
  #
  # Input hygiene: $auth1 and $auth2 come straight from the SMTP client.
  # Newlines are stripped with ${sg{...}{\n}{}}, and the username is
  # passed through ${quote_ldap:...} so filter metacharacters cannot
  # change the meaning of the search.  The password is wrapped with
  # ${quote:...} rather than quote_ldap because it is a bind credential,
  # not filter text.
  #
  # Helm: when .Values.ldap.auth.enabled is set, both ldapdn lookups are
  # given user=/pass= taken from the LDAP_USER / LDAP_PASSWORD environment
  # variables; the "fail" branch of ${env{...}} forces the whole expansion
  # to fail if either variable is unset, rather than silently falling back
  # to an anonymous search.  The "{{-" trim markers keep the backslash
  # line continuations intact whichever way the template renders.
  # LDAP_BASE (like CONFDIR in the commented-out examples above) is
  # presumably an Exim macro defined elsewhere in the configuration --
  # confirm.
  driver = plaintext
  public_name = LOGIN
  # "::" is how a literal colon is written inside this colon-separated
  # prompt list.
  server_prompts = "Username:: : Password::"

  # This will only be emitted when authentication debugging is enabled (i.e. when `-d+auth` is given to `/run-exim`)
  # It repeats the DN lookup done in server_condition below and prints the
  # resulting DN.  Only $auth1 (the username) is referenced here, so the
  # client's password never reaches the debug output.
  server_debug_print = Found User <<${lookup ldapdn{\
                                                      {{- if .Values.ldap.auth.enabled }}
                                                      user=${quote_ldap:${env{LDAP_USER}{$value} fail }} \
                                                      pass=${quote_ldap:${env{LDAP_PASSWORD}{$value} fail }} \
                                                      {{- end }}
                                                      ldap:///LDAP_BASE??sub?\
                                                      (&\
                                                        ({{ .Values.ldap.uidAttribute }}=${quote_ldap:${sg{$auth1}{\n}{}}})\
                                                        ({{ .Values.ldap.userFilter }})\
                                                      )\
                                                     } \
                                       }>>

  # The search is restricted to entries matching both the uidAttribute
  # and the configured userFilter, so accounts outside the filter cannot
  # authenticate even if their DN is otherwise valid.
  # NOTE(review): if the ldapdn lookup matches no entry, the user="..."
  # value passed to ldapauth is empty.  Confirm that ldapauth (or the
  # directory server) rejects a bind with an empty DN instead of treating
  # an anonymous/unauthenticated bind as a successful authentication.
  server_condition = ${if \
         ldapauth{\
                   user="${lookup ldapdn{\
                                           {{- if .Values.ldap.auth.enabled }}
                                           user=${quote_ldap:${env{LDAP_USER}{$value} fail }} \
                                           pass=${quote_ldap:${env{LDAP_PASSWORD}{$value} fail }} \
                                           {{- end }}
                                           ldap:///LDAP_BASE??sub?\
                                           (&\
                                             ({{ .Values.ldap.uidAttribute }}=${quote_ldap:${sg{$auth1}{\n}{}}})\
                                             ({{ .Values.ldap.userFilter }})\
                                           )\
                                        }\
                          }" \
                   pass=${quote:${sg{$auth2}{\n}{}}} \
                   ldap:///LDAP_BASE \
                   } \
       }
  # The id Exim records for the authenticated session is the username as
  # the client sent it (newlines removed), not the resolved DN.
  server_set_id = ${sg{$auth1}{\n}{}}

  # Unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined, LOGIN is only
  # advertised when the connection is TLS-protected ($tls_in_cipher is
  # non-empty), so cleartext passwords are never solicited.
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  .endif

# cram_md5_server:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
#   server_set_id = $auth1

# Local Variables:
# mode: conf-space
# compile-command: "make -C ../../../.. diff"
# End:
