Hello David,

have you thought about another solution: OpenLDAP 2.0, Cyrus-IMAP 2.0.16 and Cyrus-Sasl 1.5.24 (with ldap-search.patch from http://www.surf.org.uk )? I have attached our cookbook for this solution.

Regards,
Dirk

Rein Tollevik schrieb:
> On Mon, 6 Aug 2001, David Wright wrote:
>
> > I and quite a few other users of the cyrus-imapd system have found a
> > problem which occurs exclusively when we authenticate using the PAM
> > module pam_ldap linked against the OpenLDAP 2.0.x libraries. I am
> > writing to ask whether this bug and any potential solutions are known to
> > the wider OpenLDAP and pam_ldap communities.
> >
> > The basic problem is that, with the authentication scheme mentioned,
> > imapd segfaults when pam_ldap returns success. Like anyone presented
> > with this problem, I initially presumed the problem lay with cyrus-imapd
> > (or with the cyrus-sasl library it uses). More careful investigation
> > tends to cast suspicion elsewhere:
>
> I'm quite sure this problem is within the cyrus-sasl 1.5.x library,
> and is, as was mentioned by somebody else on the OpenLDAP list, related
> to the memory allocations done within the cyrus-sasl library.
>
> When cyrus-imapd starts, it sets the memory allocation functions for the
> sasl library using sasl_set_alloc(), calls sasl_server_init() and starts
> using the library functions. When the sasl library is configured to
> use pam, which again uses pam_ldap, the OpenLDAP 2.x library is loaded.
> This library also calls sasl_set_alloc(), followed by sasl_client_init().
> Now the sasl library behaves as a client (from within the ldap library),
> memory is (de)allocated using the memory management functions installed by
> the OpenLDAP library, and everything still works as it should.
>
> The problem arises when pam_ldap returns to the sasl library, now acting
> as a server again. It deallocates the memory it previously allocated
> (which was done with the functions installed by imapd), but this is now
> done with the incompatible functions installed by the OpenLDAP library,
> and havoc breaks loose.
>
> A real fix would involve a redesign of the sasl library. At least it
> should have separate sets of server- and client global variables, or
> preferably, store everything it needs in a context created by the
> sasl_*_init() functions. No, I haven't looked at the 2.x version
> of the library, so I don't know if something like this is what we might
> expect there. And no, I won't disagree with anyone stating that calls
> to sasl_set_alloc() are best left to the application and should not be
> done by libraries.
>
> In the meantime, you may try the patch to the sasl 1.5.24 library I have
> attached. In effect, it makes sasl_set_alloc() a one-time-only function
> that must be called before sasl_*_init(). We have been using the
> cyrus-imapd-2.x, cyrus-sasl-1.5.x, pam_ldap, nss_ldap and OpenLDAP 2.x
> combination on 64bit Solaris8 systems for some time now without any big
> problems.
>
> Apply the patch from the top of the cyrus-sasl-1.5.24 directory, with
> the -p3 option to the patch program.
>
> --
> Rein Tollevik                   Email: rein@basefarm.no
> Senior System Administrator     Phone: +47 22 95 81 96
> Basefarm AS                     Fax:   +47 22 95 82 10
>
> Attachment: cyrus-sasl-1.5.24.patch (Plain Text, TEXT/PLAIN, BASE64)

--
Dirk Datzert
Rasselstein Hoesch GmbH
Informatik / Anwendungsentwicklung
D-56626 Andernach
Koblenzer Strasse 141
http://www.rasselstein-hoesch.de
Tel.: +49 (0) 2631 81-4595
Fax.: +49 (0) 2631 81-15-4595
mailto:Dirk.Datzert@rasselstein-hoesch.de
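The allocator mismatch Rein describes in the quoted reply can be reproduced in miniature. The following is an added example, not code from the thread, from cyrus-sasl or from OpenLDAP: two tagged allocator sets stand in for the functions installed by imapd and by libldap, a pair of library-global hooks plays the role of sasl_set_alloc(), and every block records which allocator produced it, so a free through the wrong allocator is counted instead of corrupting the heap. scenario(0) replays the unpatched sequence (server init, nested client set_alloc, server free); scenario(1) models the attached patch's one-time-only behaviour, where a set_alloc after init is rejected. All function and variable names are hypothetical.

```c
/* Added example (hypothetical names): toy model of a library whose global
 * allocator hooks are replaced by a nested library, as described for
 * cyrus-sasl 1.5.x with imapd and OpenLDAP 2.x. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*toy_malloc_t)(size_t);
typedef void (*toy_free_t)(void *);

/* Header in front of every block: which allocator set produced it.
 * A real heap has no such tag; a mismatched free there silently corrupts. */
typedef struct { long owner; } hdr_t;

static int mismatches = 0;  /* frees performed with the wrong allocator set */

static void *alloc_tagged(size_t n, long owner) {
    hdr_t *h = malloc(sizeof(hdr_t) + n);
    if (!h) return NULL;
    h->owner = owner;
    return h + 1;
}

static void free_tagged(void *p, long owner) {
    if (!p) return;
    hdr_t *h = (hdr_t *)p - 1;
    if (h->owner != owner) mismatches++;  /* would be heap corruption for real */
    free(h);
}

/* Allocator set 1: the functions "imapd" installs. */
static void *imapd_malloc(size_t n) { return alloc_tagged(n, 1); }
static void  imapd_free(void *p)    { free_tagged(p, 1); }

/* Allocator set 2: the functions "libldap" installs. */
static void *ldap_malloc(size_t n) { return alloc_tagged(n, 2); }
static void  ldap_free(void *p)    { free_tagged(p, 2); }

/* Library-global hooks, as sasl_set_alloc() sets them in the real library. */
static toy_malloc_t cur_malloc = malloc;
static toy_free_t   cur_free   = free;
static int initialised = 0;
static int guard = 0;  /* 1 = patched behaviour: set_alloc only before init */

/* Returns 0 when the hooks were installed, -1 when the guarded variant
 * refuses a call that arrives after toy_init(). */
int toy_set_alloc(toy_malloc_t m, toy_free_t f) {
    if (guard && initialised) return -1;
    cur_malloc = m;
    cur_free = f;
    return 0;
}

void toy_init(void) { initialised = 1; }

void toy_reset(int use_guard) {
    cur_malloc = malloc;
    cur_free = free;
    initialised = 0;
    guard = use_guard;
    mismatches = 0;
}

/* Replays the sequence from the thread and returns how many blocks were
 * freed with a different allocator set than the one that produced them. */
int scenario(int use_guard) {
    toy_reset(use_guard);

    /* imapd: install its allocators, initialise the library as a server,
     * allocate some server-side state. */
    toy_set_alloc(imapd_malloc, imapd_free);
    toy_init();
    char *server_buf = cur_malloc(32);
    strcpy(server_buf, "server state");

    /* PAM -> pam_ldap -> libldap: tries to install its own allocators and
     * initialise the library as a client. With the guard this call fails
     * and the imapd hooks stay in place. */
    toy_set_alloc(ldap_malloc, ldap_free);
    toy_init();
    char *client_buf = cur_malloc(16);
    strcpy(client_buf, "bind");
    cur_free(client_buf);   /* client side is consistent either way */

    /* Back in the server: free the earlier block with whatever hooks are
     * current now. Unpatched, that is the libldap set. */
    cur_free(server_buf);
    return mismatches;
}

int main(void) {
    printf("unpatched: %d mismatched free(s)\n", scenario(0));
    printf("patched:   %d mismatched free(s)\n", scenario(1));
    return 0;
}
```

Build with cc -std=c99 and run; the unpatched replay reports one mismatched free, the guarded one none. The tag check stands in for what a hardened allocator or a tool such as a heap checker would report; the production fix Rein proposes is the guard in toy_set_alloc(), and the design point he raises (a per-context allocator instead of library globals) is what removes the problem entirely.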
Author: Dirk Datzert
Mail: dirk@datzert.de
Date: 18 August 2001
This cookbook is for a SuSE 7.0 Linux system and was tested with kernel 2.2.19.
1. Download the required Source-Distributions of:
BerkeleyDB 3.2.9 http://www.sleepycat.com
Cyrus-Sasl 1.5.24 http://asg.web.cmu.edu/sasl
Sasl-ldap_search.patch http://www.surf.org.uk
OpenLDAP 2.0.11 http://www.openldap.org
Postfix 20010228 http://www.postfix.org (Patchlevel 1,2,3,4)
Cyrus-Imapd 2.0.16 http://asg.web.cmu.edu/cyrus
[Autoresponder http://freshmeat.net (search for autoresponder)]
2. Put the Source-Distributions into your SOURCE directory of your SuSE distribution (normally /usr/src/packages/SOURCES)
3. Build the BerkeleyDB-RPM first and install it (db-3.2.9 only):
cd /usr/src/packages/SPECS
rpm -ba db.spec
cd /usr/src/packages/RPMS/i386
rpm -ivh --force db-3.2.9.i386.rpm (remember that your libdb.a and libdb.so files will be changed!)
4. Build the Cyrus-Sasl-RPM first without LDAP-Support:
cd /usr/src/packages/SPECS
rpm -ba cyrus-sasl.spec
cd /usr/src/packages/RPMS/i386
rpm -ivh cyrus-sasl-1.5.24-x.i386.rpm
5. Build the OpenLDAP-RPM next and install it:
cd /usr/src/packages/SPECS
rpm -ba openldap2.spec
cd /usr/src/packages/RPMS/i386
rpm -ivh openldap2-client-2.0.11-x.i386.rpm
rpm -ivh openldap2-2.0.11-x.i386.rpm
rpm -ivh openldap2-devel-2.0.11-x.i386.rpm
6. Rebuild the Cyrus-Sasl-RPM now with LDAP-Support:
cd /usr/src/packages/SPECS
rpm -ba cyrus-sasl.spec
cd /usr/src/packages/RPMS/i386
rpm -ivh --force cyrus-sasl-1.5.24-x.i386.rpm
7. Build the Postfix-RPM next and install it:
cd /usr/src/packages/SPECS
edit postfix.spec line 12 and set patchlevel to:
%define patchlevel pl01 or
%define patchlevel pl02 (according to the patchlevel of your source)
rpm -ba postfix.spec
cd /usr/src/packages/RPMS/i386
rpm -ivh postfix-20010228-x.i386.rpm or
rpm -Uvh postfix-20010228-x.i386.rpm (to upgrade a previously installed version)
7.1 Test the standard function of Postfix:
myhostname = {your-hostname.your-domain.your-tld}
mydomain = {your-domain.your-tld}
8. Build the Cyrus-Imapd-RPM:
cd /usr/src/packages/SPECS
rpm -ba cyrus-imapd.spec
cd /usr/src/packages/RPMS/i386
rpm -ivh cyrus-imapd-2.0.12-x.i386.rpm
9. Install the xautoresponder and xcyrus into the /usr/bin/ directory (only if you want to use these tools!)
mkdir /var/imap/vacationdb
chown cyrus.mail /var/imap/vacationdb
10. Edit LDAPVERS for LDAP Version in file /usr/bin/xcyrus:
LDAPVERS = "openldap" for use with OpenLDAP 1.2.11
LDAPVERS = "openldap2" for use with OpenLDAP 2.0.11
11. Install the main.cf and master.cf into /etc/postfix/ directory
12. Edit the main.cf as follows:
myhostname = {your-hostname.your-domain.your-tld}
mydomain = {your-domain.your-tld}
mailbox_transport = xcyrus or cyrus or lmtp:... (choose your favorite transport type !)
see Troubleshooting (step 22) if you use lmtp:...
virtual_maps = ldap:virtual or remove this directive if you have no virtual-support via ldap
virtual_search_base = {your-ldap-search-base} (only for virtual-support via ldap)
biff = no
13. Edit the /etc/syslog.conf as follows:
local6.debug -/var/log/imapd.log
auth.debug -/var/log/auth.log
mail.* -/var/log/mail
and restart syslogd
rcsyslog restart
14. Edit the /etc/imapd.conf as follows (a pwcheck method verifies a plaintext password, so only the PLAIN and LOGIN mechanisms work with it; protect those logins with TLS):
sasl_pwcheck_method: ldap
sasl_ldap_basedn: {your-ldap-search-base}
sasl_ldap_filter: ({your-ldap-search-filter})
15. Run SuSEconfig:
/sbin/SuSEconfig
16. Start Cyrus-Imapd:
rccyrus start
17. Start Cyrus-Administration and create first IMAP/POP users:
cyradm
connect localhost
cm user.{your-username1}
cm user.{your-username2}
quit
18. Start Postfix:
rcpostfix start
19. Test with a simple mail:
mail {user} < /etc/issue
20. Watch the logfiles for errors
21. If everything works fine you can activate the autostart feature in /etc/rc.config:
START_POSTFIX=yes
START_CYRUS=yes
22. Troubleshooting:
- if you use lmtp:unix:/var/imap/socket/lmtp and get a "connection refused" error,
check that /var/imap is world-executable (traversable) for the delivery process:
ls -l /var | grep imap
should output:
drwxr-x--x cyrus mail imap
if the execute bit for "other" is missing, set it (only the x bit; do not make /var/imap world-readable or world-writable):
chmod o+x /var/imap
- if your LDAP data was migrated from Netscape Directory Server, check the following
patch for /etc/openldap/schema/core.schema:
########################################################
--- core.schema.default Sat Aug 18 23:42:23 2001
+++ core.schema Sat Aug 18 23:46:25 2001
@@ -423,8 +423,8 @@
cACertificate ) MAY crossCertificatePair )
objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL
- MUST ( uniqueMember $ cn )
- MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+ MUST ( cn )
+ MAY ( uniqueMember $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectclass ( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY
MAY ( supportedAlgorithms ) )
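Review bot: moving uniqueMember from MUST to MAY in the groupOfUniqueNames definition (the two - and + lines) lets a group exist with no members, which deviates from the standard definition shipped in core.schema; since that file belongs to the OpenLDAP package, the edit will be lost on the next upgrade, so note in the cookbook that it has to be re-applied or kept in a separate schema file. Also, the header @@ -423,8 +423,8 @@ counts eight lines per side but only six are visible here, so confirm that blank lines were not stripped before applying the patch.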
########################################################
and set the configuration in /etc/openldap/slapd.conf:
########################################################
--- slapd.conf.default Sat Aug 18 23:42:23 2001
+++ slapd.conf Sun Aug 19 12:29:14 2001
@@ -4,6 +4,10 @@
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/netscape.schema
# Define global ACLs to disable default read access.
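Review bot: the added include of /etc/openldap/schema/netscape.schema refers to a file that is not among the downloads in step 1, and slapd will refuse to start when an included schema file is missing, so state where that file comes from. The order of the other three added includes is correct: cosine.schema is included before inetorgperson.schema and nis.schema, which depend on it.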
########################################################
Attachment: smime.p7s (Description: Cryptographic signature with S/MIME)