Hello David,

have you thought about another solution: OpenLDAP 2.0, Cyrus-IMAP 2.0.16 and Cyrus-SASL 1.5.24 (with ldap-search.patch from http://www.surf.org.uk)? I have attached our cookbook for this solution.

Regards,
Dirk

Rein Tollevik wrote:
> On Mon, 6 Aug 2001, David Wright wrote:
>
> > I and quite a few other users of the cyrus-imapd system have found a
> > problem which occurs exclusively when we authenticate using the PAM
> > module pam_ldap linked against the OpenLDAP 2.0.x libraries. I am
> > writing to ask whether this bug and any potential solutions are known to
> > the wider OpenLDAP and pam_ldap communities.
> >
> > The basic problem is that, with the authentication scheme mentioned,
> > imapd segfaults when pam_ldap returns success. Like anyone presented
> > with this problem, I initially presumed the problem lay with cyrus-imapd
> > (or with the cyrus-sasl library it uses). More careful investigation
> > tends to cast suspicion elsewhere:
>
> I'm quite sure this problem is within the cyrus-sasl 1.5.x library,
> and is, as was mentioned by somebody else on the OpenLDAP list, related
> to the memory allocations done within the cyrus-sasl library.
>
> When cyrus-imapd starts, it sets the memory allocation functions for the
> sasl library using sasl_set_alloc(), calls sasl_server_init() and starts
> using the library functions. When the sasl library is configured to
> use pam, which again uses pam_ldap, the OpenLDAP 2.x library is loaded.
> This library also calls sasl_set_alloc(), followed by sasl_client_init().
> Now the sasl library behaves as a client (from within the ldap library),
> memory is (de)allocated using the memory management functions installed by
> the OpenLDAP library, and everything still works as it should.
>
> The problem arises when pam_ldap returns to the sasl library, now acting
> as a server again. It deallocates the memory it previously allocated
> (which was done with the functions installed by imapd), but this is now
> done with the incompatible functions installed by the OpenLDAP library,
> and havoc breaks loose.
>
> A real fix would involve a redesign of the sasl library. At least it
> should have separate sets of server- and client global variables, or
> preferably, store everything it needs in a context created by the
> sasl_*_init() functions. No, I haven't looked at the 2.x version
> of the library, so I don't know if something like this is what we might
> expect there. And no, I won't disagree with anyone stating that calls
> to sasl_set_alloc() are best left to the application and should not be
> done by libraries.
>
> In the meantime, you may try the patch to the sasl 1.5.24 library I have
> attached. In effect, it makes sasl_set_alloc() a one-time-only function
> that must be called before sasl_*_init(). We have been using the
> cyrus-imapd-2.x, cyrus-sasl-1.5.x, pam_ldap, nss_ldap and OpenLDAP 2.x
> combination on 64bit Solaris8 systems for some time now without any big
> problems.
>
> Apply the patch from the top of the cyrus-sasl-1.5.24 directory, with
> the -p3 option to the patch program.
>
> --
> Rein Tollevik                 Email: rein@basefarm.no
> Senior System Administrator   Phone: +47 22 95 81 96
> Basefarm AS                   Fax:   +47 22 95 82 10
>
> ------------------------------------------------------------------------
>                          Name: cyrus-sasl-1.5.24.patch
>    cyrus-sasl-1.5.24.patch    Type: Plain Text (TEXT/PLAIN)
>                          Encoding: BASE64

--
Dirk Datzert
Rasselstein Hoesch GmbH
Informatik / Anwendungsentwicklung
D-56626 Andernach
Koblenzer Strasse 141
http://www.rasselstein-hoesch.de
Tel.: +49 (0) 2631 81-4595
Fax.: +49 (0) 2631 81-15-4595
mailto:Dirk.Datzert@rasselstein-hoesch.de
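The allocator swap Rein describes above, as an added example that is not code from this thread, from cyrus-sasl or from OpenLDAP: a small C simulation of the libsasl 1.5.x design with one global pair of alloc/free hooks shared by the server and client side. The two simulated allocators stamp a magic tag into a block header, so a block handed to the other side's free function is counted instead of corrupting the heap the way the real imapd/libldap mix did. The function names (set_alloc_original, set_alloc_patched, replay_auth_sequence), the header layout and the one-shot semantics of the patched setter are assumptions modelled on the description in the message, not on the actual patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);
typedef void (*free_fn)(void *);
typedef int (*set_alloc_fn)(alloc_fn, free_fn);

/* One global hook set shared by server and client side, as in libsasl 1.5.x. */
static alloc_fn g_alloc;
static free_fn g_free;
static int g_initialized;      /* set by the simulated sasl_*_init() */
static int g_mismatched_frees; /* blocks handed to the wrong free function */

/* Both simulated allocators (assumption, not the real ones) put a 16-byte
   header in front of each block and stamp it with their own magic, so a
   mismatch is detectable instead of being undefined behaviour. */
enum { HDR = 16 };
#define APP_MAGIC 0x494D4150u /* "IMAP": hooks installed by the application */
#define LIB_MAGIC 0x4C444150u /* "LDAP": hooks installed by the LDAP library */

static void *tagged_alloc(size_t n, uint32_t magic) {
    uint8_t *base = malloc(HDR + n);
    if (base == NULL) return NULL;
    memcpy(base, &magic, sizeof magic);
    return base + HDR;
}

static void tagged_free(void *p, uint32_t expected) {
    uint8_t *base;
    uint32_t magic;
    if (p == NULL) return;
    base = (uint8_t *)p - HDR;
    memcpy(&magic, base, sizeof magic);
    if (magic != expected) {
        /* In the real library this is the wrong free() for the block and
           corrupts the heap; here it is only counted (and the block leaked). */
        g_mismatched_frees++;
        return;
    }
    free(base);
}

static void *app_alloc(size_t n) { return tagged_alloc(n, APP_MAGIC); }
static void app_free(void *p) { tagged_free(p, APP_MAGIC); }
static void *lib_alloc(size_t n) { return tagged_alloc(n, LIB_MAGIC); }
static void lib_free(void *p) { tagged_free(p, LIB_MAGIC); }

/* sasl_set_alloc() as in 1.5.24: any caller may replace the hooks at any time. */
static int set_alloc_original(alloc_fn a, free_fn f) {
    g_alloc = a;
    g_free = f;
    return 0;
}

/* sasl_set_alloc() as the described patch makes it: one-time only and only
   before init; later calls are rejected and leave the hooks unchanged. */
static int set_alloc_patched(alloc_fn a, free_fn f) {
    if (g_initialized || g_alloc != NULL) return -1;
    g_alloc = a;
    g_free = f;
    return 0;
}

/* Replays the call sequence from the thread and returns how many blocks were
   released through the wrong allocator (0 means the heap stayed consistent). */
static int replay_auth_sequence(set_alloc_fn set_alloc) {
    void *server_buf;
    void *client_buf;
    g_alloc = NULL; g_free = NULL; g_initialized = 0; g_mismatched_frees = 0;

    set_alloc(app_alloc, app_free);   /* imapd: sasl_set_alloc()   */
    g_initialized = 1;                /* imapd: sasl_server_init() */
    server_buf = g_alloc(64);         /* server side allocates during auth */

    /* pam -> pam_ldap -> libldap: the LDAP library installs its own hooks
       (sasl_set_alloc()) and calls sasl_client_init(). */
    set_alloc(lib_alloc, lib_free);
    client_buf = g_alloc(32);         /* client side, inside the LDAP library */
    g_free(client_buf);               /* freed by the same side: fine either way */

    /* pam_ldap returns success; the server side now frees memory it obtained
       before the hooks were swapped. */
    g_free(server_buf);
    return g_mismatched_frees;
}

int main(void) {
    printf("unpatched sasl_set_alloc: %d mismatched free(s)\n",
           replay_auth_sequence(set_alloc_original));
    printf("one-shot sasl_set_alloc:  %d mismatched free(s)\n",
           replay_auth_sequence(set_alloc_patched));
    return 0;
}
```

With the original setter the server-side block is released through the LDAP library's free and counted as a mismatch; with the one-shot setter the LDAP library's call is rejected, both sides keep using the application's hooks, and no block crosses allocators. The simulation does not cover Rein's preferred fix (per-context state from sasl_*_init()), which would remove the shared global hooks altogether.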
Author: Dirk Datzert
Mail: dirk@datzert.de
Date: 18 August 2001

This cookbook is for a SuSE 7.0 Linux system and was tested with kernel 2.2.19.

1. Download the required source distributions of:

   BerkeleyDB 3.2.9              http://www.sleepycat.com
   Cyrus-Sasl 1.5.24             http://asg.web.cmu.edu/sasl
   Sasl-ldap_search.patch        http://www.surf.org.uk
   OpenLDAP 2.0.11               http://www.openldap.org
   Postfix 20010228              http://www.postfix.org (Patchlevel 1,2,3,4)
   Cyrus-Imapd 2.0.16            http://asg.web.cmu.edu/cyrus
   [Autoresponder                http://freshmeat.net (search for autoresponder)]

2. Put the source distributions into the SOURCES directory of your SuSE distribution (normally /usr/src/packages/SOURCES).

3. Build the BerkeleyDB RPM first and install it (db-3.2.9 only):

   cd /usr/src/packages/SPECS
   rpm -ba db.spec
   cd /usr/src/packages/RPMS/i386
   rpm -ivh --force db-3.2.9.i386.rpm

   (remember that your libdb.a and libdb.so files will be replaced!)

4. Build the Cyrus-Sasl RPM first without LDAP support:

   cd /usr/src/packages/SPECS
   rpm -ba cyrus-sasl.spec
   cd /usr/src/packages/RPMS/i386
   rpm -ivh cyrus-sasl-1.5.24-x.i386.rpm

5. Build the OpenLDAP RPM next and install it:

   cd /usr/src/packages/SPECS
   rpm -ba openldap2.spec
   cd /usr/src/packages/RPMS/i386
   rpm -ivh openldap2-client-2.0.11-x.i386.rpm
   rpm -ivh openldap2-2.0.11-x.i386.rpm
   rpm -ivh openldap2-devel-2.0.11-x.i386.rpm

6. Rebuild the Cyrus-Sasl RPM now with LDAP support:

   cd /usr/src/packages/SPECS
   rpm -ba cyrus-sasl.spec
   cd /usr/src/packages/RPMS/i386
   rpm -ivh --force cyrus-sasl-1.5.24-x.i386.rpm

7. Build the Postfix RPM next and install it:

   cd /usr/src/packages/SPECS

   Edit postfix.spec line 12 and set the patchlevel to:

   %define patchlevel pl01
   or
   %define patchlevel pl02

   (according to the patchlevel of your source)

   rpm -ba postfix.spec
   cd /usr/src/packages/RPMS/i386
   rpm -ivh postfix-20010228-x.i386.rpm
   or
   rpm -Uvh postfix-20010228-x.i386.rpm   (to upgrade a previously installed version)

7.1 Test the standard function of Postfix:

   myhostname = {your-hostname.your-domain.your-tld}
   mydomain = {your-domain.your-tld}

8. Build the Cyrus-Imapd RPM:

   cd /usr/src/packages/SPECS
   rpm -ba cyrus-imapd.spec
   cd /usr/src/packages/RPMS/i386
   rpm -ivh cyrus-imapd-2.0.12-x.i386.rpm

9. Install xautoresponder and xcyrus into the /usr/bin/ directory (only if you want to use these tools!):

   mkdir /var/imap/vacationdb
   chown cyrus.mail /var/imap/vacationdb

10. Edit LDAPVERS for the LDAP version in the file /usr/bin/xcyrus:

   LDAPVERS = "openldap"    for use with OpenLDAP 1.2.11
   LDAPVERS = "openldap2"   for use with OpenLDAP 2.0.11

11. Install main.cf and master.cf into the /etc/postfix/ directory.

12. Edit main.cf as follows:

   myhostname = {your-hostname.your-domain.your-tld}
   mydomain = {your-domain.your-tld}
   mailbox_transport = xcyrus or cyrus or lmtp:...   (choose your favourite transport type!)
                                                     see troubleshooting if you use lmtp:... !
   virtual_maps = ldap:virtual                       or remove this directive if you have no virtual support via LDAP
   virtual_search_base = {your-ldap-search-base}     (only for virtual support via LDAP)
   biff = no

13. Edit /etc/syslog.conf as follows:

   local6.debug   -/var/log/imapd.log
   auth.debug     -/var/log/auth.log
   mail.*         -/var/log/mail

   and restart syslogd:

   rcsyslog restart

14. Edit /etc/imapd.conf as follows:

   sasl_pwcheck_method: ldap
   sasl_ldap_basedn: {your-ldap-search-base}
   sasl_ldap_filter: ({your-ldap-search-filter})

15. Run SuSEconfig:

   /sbin/SuSEconfig

16. Start Cyrus-Imapd:

   rccyrus start

17. Start Cyrus administration and create the first IMAP/POP users:

   cyradm connect localhost
   cm user.{your-username1}
   cm user.{your-username2}
   quit

18. Start Postfix:

   rcpostfix start

19. Test with a simple mail:

   mail {user} < /etc/issue

20. Watch the logfiles for errors.

21. If everything works fine you can activate the autostart feature in /etc/rc.config:

   START_POSTFIX=yes
   START_CYRUS=yes

22. Troubleshooting:

   - If you use lmtp:unix:/var/imap/socket/lmtp and you get a "connection refused" error, check the world-executable bit on the directory:

     ls -l /var | grep imap

     should output:

     drwxr-x--x   cyrus    mail    imap

     If there is no x bit for the world, set it:

     chmod o+x /var/imap

   - If your LDAP data was migrated from Netscape Directory Server, check the following patch for /etc/openldap/schema/core.schema:

########################################################
--- core.schema.default Sat Aug 18 23:42:23 2001 +++ core.schema Sat Aug 18 23:46:25 2001 @@ -423,8 +423,8 @@ cACertificate ) MAY crossCertificatePair ) objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL - MUST ( uniqueMember $ cn ) - MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) + MUST ( cn ) + MAY ( uniqueMember $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) objectclass ( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY MAY ( supportedAlgorithms ) )
########################################################

     and set the configuration in /etc/openldap/slapd.conf:

########################################################
--- slapd.conf.default Sat Aug 18 23:42:23 2001 +++ slapd.conf Sun Aug 19 12:29:14 2001
@@ -4,6 +4,10 @@ # This file should NOT be world readable. # include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/netscape.schema # Define global ACLs to disable default read access. ########################################################
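Review bot: the core.schema hunk moves uniqueMember from MUST to MAY in the packaged definition of groupOfUniqueNames (OID 2.5.6.17), which is a standard object class; editing the file OpenLDAP ships means the next package upgrade silently reverts the change and the migrated groups are rejected again, and in the meantime the directory accepts member-less groups that other consumers of the standard schema will not. Suggest fixing the exported Netscape data before import (drop or populate groups without a uniqueMember) or, if the relaxation has to stay, keeping the modified definition in a locally maintained copy of core.schema that slapd.conf includes in place of the packaged file, with a comment saying why.

Review bot: the slapd.conf hunk adds "include /etc/openldap/schema/netscape.schema", but netscape.schema is not in the download list of step 1 and is not referenced anywhere else in the cookbook, and slapd will refuse to start if the included file does not exist. Say where the file comes from (or add it to step 1), and keep the include order as shown, since inetorgperson.schema depends on attribute types defined in cosine.schema. The retained context line "This file should NOT be world readable" is worth acting on as well: slapd.conf holds the rootpw, so check its mode after editing.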
Attachment: smime.p7s
Description: Cryptographic signature with S/MIME