adam+oldap@p3mammoth.com wrote:
I've installed openldap-2.0.27-8, courier-imap-1.7.3-1.9
and courier-imap-ldap-1.7.3-1.9 on RedHat 9.
First I configured slapd.conf. I've successfully got my system
authenticated (with PAM) through my LDAP server. However, when I
tried to get Courier-imap to auth through the server, nothing I did
seems to work.
Before reading further, let me tell you what is happening. I start
slapd as below so I can watch whats happening.
slapd -d 1 -h "ldap:// ldaps://"
When I start courier-imap (service courier-imap start) I can see it
talking to the ldap server. I can see it binding too.
====> cache_return_entry_r( 2 ): created (0)
do_bind: v3 bind: "cn=Manager,dc=Kittredge,dc=com" to
"cn=Manager,dc=Kittredge,dc=com"
I've configured pine (same machine) for a user who I've already
confirmed can log in to the machine via ldap authentication. When I
run pine, I get the self-signed cert warning (which is fine), and I
see more activity in the slapd trace, though it doesn't seem to find
the user (my interpretation). My theory is that authldap is not
sending the proper information to retrieve the correct record. All I
can make out is it binding again. Another problem I have is really
confirming that courier is really totally using my authldaprc. Even
when I added 'LDAP_FILTER (objectClass=posixAccount)', there is no
indication in the slapd trace that it is trying to use that filter.
Is it possible that it is using my /etc/openldap/ldap.conf or some
other file?
I'm not exactly sure what LDAP_MAIL should be set to. The default is
mail, and I do have that attribute set in the users ldap record. I'm
not sure if LDAP_MAIL is what is used for the ldap search or not.
I've also tried uid as the value.
Here's some pertinent info.
==>/usr/lib/courier-imap/etc/imapd
AUTHMODULES="authdaemon"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN"
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAPDSTART=YES
==>/usr/lib/courier-imap/etc/authdaemondrc
authmodulelist="authldap"
==>/usr/lib/courier-imap/etc/authldaprc
LDAP_SERVER kittredge.cnation.com
LDAP_PORT 389
LDAP_BASEDN dc=Kittredge, c=com
LDAP_BINDDN cn=Manager,dc=Kittredge, c=com
LDAP_BINDPW secret
LDAP_MAIL mail
LDAP_DOMAIN kittredge.com
LDAP_HOMEDIR homeDirectory
LDAP_MAILDIR mailDir
LDAP_DEFAULTDELIVERY defaultDelivery
LDAP_FULLNAME cn
#LDAP_CLEARPW clearPassword
LDAP_CRYPTPW userPassword
LDAP_UID uidNumber
LDAP_GID gidNumber
LDAP_TLS 1
==>/etc/openldap/slapd.conf
TLSVerifyClient never
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
database ldbm
suffix "dc=Kittredge,dc=com"
suffix "o=Kittredge Sports,c=US"
rootdn "cn=Manager,dc=Kittredge,dc=com"
rootpw secret
==>/etc/openldap/ldap.conf
HOST kittredge.cnation.com
BASE dc=Kittredge,dc=com
binddn cn=Manager,dc=Kittredge,dc=com
bindpw secret
port 636
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_crypt local
ssl yes
Keep in mind I've verified the ldap server is working and responding
by getting server authentication working through ldap as well as
doing ldapsearches from other machines (via ldaps) successfully.
The traces are quite long, so I've saved them to a file and posted
them to my website if you're interested. The first one is what is spit
out by slapd right after I start courier-imap. The second one is
what is spit out by slapd right after I run pine as a valid user on
the same machine as pine displays the self-signed certificate warning.
http://adam.ninth.org/starttrace.txt
http://adam.ninth.org/logintrace.txt
I've been banging my head against this for over 8 hours; I'd really
appreciate any help I can get.
Thanks,
Adam
http://adam.ninth.org
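A quick consistency check of the posted files, added here for this thread (it is not from Adam's mail or from Courier): it parses authldaprc and slapd.conf in the form shown above, normalizes the DNs and reports any LDAP_BASEDN or LDAP_BINDDN that no configured slapd suffix can serve. The sample text is a constructed copy of the values in the post.

```python
import re

# Constructed copies of the relevant settings from the two files in the post.
AUTHLDAPRC = """\
LDAP_BASEDN dc=Kittredge, c=com
LDAP_BINDDN cn=Manager,dc=Kittredge, c=com
LDAP_MAIL mail
"""
SLAPD_CONF = """\
suffix "dc=Kittredge,dc=com"
suffix "o=Kittredge Sports,c=US"
rootdn "cn=Manager,dc=Kittredge,dc=com"
"""

def parse_kv(text):
    """Parse 'KEY value' lines (authldaprc / slapd.conf style); repeated keys collect into a list."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        out.setdefault(parts[0], []).append(value)
    return out

def normalize_dn(dn):
    """Split a DN into RDNs at unescaped commas, drop the whitespace after the separator
    and case-fold. Folding the whole RDN is a simplification, but dc, cn and o all use
    caseIgnore matching, so it is exact for the DNs in this thread."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def is_under(dn, suffix):
    """True if dn equals suffix or is subordinate to it (RDN lists compared from the right)."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def check_authldaprc(authldaprc, slapd_conf):
    """Return one finding per DN in authldaprc that no configured slapd suffix can serve."""
    auth, slapd = parse_kv(authldaprc), parse_kv(slapd_conf)
    suffixes = slapd.get("suffix", [])
    findings = []
    for key in ("LDAP_BASEDN", "LDAP_BINDDN"):
        for dn in auth.get(key, []):
            if not any(is_under(dn, s) for s in suffixes):
                findings.append(f"{key} {dn!r} is not under any slapd suffix {suffixes}")
    return findings

if __name__ == "__main__":
    for finding in check_authldaprc(AUTHLDAPRC, SLAPD_CONF):
        print(finding)
```

A search whose base lies outside every suffix slapd serves is answered with noSuchObject rather than an entry, which looks in a trace exactly like "it doesn't find the user".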
Hi Adam,
I feel your pain <grin>. I am in the process of testing this new
setup for my production email system (Sendmail/Courier-IMAP/LDAP). It
was a handful. The hardest part was ruling out which process is operating
correctly and which is mis/unconfigured. In regards to your situation,
the clue is that PAM-LDAP is authenticating. Also the Courier-IMAP daemon
seems to bind to LDAP. I'm not sure LDAP is the problem. Courier-IMAP uses
the Maildir format (mail directories instead of the single-file mbox format)
for the users' email. If that directory structure is unavailable, the
IMAP/POP3 connection will shut down immediately while trying to authenticate.
There is a utility for creating user Maildirs called '/usr/bin/maildirmake'.
I would also use telnet to the IMAP/POP3 servers to test the connection rather
than Pine. POP3 commands are easier to test from a terminal session. Also,
I think OpenLDAP debug level 256 (connections/operations/results) will give
you a nice search base to use in ldapsearch to test your LDAP authentication
queries. I also found OpenLDAP 2.17+ much tighter than the OpenLDAP 2.0x rpm
packages. Good luck!
Hope this helps,
Ken
BTW: This is what I mean by telnet to the Courier POP3 daemon (replace
localhost with your domainname if needed). You should be able to
test/retrieve your email this way.
telnet localhost 110 [Client]
+OK [Server]
USER login [C]
+OK ..[S]
PASS yourpasswd [C]
+OK ...[S]
LIST [C]
...
QUIT [C]
--
_________________________________
Ken Sorensen <ken@e-sorensen.com>
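To rule out the Maildir cause Ken describes before digging further into LDAP, an added check (not from the thread or from Courier) that combines the values authldap reads from LDAP_HOMEDIR and LDAP_MAILDIR (assumed here: a relative maildir is joined to the home directory) and reports what Courier would trip over after a successful authentication; demo() runs it against a constructed temporary home, before and after creating the layout that maildirmake produces.

```python
import os
import stat
import tempfile

def resolve_maildir(home, maildir):
    """Combine the LDAP_HOMEDIR and LDAP_MAILDIR attribute values.
    Assumption: a relative maildir is taken relative to the home directory."""
    return maildir if os.path.isabs(maildir) else os.path.join(home, maildir)

def check_maildir(home, maildir="Maildir"):
    """Return the problems that would make Courier drop the session right after auth."""
    path = resolve_maildir(home, maildir)
    problems = []
    if not os.path.isdir(home):
        return [f"home directory {home} does not exist"]
    if not os.path.isdir(path):
        return [f"maildir {path} does not exist (create it with maildirmake)"]
    for sub in ("cur", "new", "tmp"):
        if not os.path.isdir(os.path.join(path, sub)):
            problems.append(f"{path} lacks required subdirectory {sub}/")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"{path} is group/world accessible (mode {mode:04o}); expected 0700")
    return problems

def make_maildir(path):
    """Create the cur/new/tmp layout with mode 0700, as maildirmake does (own rewrite, not Courier's code)."""
    for full in [path] + [os.path.join(path, sub) for sub in ("cur", "new", "tmp")]:
        os.makedirs(full, exist_ok=True)
        os.chmod(full, 0o700)

def demo():
    """Constructed scenario: a home directory without a Maildir, then the same home fixed."""
    with tempfile.TemporaryDirectory() as home:
        before = check_maildir(home, "Maildir")
        make_maildir(os.path.join(home, "Maildir"))
        after = check_maildir(home, "Maildir")
        return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```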