Re: 2.1.23 w/ StartTLS not authenticating Courier-IMAP
Hello, Tony. Thanks for this. I had also begun to suspect the problem was not entirely
with openldap, since I also did not see any obvious errors. After ruling out openldap, I
focused on the courier-imap configs, and after some trial and error, I figured out the
problem.
FYI, it turns out the "LDAP_MAIL" setting in the authldaprc file for Courier-IMAP's
authdaemond program needs to be set to the effective username of the LDAP entry, *not* the
FQDN email address, as I'd thought (so just 'adamtheo' instead of
'adamtheo@new.theoretic.com'). Since the default value for this setting was the LDAP
'mail' attribute, and I had my 'mail' attribute set to the FQDN email addy for the entry,
Courier-IMAP was rejecting all connections to this user. I decided to keep the LDAP
attribute of 'mail' as the FQDN email addy since this is what I've seen it used in all
LDAP docs, and changed the LDAP_MAIL setting of authldaprc to 'uid', instead.
It works now. Thanks anyway. At least this assured me the problem was not with openldap,
and forced me to mess around with Courier-IMAP.
On Fri, Jan 02, 2004 at 01:58:27PM +0100, Tony Earnshaw wrote:
> Fri, 02.01.2004 at 12.47, Adam wrote:
>
> > I'll compare your debug and setup to mine tonight, but to let you know of a couple of
> > things:
> >
> > Postfix is working fine. I can receive emails and they are deposited in each user's
> > Maildir as intended. Postfix also uses the LDAP directory over tcp/389 (I believe even
> > StartTLS, although it could be unencrypted right now).
> >
> > Here are my debug logs re-done in level 256 upon an attempted connection under the same
> > circumstances as before (Warning, there's a whole bunch):
>
> Looks o.k. to me. You get a bunch of nentries=1:
>
> > Jan 2 11:41:43 new slapd[5967]: conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> which means that the record's being found by the search filter. And the
> results look like mine - you're also using Posix account users.
>
> Looks like a Courier thing from now on. I'll just give you the following
> lines from my /usr/lib/courier-imap/etc/authldaprc, then you'll have to
> take it to the Courier list if this doesn't work:
> ________________________________________________________________________
>
> ##NAME: LDAP_BINDDN:0
> #
> # You may or may not need to specify the following. Because you've got
> # a password here, authldaprc should not be world-readable!!!
>
> LDAP_BINDDN cn=admin,dc=billy,dc=demon,dc=nl
> LDAP_BINDPW adminpassword
> _________________________________________________________________________
>
> admin is my proxy user (f.ex. the one I use for rootbinddn in
> /etc/ldap.conf, with password in ldap.secret) and has read/write
> permission for the whole DIT, where mortal users do not.
>
> Perms on authldaprc are 600, owner root:root.
>
> --Tonni
>
> --
> mail: billy - at - billy.demon.nl
> http://www.billy.demon.nl
>
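Added example, not code from this thread or from Courier-IMAP: a small Python model of the lookup authdaemond performs with the login name and the attribute named by LDAP_MAIL, showing why 'adamtheo' is rejected when LDAP_MAIL is 'mail' (the entry's mail holds the full address) and found when it is 'uid'. The directory entry, the parser and the equality-filter shape are constructed assumptions.

```python
# Added example (not from the thread or from Courier-IMAP): a model of the
# lookup authdaemond does with the login name and the LDAP_MAIL attribute.
# The filter shape and the directory entry are constructed assumptions.
import re
from typing import Dict, List, Optional

# Constructed entry, modelled on the one in the thread: the login name lives
# in 'uid', while 'mail' holds the full address.
DIRECTORY: List[Dict[str, List[str]]] = [
    {
        "dn": ["uid=adamtheo,ou=People,dc=example,dc=com"],
        "uid": ["adamtheo"],
        "mail": ["adamtheo@new.theoretic.com"],
    },
]

def parse_authldaprc(text: str) -> Dict[str, str]:
    """Parse 'KEY value' lines of authldaprc, skipping comments and blanks."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

def login_filter(settings: Dict[str, str], login: str) -> str:
    """Equality filter for the login, e.g. '(uid=adamtheo)', as you would
    pass to ldapsearch to check a setting by hand. 'mail' is the shipped
    default for LDAP_MAIL. Filter metacharacters in the login are escaped
    (RFC 4515) so client input cannot widen the search."""
    attr = settings.get("LDAP_MAIL", "mail")
    escaped = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), login)
    return f"({attr}={escaped})"

def lookup(settings: Dict[str, str], login: str) -> Optional[str]:
    """Return the DN whose LDAP_MAIL attribute equals the login (case-
    insensitive, like LDAP's caseIgnore matching), or None: authdaemond
    then rejects the connection before any password check."""
    attr = settings.get("LDAP_MAIL", "mail")
    for entry in DIRECTORY:
        if login.lower() in (v.lower() for v in entry.get(attr, [])):
            return entry["dn"][0]
    return None
```

With LDAP_MAIL left at 'mail', only a login typed as the full address would resolve; the same check run with 'uid' resolves the short name the mail client actually sends.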