
RE: Courier-IMAP -> OpenLDAP authentication problems



Courier uses version 2. Try adding allow bind_v2 to your slapd.conf and see
if that works. You did note that as being set in your slapd.conf.

Hope this helps. If it does post back so others can see the solution.

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
adam+oldap@p3mammoth.com
Sent: Monday, May 19, 2003 3:11 AM
To: openldap-software@OpenLDAP.org
Subject: Courier-IMAP -> OpenLDAP authentication problems


I've installed openldap-2.0.27-8, courier-imap-1.7.3-1.9
  and courier-imap-ldap-1.7.3-1.9 on RedHat 9.

First I configured slapd.conf.  I've successfully got my system
authenticated (with PAM) through my LDAP server.  However, when I
tried to get Courier-imap to auth through the server, nothing I did
seemed to work.

Before reading further, let me tell you what is happening.  I start
slapd as below so I can watch what's happening.

slapd -d 1 -h "ldap:// ldaps://"

When I start courier-imap (service courier-imap start) I can see it
talking to the ldap server.  I can see it binding too.

====> cache_return_entry_r( 2 ): created (0)
do_bind: v3 bind: "cn=Manager,dc=Kittredge,dc=com" to
"cn=Manager,dc=Kittredge,dc=com"

I've configured pine (same machine) for a user who I've already
confirmed can log in to the machine via ldap authentication.  When I
run pine, I get the self-signed cert warning (which is fine), and I
see more activity in the slapd trace, though it doesn't seem to find
the user (my interpretation).  My theory is that authldap is not
sending the proper information to retrieve the correct record.  All I
can make out is it binding again.  Another problem I have is really
confirming that courier is really totally using my authldaprc.  Even
when I added 'LDAP_FILTER (objectClass=posixAccount)', there is no
indication in the slapd trace that it is trying to use that filter.
Is it possible that it is using my /etc/openldap/ldap.conf or some
other file?

I'm not exactly sure what LDAP_MAIL should be set to.  The default is
mail, and I do have that attribute set in the user's ldap record.  I'm
not sure if LDAP_MAIL is what is used for the ldap search or not.
I've also tried uid as the value.


Here's some pertinent info.

==>/usr/lib/courier-imap/etc/imapd

AUTHMODULES="authdaemon"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN"
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAPDSTART=YES


==>/usr/lib/courier-imap/etc/authdaemondrc

authmodulelist="authldap"

==>/usr/lib/courier-imap/etc/authldaprc
LDAP_SERVER             kittredge.cnation.com
LDAP_PORT               389

LDAP_BASEDN             dc=Kittredge, c=com
LDAP_BINDDN             cn=Manager,dc=Kittredge, c=com
LDAP_BINDPW             secret
LDAP_MAIL               mail
LDAP_DOMAIN             kittredge.com
LDAP_HOMEDIR            homeDirectory
LDAP_MAILDIR            mailDir
LDAP_DEFAULTDELIVERY    defaultDelivery
LDAP_FULLNAME           cn
#LDAP_CLEARPW           clearPassword
LDAP_CRYPTPW            userPassword
LDAP_UID                uidNumber
LDAP_GID                gidNumber
LDAP_TLS                1


==>/etc/openldap/slapd.conf
TLSVerifyClient never
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
database        ldbm
suffix          "dc=Kittredge,dc=com"
suffix          "o=Kittredge Sports,c=US"
rootdn          "cn=Manager,dc=Kittredge,dc=com"
rootpw          secret

==>/etc/openldap/ldap.conf
HOST kittredge.cnation.com
BASE dc=Kittredge,dc=com
binddn cn=Manager,dc=Kittredge,dc=com
bindpw secret
port 636
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_crypt local
ssl yes

Keep in mind I've verified the ldap server is working and responding
by getting server authentication working through ldap as well as
doing ldapsearches from other machines (via ldaps) successfully.

The traces are quite long, so I've saved them to a file and posted
them to my website if you're interested.  The first one is what is spit
out by slapd right after I start courier-imap.  The second one is
what is spit out by slapd right after I run pine as a valid user on
the same machine as pine displays the self-signed certificate warning.

http://adam.ninth.org/starttrace.txt
http://adam.ninth.org/logintrace.txt

I've been banging my head against this for over 8 hours; I'd really
appreciate any help I can get.

Thanks,
Adam
http://adam.ninth.org
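An added offline diagnostic (example code, not from either poster) that parses the authldaprc and slapd.conf fragments quoted in the original message and checks that LDAP_BASEDN and LDAP_BINDDN fall under a suffix slapd actually serves, since a base outside every suffix makes the user search come back empty while the Manager bind still succeeds, which matches a trace that shows binds but no hits. It also builds the search filter authldap would send for a login; that part assumes authldap appends @LDAP_DOMAIN to a bare login and ANDs LDAP_FILTER into the search.

```python
import re

# Constructed sample input: the relevant lines of the authldaprc and
# slapd.conf quoted in the post (retyped here, not the files themselves).
AUTHLDAPRC = """
LDAP_BASEDN             dc=Kittredge, c=com
LDAP_BINDDN             cn=Manager,dc=Kittredge, c=com
LDAP_MAIL               mail
LDAP_DOMAIN             kittredge.com
LDAP_FILTER             (objectClass=posixAccount)
"""
SLAPD_CONF = """
suffix          "dc=Kittredge,dc=com"
suffix          "o=Kittredge Sports,c=US"
rootdn          "cn=Manager,dc=Kittredge,dc=com"
"""

def parse_conf(text):
    """Parse 'KEY value' lines into {key: [values]}; '#' comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(parts[0], []).append(value)
    return conf

def norm_dn(dn):
    """Split a DN into 'attr=value' RDNs: whitespace around the commas dropped,
    attribute names lower-cased (they are case-insensitive per RFC 4514)."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, val = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip()}")
    return rdns

def dn_under(dn, suffix):
    """True if dn equals suffix or lies beneath it (suffix RDNs are a tail of dn)."""
    d, s = norm_dn(dn), norm_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s

def check_authldap(authldaprc, slapd_conf):
    """Report whether authldap's base and bind DNs fall under any slapd suffix."""
    a, suffixes = parse_conf(authldaprc), parse_conf(slapd_conf).get("suffix", [])
    return {"basedn_under_suffix": any(dn_under(a["LDAP_BASEDN"][0], x) for x in suffixes),
            "binddn_under_suffix": any(dn_under(a["LDAP_BINDDN"][0], x) for x in suffixes)}

def authldap_filter(authldaprc, login):
    """Filter authldap would send (assumption: bare login gets @LDAP_DOMAIN, LDAP_FILTER AND-ed)."""
    a = parse_conf(authldaprc)
    if "@" not in login and a.get("LDAP_DOMAIN"):
        login = f"{login}@{a['LDAP_DOMAIN'][0]}"
    extra = a.get("LDAP_FILTER", [""])[0]
    return f"(&({a['LDAP_MAIL'][0]}={login}){extra})" if extra else f"({a['LDAP_MAIL'][0]}={login})"
```

Run on the quoted fragments, `check_authldap` reports both DNs as outside every suffix, because `dc=Kittredge, c=com` is not the same tree as the served `dc=Kittredge,dc=com`; the same check with `dc=com` in authldaprc passes.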