
Re: Courier-IMAP -> OpenLDAP authentication problems



I've got one more piece of info. I did some searching for why it would be looking for imappublic and imappshared. It seems that pine does that automatically, which would explain why when I loaded pine I saw activity in slapd (as it was looking for shared folders), but did not see activity when I telnetted in. So I'm not even sure it's trying to authenticate through ldap at all.

Oh and I appreciate all the help I've gotten so far. I've got a good feeling about this :) If I get this working, I will definitely write a HOWTO on this.

Thanks,
Adam

At 11:14 AM -0700 5/19/03, adam+oldap@p3mammoth.com wrote:
I think I'm narrowing it down. I think it IS using PAM instead of authldap. I don't think it will work with PAM (I think I even read that somewhere). I think I want it to use authldap, but can't figure out why it's defaulting to PAM.

Also, once I enabled debugging of 256 (thanks) I can see this...

conn=7 op=1 SRCH base="dc=Kittredge,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=imappublic))"

I don't know where it's getting uid=imappublic. It's not in any file in my /etc/courier-imap/.

I did use maildirmake to make sure there was a proper set of Maildir folders in that user's home directory. In any of my attempts, it has not complained about the maildir folder not being there.

Also, I tried adding 'allow bind_v2' to my slapd.conf, but it's not a valid statement. I guess bind_v2 is not a <feature> it accepts. However, for some reason, disallow bind_v2 is, though that's not what we want :)

So it might be that it's not working because the search filter is wrong (uid=imappublic). Though that may be it looking for public folders and may have nothing to do with it not working.
It may not be working because it's trying to use PAM instead of authldap.


I can still try downgrading my openldap to 2, but I think you were right when you said it's not openldap, it's courier.

Oh, and when I tried telnetting in to localhost 143, the slapd trace showed NO activity. I found this particularly interesting. Here's the transcript of the telnet.

[adam@kittredge adam]$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN STARTTLS] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.
1 LOGIN "adam" "secret"
1 NO Login failed.




I'd like to think we're getting closer :)  Any other suggestions?

Thanks,
Adam
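The SRCH line quoted above is the stats-level (loglevel 256) output slapd produces for every search it receives. An added helper, not code from the thread or from Courier/OpenLDAP, that turns such lines into the ldapsearch command which repeats the same query, and lists which uids the trace actually asked for, so you can tell at a glance whether the login name ever reached LDAP. It assumes the log format shown in the thread (`conn=N op=N SRCH base="..." scope=N filter="..."`) and OpenLDAP's scope numbering (0 base, 1 one, 2 sub); the sample trace is constructed.

```python
"""Turn the 'loglevel 256' SRCH lines slapd prints into the ldapsearch command
that repeats the same query, and list which uids the daemons actually asked
for. Added troubleshooting helper, not code from the thread or from
Courier/OpenLDAP. Assumes the stats-log format shown in the thread
(conn=N op=N SRCH base="..." scope=N filter="...") and OpenLDAP's scope
numbering (0 base, 1 one, 2 sub)."""
import re
import shlex
from typing import Dict, List, Set

# Constructed sample trace: the line quoted in the thread plus a second search
# of the kind a real "adam" login would generate, and one unrelated line.
SAMPLE_LOG = """\
conn=7 op=1 SRCH base="dc=Kittredge,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=imappublic))"
conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=8 op=1 SRCH base="dc=Kittredge,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=adam))"
"""

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>[012]) filter="(?P<filter>[^"]*)"'
)
SCOPE_NAMES = {"0": "base", "1": "one", "2": "sub"}   # ldapsearch -s values


def parse_srch_lines(log: str) -> List[Dict[str, str]]:
    """One dict (conn, op, base, scope, filter) per SRCH line; others ignored."""
    entries = []
    for line in log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["scope"] = SCOPE_NAMES[entry["scope"]]
            entries.append(entry)
    return entries


def ldapsearch_command(entry: Dict[str, str], uri: str = "ldap://localhost") -> str:
    """Shell command that re-runs the logged search with a simple bind.

    No -D/-w is added on purpose: supply the same identity the daemon binds
    with (or run anonymously) to see whether ACLs, not the filter, hide the
    entry. shlex.quote keeps the parentheses and '&' away from the shell."""
    return " ".join([
        "ldapsearch", "-x", "-H", shlex.quote(uri),
        "-b", shlex.quote(entry["base"]),
        "-s", entry["scope"],
        shlex.quote(entry["filter"]),
    ])


def searched_uids(log: str) -> Set[str]:
    """Distinct uid values the trace asked for: if your login name never
    appears here, the IMAP login is not reaching LDAP at all."""
    uids = set()
    for entry in parse_srch_lines(log):
        for m in re.finditer(r"\(uid=([^)]*)\)", entry["filter"]):
            uids.add(m.group(1))
    return uids


if __name__ == "__main__":
    for e in parse_srch_lines(SAMPLE_LOG):
        print(f"conn={e['conn']} op={e['op']}: {ldapsearch_command(e)}")
    print("uids searched:", sorted(searched_uids(SAMPLE_LOG)))
```

Feed it the real trace (`slapd -d 256 ... 2>&1 | tee trace.txt`, then `parse_srch_lines(open("trace.txt").read())`) while you attempt a login on port 143: a trace in which only the namespace probes (imappublic and friends) show up, and never the login name, points at the authentication path rather than at the directory.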


At 6:47 AM -0700 5/19/03, Ken Sorensen wrote:
adam+oldap@p3mammoth.com wrote:

I've installed openldap-2.0.27-8, courier-imap-1.7.3-1.9 and courier-imap-ldap-1.7.3-1.9 on RedHat 9.

 First I configured slapd.conf.  I've successfully got my system
 authenticated (with PAM) through my LDAP server.  However, when I
 tried to get Courier-imap to auth through the server, nothing I did
 seems to work.

 Before reading further, let me tell you what is happening.  I start
 slapd as below so I can watch what's happening.

 slapd -d 1 -h "ldap:// ldaps://"

 When I start courier-imap (service courier-imap start) I can see it
 talking to the ldap server.  I can see it binding too.

 ====> cache_return_entry_r( 2 ): created (0)
 do_bind: v3 bind: "cn=Manager,dc=Kittredge,dc=com" to
 "cn=Manager,dc=Kittredge,dc=com"

 I've configured pine (same machine) for a user who I've already
 confirmed can log in to the machine via ldap authentication.  When I
 run pine, I get the self-signed cert warning (which is fine), and I
 see more activity in the slapd trace, though it doesn't seem to find
 the user (my interpretation).  My theory is that authldap is not
 sending the proper information to retrieve the correct record.  All I
 can make out is it binding again. Another problem I have is really
 confirming that courier is really totally using my authldaprc.  Even
 when I added 'LDAP_FILTER (objectClass=posixAccount)', there is no
 indication in the slapd trace that it is trying to use that filter.
 Is it possible that it is using my /etc/openldap/ldap.conf or some
 other file?

 I'm not exactly sure what LDAP_MAIL should be set to.  The default is
 mail, and I do have that attribute set in the users ldap record.  I'm
 not sure if LDAP_MAIL is what is used for the ldap search or not.
 I've also tried uid as the value.

 Here's some pertinent info.

 ==>/usr/lib/courier-imap/etc/imapd
 AUTHMODULES="authdaemon"
 IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
 THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN"
 IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
 IMAPDSTART=YES

 ==>/usr/lib/courier-imap/etc/authdaemondrc

 authmodulelist="authldap"

 ==>/usr/lib/courier-imap/etc/authldaprc
 LDAP_SERVER             kittredge.cnation.com
 LDAP_PORT               389

 LDAP_BASEDN             dc=Kittredge, c=com
 LDAP_BINDDN             cn=Manager,dc=Kittredge, c=com
 LDAP_BINDPW             secret
 LDAP_MAIL               mail
 LDAP_DOMAIN             kittredge.com
 LDAP_HOMEDIR            homeDirectory
 LDAP_MAILDIR            mailDir
 LDAP_DEFAULTDELIVERY    defaultDelivery
 LDAP_FULLNAME           cn
 #LDAP_CLEARPW           clearPassword
 LDAP_CRYPTPW            userPassword
 LDAP_UID                uidNumber
 LDAP_GID                gidNumber
 LDAP_TLS                1

 ==>/etc/openldap/slapd.conf
 TLSVerifyClient never
 TLSCipherSuite HIGH:MEDIUM:+SSLv2
 TLSCertificateFile /usr/share/ssl/certs/slapd.pem
 TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
 TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
 database        ldbm
 suffix          "dc=Kittredge,dc=com"
 suffix          "o=Kittredge Sports,c=US"
 rootdn          "cn=Manager,dc=Kittredge,dc=com"
 rootpw          secret

 ==>/etc/openldap/ldap.conf
 HOST kittredge.cnation.com
 BASE dc=Kittredge,dc=com
 binddn cn=Manager,dc=Kittredge,dc=com
 bindpw secret
 port 636
 pam_filter objectclass=posixAccount
 pam_login_attribute uid
 pam_member_attribute memberuid
 pam_crypt local
 ssl yes

 Keep in mind I've verified the ldap server is working and responding
 by getting server authentication working through ldap as well as
 doing ldapsearches from other machines (via ldaps) successfully.
 The traces are quite long, so I've saved them to a file and posted
 them to my website if you're interested.  The first one is what is spit
 out by slapd right after I start courier-imap.  The second one is
 what is spit out by slapd right after I run pine as a valid user on
 the same machine as pine displays the self-signed certificate warning.

 http://adam.ninth.org/starttrace.txt
 http://adam.ninth.org/logintrace.txt

 I've been banging my head against this for over 8 hours; I'd really
 appreciate any help I can get.

 Thanks,
 Adam
 http://adam.ninth.org

Hi Adam, I feel your pain <grin>. I am in the process of testing this new setup for my production email system (Sendmail/Courier-IMAP/LDAP). It was a handful. The hardest part was ruling out which process is operating correctly and which is mis/unconfigured.

In regards to your situation, the clue is that PAM-LDAP is authenticating. Also the Courier-IMAP daemon seems to bind to LDAP. I'm not sure LDAP is the problem. Courier-IMAP uses the Maildir format (Mail directories instead of the single file mbox format) for the users' email. If that directory structure is unavailable, the IMAP/POP3 connection will shut down immediately while trying to authenticate. There is a utility for creating user Maildirs called '/usr/bin/maildirmake'.

I would also use telnet to the IMAP/POP3 servers to test the connection rather than Pine. POP3 commands are easier to test from a terminal session. Also, I think OpenLDAP debug level 256 (connections/operations/results) will give you a nice search base to use in ldapsearch to test your LDAP authentication queries. I also found OpenLDAP 2.17+ much tighter than the OpenLDAP 2.0x rpm packages. Good luck!

Hope this helps,
Ken

BTW: This is what I mean by telnet to the Courier POP3 daemon (replace localhost with your domainname if needed). You should be able to test/retrieve your email this way.

telnet localhost 110 [Client]
+OK [Server]
USER login [C]
+OK ..[S]
PASS yourpasswd [C]
+OK ...[S]
LIST [C]
...
QUIT [C]

-- _________________________________ Ken Sorensen <ken@e-sorensen.com>
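The USER/PASS/LIST/QUIT walk-through above, scripted so it can be repeated after every configuration change and reports which step failed. This is an added example, not code from the thread or from Courier: the stand-in POP3 server is constructed here so the script runs offline (it only speaks the handful of commands the walk-through uses and answers with a constructed greeting and error text), and the user/password/mailbox it knows are constructed too. Point `pop3_login_test` at the real courierpop3d on port 110 to test the actual setup.

```python
"""Scripted version of the POP3 login test from the mail: a throw-away POP3
server on 127.0.0.1 (a constructed stand-in for courierpop3d, so this runs
offline) and a client that walks USER/PASS/LIST/QUIT and reports the step
that failed. Added example, not code from the thread or from Courier."""
import poplib
import socketserver
import threading

# Constructed credentials and mailbox for the stand-in server.
FAKE_USERS = {"adam": "secret"}
FAKE_MESSAGES = {"adam": [120, 4096]}      # message sizes in octets


class FakePop3Handler(socketserver.StreamRequestHandler):
    """Minimal RFC 1939 subset: greeting, USER, PASS, LIST, QUIT."""

    def send(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        user, authed = None, False
        self.send("+OK Hello there.")                 # [S] greeting
        for raw in self.rfile:                        # one command per line
            cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.send("+OK Password required.")
            elif cmd == "PASS":
                authed = user in FAKE_USERS and FAKE_USERS[user] == arg
                # same -ERR for unknown user and wrong password: never reveal which
                self.send("+OK logged in." if authed else "-ERR Login failed.")
            elif cmd == "LIST" and authed:
                sizes = FAKE_MESSAGES.get(user, [])
                self.send("+OK %d messages:" % len(sizes))
                for num, octets in enumerate(sizes, 1):
                    self.send("%d %d" % (num, octets))
                self.send(".")                        # end of multi-line reply
            elif cmd == "QUIT":
                self.send("+OK Bye-bye.")
                return
            else:
                self.send("-ERR Unknown command or not authenticated.")


def start_fake_pop3():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePop3Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def pop3_login_test(host, port, login, password):
    """Replay the exchange from the mail; return (stage, detail).

    stage is "OK" with detail = message count when everything worked,
    otherwise the step that failed (connect, USER, PASS, LIST) with the
    server's reply, so the failing layer is obvious at a glance."""
    try:
        conn = poplib.POP3(host, port, timeout=5)
    except OSError as exc:                 # refused or timed out: nothing listening
        return "connect", str(exc)
    stage = "USER"
    try:
        conn.user(login)
        stage = "PASS"
        conn.pass_(password)               # -ERR here: authdaemon rejected us
        stage = "LIST"
        _, listing, _ = conn.list()
        return "OK", len(listing)
    except poplib.error_proto as exc:
        return stage, str(exc)
    finally:
        try:
            conn.quit()
        except (poplib.error_proto, OSError):
            pass


if __name__ == "__main__":
    server, port = start_fake_pop3()
    print(pop3_login_test("127.0.0.1", port, "adam", "secret"))   # ('OK', 2)
    print(pop3_login_test("127.0.0.1", port, "adam", "wrong"))    # ('PASS', ...)
    server.shutdown()
    server.server_close()
```

A result of `("PASS", ...)` against the real daemon, with no matching SRCH line appearing in the slapd trace at the same moment, isolates the problem to the Courier authentication modules; a `("LIST", ...)` after a successful PASS points at the Maildir instead.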