
Courier-IMAP -> OpenLDAP authentication problems



I've installed openldap-2.0.27-8, courier-imap-1.7.3-1.9 and courier-imap-ldap-1.7.3-1.9 on RedHat 9.

First I configured slapd.conf. I've successfully got my system authenticated (with PAM) through my LDAP server. However, when I tried to get Courier-imap to auth through the server, nothing I did seemed to work.

Before reading further, let me tell you what is happening. I start slapd as below so I can watch what's happening.

slapd -d 1 -h "ldap:// ldaps://"

When I start courier-imap (service courier-imap start) I can see it talking to the ldap server. I can see it binding too.

====> cache_return_entry_r( 2 ): created (0)
do_bind: v3 bind: "cn=Manager,dc=Kittredge,dc=com" to "cn=Manager,dc=Kittredge,dc=com"


I've configured pine (same machine) for a user who I've already confirmed can log in to the machine via ldap authentication. When I run pine, I get the self-signed cert warning (which is fine), and I see more activity in the slapd trace, though it doesn't seem to find the user (my interpretation). My theory is that authldap is not sending the proper information to retrieve the correct record. All I can make out is it binding again.

Another problem I have is really confirming that courier is really totally using my authldaprc. Even when I added 'LDAP_FILTER (objectClass=posixAccount)', there is no indication in the slapd trace that it is trying to use that filter. Is it possible that it is using my /etc/openldap/ldap.conf or some other file?

I'm not exactly sure what LDAP_MAIL should be set to. The default is mail, and I do have that attribute set in the user's ldap record. I'm not sure if LDAP_MAIL is what is used for the ldap search or not. I've also tried uid as the value.


Here's some pertinent info.

==>/usr/lib/courier-imap/etc/imapd

AUTHMODULES="authdaemon"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN"
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAPDSTART=YES



==>/usr/lib/courier-imap/etc/authdaemondrc

authmodulelist="authldap"

==>/usr/lib/courier-imap/etc/authldaprc
LDAP_SERVER             kittredge.cnation.com
LDAP_PORT               389

LDAP_BASEDN             dc=Kittredge, c=com
LDAP_BINDDN             cn=Manager,dc=Kittredge, c=com
LDAP_BINDPW             secret
LDAP_MAIL               mail
LDAP_DOMAIN             kittredge.com
LDAP_HOMEDIR            homeDirectory
LDAP_MAILDIR            mailDir
LDAP_DEFAULTDELIVERY    defaultDelivery
LDAP_FULLNAME           cn
#LDAP_CLEARPW           clearPassword
LDAP_CRYPTPW            userPassword
LDAP_UID                uidNumber
LDAP_GID                gidNumber
LDAP_TLS                1


==>/etc/openldap/slapd.conf
TLSVerifyClient never
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
database ldbm
suffix "dc=Kittredge,dc=com"
suffix "o=Kittredge Sports,c=US"
rootdn "cn=Manager,dc=Kittredge,dc=com"
rootpw secret

==>/etc/openldap/ldap.conf
HOST kittredge.cnation.com
BASE dc=Kittredge,dc=com
binddn cn=Manager,dc=Kittredge,dc=com
bindpw secret
port 636
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_crypt local
ssl yes

Keep in mind I've verified the ldap server is working and responding by getting server authentication working through ldap, as well as doing ldapsearches from other machines (via ldaps) successfully.

The traces are quite long, so I've saved them to a file and posted them to my website if you're interested. The first one is what is spit out by slapd right after I start courier-imap. The second one is what is spit out by slapd right after I run pine as a valid user on the same machine, as pine displays the self-signed certificate warning.

http://adam.ninth.org/starttrace.txt
http://adam.ninth.org/logintrace.txt

I've been banging my head against this for over 8 hours; I'd really appreciate any help I can get.

Thanks,
Adam
http://adam.ninth.org
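Added example (editor's note, not part of Adam's post or of Courier/OpenLDAP): the one thing that can be checked without the traces is whether the DNs in authldaprc agree with what slapd is actually serving. The script below parses the two config fragments exactly as quoted in the post, normalises the DNs (attribute-type case, whitespace around commas), and reports whether LDAP_BASEDN lies under one of slapd's suffixes and whether LDAP_BINDDN matches slapd's rootdn. On the posted values it flags both: authldaprc says "dc=Kittredge, c=com" while slapd.conf's suffix and rootdn use "dc=Kittredge,dc=com". Whether that is what breaks the login cannot be told from the post alone, but it is the first thing to rule out before reading traces. The config strings are constructed from the post; FIXED_AUTHLDAPRC is a hypothetical corrected version used only to show the check passing.

```python
"""
Consistency check between Courier's authldaprc and OpenLDAP's slapd.conf.

Added example, not code from the original post or from Courier/OpenLDAP.
Assumptions: authldaprc lines are 'KEY <whitespace> value' with '#' comments;
slapd.conf directives are 'name value' with optional double quotes, and
'suffix' may appear more than once.  DN values are compared case-insensitively,
which matches the caseIgnore-style matching rules of dc/cn/o/c.
"""
import re

# Constructed from the values quoted in the post.
AUTHLDAPRC = """\
LDAP_SERVER             kittredge.cnation.com
LDAP_PORT               389
LDAP_BASEDN             dc=Kittredge, c=com
LDAP_BINDDN             cn=Manager,dc=Kittredge, c=com
LDAP_BINDPW             secret
LDAP_MAIL               mail
LDAP_TLS                1
"""

# Hypothetical corrected version: only the two DNs differ.
FIXED_AUTHLDAPRC = """\
LDAP_SERVER             kittredge.cnation.com
LDAP_PORT               389
LDAP_BASEDN             dc=Kittredge,dc=com
LDAP_BINDDN             cn=Manager,dc=Kittredge,dc=com
LDAP_BINDPW             secret
LDAP_MAIL               mail
LDAP_TLS                1
"""

# Constructed from the slapd.conf fragment quoted in the post.
SLAPD_CONF = """\
database ldbm
suffix "dc=Kittredge,dc=com"
suffix "o=Kittredge Sports,c=US"
rootdn "cn=Manager,dc=Kittredge,dc=com"
rootpw secret
"""


def parse_authldaprc(text):
    """Return {KEY: value} for non-comment 'KEY value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def parse_slapd_conf(text):
    """Return {directive: value}; 'suffix' collects into a list, quotes stripped."""
    conf = {"suffix": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "suffix":
            conf["suffix"].append(value)
        else:
            conf[key] = value
    return conf


def normalize_dn(dn):
    """Split a DN on unescaped commas into (type, value) RDNs, trimmed and lowercased."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def dn_under(dn, suffix):
    """True if dn equals suffix or has suffix as its trailing RDNs."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def check(authldaprc_text, slapd_text):
    """Return a list of human-readable mismatches (empty means consistent)."""
    a = parse_authldaprc(authldaprc_text)
    s = parse_slapd_conf(slapd_text)
    problems = []
    basedn = a.get("LDAP_BASEDN", "")
    if not any(dn_under(basedn, suf) for suf in s["suffix"]):
        problems.append("LDAP_BASEDN %r is not under any slapd suffix %r"
                        % (basedn, s["suffix"]))
    binddn = a.get("LDAP_BINDDN", "")
    if normalize_dn(binddn) != normalize_dn(s.get("rootdn", "")):
        problems.append("LDAP_BINDDN %r does not match slapd rootdn %r"
                        % (binddn, s.get("rootdn")))
    return problems


if __name__ == "__main__":
    for name, text in (("posted authldaprc", AUTHLDAPRC),
                       ("fixed authldaprc", FIXED_AUTHLDAPRC)):
        print(name + ":", check(text, SLAPD_CONF) or ["OK"])
```

With the posted values the script reports two mismatches; with the DNs changed to "dc=Kittredge,dc=com" it reports none. A base DN outside every suffix makes slapd answer the user search with no entries (or a noSuchObject referral), which is consistent with "it doesn't seem to find the user", but the traces would have to confirm it.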