The following may be relevant to your problems!

================================================================
Subject: Re: SIGSEGV in combination with pam_ldap->OpenLDAP v2.0.x
   Date: Sat, 24 Feb 2001 10:25:59 -0800
  From: "Kurt D. Zeilenga" <[EMAIL PROTECTED]>
    To: Carsten Hoeger <[EMAIL PROTECTED]>
    CC: [EMAIL PROTECTED]

If you intend to use Cyrus SASL with PAM with OpenLDAP,
build OpenLDAP --without-cyrus-sasl to avoid library
reentry issues.

=================================================================

Joshua Penix wrote:
> 
> I'm having trouble getting Cyrus-IMAP to authenticate against an OpenLDAP
> server using PAM modules.  I seem to be able to get Cyrus/SASL to work with
> PAM when it's authenticating against /etc/passwd, but as soon as I point it
> at LDAP it refuses to work.
> 
> Of course, it's hard to know where to post for help when you have so many
> pieces working together.  Since I think I limited it down to the PAM -> LDAP
> connection, I sent a large "help me!" message to the padl.com mailing list
> for nss_ldap/pam_ldap modules.  But I believe a number of people on this
> list have my intended configuration up and running, so I'm going to re-post
> my "help me!" message below in hope that someone from this list can shed
> some light on my troubles.  If you don't know what I'm talking about, then
> just delete me and move along :^)
> 
> --Josh
> 
> [Below is full description of problem, along with logs]
> -------------------------------------------------------
> 
> I'm working on getting a new installation of the Cyrus IMAP server (2.0.9)
> authenticating against an OpenLDAP (2.0.7) server.  As expected, SASL
> (1.5.24), PAM (0.74) and the nss_ldap/pam_ldap modules sit in between these
> two.
> 
> I believe I've chased the problem down to something between PAM and LDAP....
> Cyrus works just fine through SASL and PAM when PAM is pointed to my
> /etc/passwd file.  But as soon as I tell PAM to reference LDAP, it starts
> choking...
> 
> I understand the need for plain/cleartext passwords throughout the system,
> and believe I have everything compiled and set up to talk that way as
> evidenced by the working Cyrus->SASL->PAM->/etc/passwd route.
> 
> But as soon as I change my /etc/pam.d/imap file to look like the following:
> 
> -----
> #%PAM-1.0
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix_auth.so try_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix_acct.so
> -----
> 
> My Cyrus 'imtest -m login -u jpenix -a jpenix localhost' session goes like
> this:
> 
> -----
> C: C01 CAPABILITY
> S: * OK celery.projectdesign.com Cyrus IMAP4 v2.0.9 server ready
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
> S: C01 OK Completed
> Password:
> C: L01 LOGIN jpenix {8}
> + go ahead
> C: <omitted>
> failure: prot layer failure
> -----
> 
> The /var/log/ldap.log from the above session:
> 
> -----
> Feb 26 02:04:29 celery slapd[29687]: daemon: conn=22 fd=18 connection from
> IP=127.0.0.1:33082 (IP=0.0.0.0:389) accepted.
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 BIND dn="" method=128
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 RESULT tag=97 err=0 text=
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SRCH
> base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)"
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SEARCH RESULT tag=101
> err=0 text=
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 BIND dn="CN=JOSHUA
> PENIX,DC=PROJECTDESIGN,DC=COM" method=128
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 RESULT tag=97 err=0 text=
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=3 BIND dn="" method=128
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=3 RESULT tag=97 err=0 text=
> Feb 26 02:04:29 celery slapd[29687]: conn=22 op=4 UNBIND
> Feb 26 02:04:29 celery slapd[29687]: conn=-1 fd=18 closed
> -----
> 
> And *no* mention of it in /var/log/messages where I'd expect to see PAM
> messages, and *no* mention of it in /var/log/imapd.log where I'd expect to
> see Cyrus complaining.
> 
> Interestingly, the above only happens when I type the password CORRECTLY.
> Here's an 'imtest -m login -u jpenix -a jpenix localhost' where I purposely
> type the password incorrectly:
> 
> -----
> C: C01 CAPABILITY
> S: * OK celery.projectdesign.com Cyrus IMAP4 v2.0.9 server ready
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
> S: C01 OK Completed
> Password:
> C: L01 LOGIN jpenix {4}
> + go ahead
> C: <omitted>
> L01 NO Login failed: authentication failure
> Authentication failed. generic failure
> Security strength factor: 0
> -----
> 
> And here's the /var/log/ldap.log from the session with incorrect password:
> 
> -----
> Feb 26 02:07:47 celery slapd[29687]: daemon: conn=23 fd=18 connection from
> IP=127.0.0.1:33084 (IP=0.0.0.0:389) accepted.
> Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 BIND dn="" method=128
> Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 RESULT tag=97 err=0 text=
> Feb 26 02:07:47 celery slapd[29687]: conn=23 op=1 SRCH
> base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)"
> Feb 26 02:07:47 celery slapd[29687]: conn=23 op=1 SEARCH RESULT tag=101
> err=0 text=
> Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 BIND dn="CN=JOSHUA
> PENIX,DC=PROJECTDESIGN,DC=COM" method=128
> Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 RESULT tag=97 err=49 text=
> 
> Feb 26 02:07:47 celery slapd[29687]: conn=23 op=3 BIND dn="" method=128
> Feb 26 02:07:47 celery slapd[29687]: conn=23 op=3 RESULT tag=97 err=0 text=
> Feb 26 02:07:57 celery slapd[29687]: conn=-1 fd=18 closed
> -----
> 
> And now we also get a mention in /var/log/messages:
> 
> -----
> Feb 26 02:07:47 celery imapd[29810]: pam_ldap: error trying to bind as user
> "cn=Joshua Penix, dc=projectdesign,dc=com" (Invalid credentials)
> Feb 26 02:07:47 celery imap(pam_unix)[29810]: authentication failure;
> logname= uid=76 euid=76 tty= ruser= rhost=  user=jpenix
> -----
> 
> So it's *GOT* to be checking *SOMETHING* against my LDAP password or else
> the sessions wouldn't differ based on what I type.  Perhaps I'm barking up
> the wrong tree?  Maybe the problem occurs after everything is authenticated?
> The "failure: prot layer failure" message isn't very descriptive and I can't
> seem to get any more debugging info out of PAM or SASL... any suggestions on
> where to kick up some logging/error message levels would be great.
> 
> Further information that might be useful:
> 
> The password is stored in LDAP using the 'userPassword' attribute, and is
> formatted like '{crypt}hashedstuffhere'.
> 
> My /etc/ldap.conf:
> 
> -----
> host 127.0.0.1
> base dc=projectdesign,dc=com
> pam_password crypt
> ssl no
> -----
> 
> My /etc/openldap/ldap.conf (not sure what purpose this file serves vs.
> /etc/ldap.conf):
> 
> -----
> HOST 127.0.0.1
> BASE dc=projectdesign,dc=com
> -----
> 
> My /etc/imapd.conf:
> 
> -----
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: cyrus mailadmin
> allowanonymouslogin: no
> sasl_pwcheck_method: pam
> -----
> 
> And that's it!  I can't think of anything else... there must be something
> obvious I'm missing.  Would appreciate if someone would take a look at the
> above and tell me where I'm going wrong.  Or if anyone who has it working
> wants to post their configs, that'd be great... or at least let me know
> where I should be looking and how to get better debug logs out of the
> PAM/LDAP modules.
> 
> Thanks much!!!  I promise to write up a howto once this is working...
> 
> --Josh
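
As an added example (not code from the thread or from any of the projects mentioned), here is a small parser over slapd log lines of the kind quoted above. It pairs each BIND op with its RESULT per connection so you can confirm whether the user bind actually succeeded (err=0) or came back invalidCredentials (err=49), which is the check that separates an LDAP-side failure from one further along the Cyrus->SASL->PAM chain. The sample lines are constructed from the ones Josh posted; conn numbers and DN are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slapd log lines quoted in the thread
# (timestamps, DNs and conn numbers are illustrative).
SAMPLE_LOG = """\
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 BIND dn="" method=128
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 RESULT tag=97 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 BIND dn="CN=JOSHUA PENIX,DC=PROJECTDESIGN,DC=COM" method=128
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 RESULT tag=97 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=4 UNBIND
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 BIND dn="" method=128
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 RESULT tag=97 err=0 text=
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 BIND dn="CN=JOSHUA PENIX,DC=PROJECTDESIGN,DC=COM" method=128
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

def bind_outcomes(log_text):
    """Return {conn: [(dn, err), ...]} for every BIND op whose RESULT was seen.
    tag=97 is the LDAP bindResponse; err=0 is success, err=49 invalidCredentials."""
    pending = {}   # (conn, op) -> dn of a BIND still waiting for its RESULT
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            outcomes[m.group(1)].append((dn, int(m.group(3))))
    return dict(outcomes)

def user_bind_status(log_text):
    """Per connection: 'ok' if every non-anonymous bind succeeded,
    'invalid-credentials' if one returned err=49, 'no-user-bind' otherwise."""
    status = {}
    for conn, binds in bind_outcomes(log_text).items():
        errs = [err for dn, err in binds if dn]   # skip anonymous (dn="") binds
        if 49 in errs:
            status[conn] = "invalid-credentials"
        elif errs and all(e == 0 for e in errs):
            status[conn] = "ok"
        else:
            status[conn] = "no-user-bind" if not errs else "err=%d" % errs[-1]
    return status
```

Run against a real /var/log/ldap.log, a connection reported as "ok" while the IMAP client still sees "prot layer failure" tells you slapd accepted the password and the fault is on the Cyrus/SASL/PAM side, as Kurt's note about library reentry suggests.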
