Has ANYONE gotten cyrus to authenticate through pam_ldap to OpenLDAP
2.0.XX? I wasn't able to get it working at all until I downgraded to
OpenLDAP 1.2.11-15.
Does the Cyrus LDAP patch work with OpenLDAP 2.0.XX?

David wrote:
> Hi to everybody, I have a problem with Cyrus & LDAP.
>
> Ok, here is the problem:
>
> I have correctly set up an LDAP database on a RH7.1 box (openldap-2.0.7).
> On the LDAP database I have imported /etc/passwd and /etc/group. I've
> modified /etc/pam.d/login to test if it is possible to validate against my
> ldap, and it works OK.
>
> Now, I want my imap server (cyrus-imap) to authenticate the users
> using PAM. To accomplish this I have modified this line in the /etc/imap.conf
> file:
>
> /etc/imap.conf:
> sasl_pwcheck_method: pam
>
> and this one:
>
> /etc/pam.d/imap:
> #%PAM-1.0
>
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
>
> After that I try to see if it works ok:
>
> [root@ipsilon /etc]# /usr/bin/imtest -m login -a drio localhost
> C: C01 CAPABILITY
> S: * OK ipsilon Cyrus IMAP4 v2.0.12 server ready
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
> S: C01 OK Completed
> Password:
> C: L01 LOGIN drio {5}
> + go ahead
> C: <omitted>
> L01 NO Login failed: authentication failure
> Authentication failed. generic failure
> Security strength factor: 0
>
> This is the log output:
>
> Jul 12 14:07:37 ipsilon imap(pam_unix)[3365]: authentication failure;
> logname= uid=76 euid=76 tty= ruser= rhost= user=drio
>
> Then I try to do the authentication using LDAP, so I comment out the
> other two lines and add these to the /etc/pam.d/imap file:
>
> auth sufficient /lib/security/pam_ldap.so
> account sufficient /lib/security/pam_ldap.so
>
> Now I tried again:
>
> [root@ipsilon /etc]# /usr/bin/imtest -m login -a drio localhost
> C: C01 CAPABILITY
> S: * OK ipsilon Cyrus IMAP4 v2.0.12 server ready
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
> S: C01 OK Completed
> Password:
> C: L01 LOGIN drio {4}
> + go ahead
> C: <omitted>
> failure: prot layer failure
>
> This is the log output:
>
> Jul 12 14:16:55 ipsilon imapd[4219]: pam_ldap: error trying to bind as
> user "uid=drio,ou=People,o=pruebas" (Invalid credentials)
>
> By the way, it is more important for me to validate the users using LDAP
> because I will do it this way in the future.
>
> I hope you'll be able to tell what the hell is going on here....
>
> One thing more, a curious thing:
>
> #######################################################################
> ### /var/log/slapd.log: trace of a ldap query from the pam_ldap.so linked
> ### in the login binary.
> ########################################################################
> Jul 12 16:42:47 ipsilon slapd[4865]: daemon: conn=29 fd=7 connection from
> IP=192.168.1.40:33600 (IP=0.0.0.0:389) accepted.
> Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=0 BIND dn="" method=128
> Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=0 RESULT tag=97 err=0
> text=
> Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=1 SRCH base="o=pruebas"
> scope=2 filter="(uid=drio)"
> Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=1 SEARCH RESULT tag=101
> err=0 text=
> Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=2 BIND
> dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS"
> method=128
> Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=2 RESULT tag=97 err=0
> text=
> Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=3 BIND dn="" method=128
> Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=3 RESULT tag=97 err=0
> text=
> Jul 12 16:42:58 ipsilon slapd[4865]: conn=29 op=4 UNBIND
> Jul 12 16:42:58 ipsilon slapd[4865]: conn=-1 fd=7 closed
>
>
> #######################################################################
> ### /var/log/slapd.log: trace of a ldap query from the pam_ldap.so linked
> ### in the imapd binary.
> ########################################################################
> Jul 12 16:43:56 ipsilon slapd[4865]: daemon: conn=30 fd=7 connection from
> IP=192.168.1.40:33610 (IP=0.0.0.0:389) accepted.
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=0 BIND dn="" method=128
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=0 RESULT tag=97 err=0
> text=
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SRCH base="o=pruebas"
> scope=2 filter="(uid=drio)"
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SEARCH RESULT tag=101
> err=0 text=
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 BIND
> dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS"
> method=128
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 RESULT tag=97 err=0
> text=
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=3 BIND dn="" method=128
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=3 RESULT tag=97 err=0
> text=
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=4 UNBIND
> Jul 12 16:43:56 ipsilon slapd[4865]: conn=-1 fd=7 closed
>
> It seems OK? The query is the same.
>
> Thank you in advance.
>
--
Jules Agee
System Administrator
Pacific Coast Feather Co.
[EMAIL PROTECTED] x284
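
The by-eye comparison of the two slapd traces quoted above can be scripted. This is an added example, not part of the original messages: it pairs each BIND with its RESULT per conn/op and lists the non-anonymous binds the server rejected. The sample is constructed from the imapd trace in the post with mail line-wrapping undone; the conn=31 lines with err=49 are invented to show what a rejection looks like.

```python
import re

# Constructed sample: imapd trace from the post (line wrapping undone),
# plus one invented failing bind (conn=31, err=49) for contrast.
SAMPLE = """\
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=0 BIND dn="" method=128
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=0 RESULT tag=97 err=0 text=
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SRCH base="o=pruebas" scope=2 filter="(uid=drio)"
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SEARCH RESULT tag=101 err=0 text=
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 BIND dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS" method=128
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 RESULT tag=97 err=0 text=
Jul 12 16:50:00 ipsilon slapd[4865]: conn=31 op=0 BIND dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS" method=128
Jul 12 16:50:00 ipsilon slapd[4865]: conn=31 op=0 RESULT tag=97 err=49 text=
"""

OP = re.compile(r'conn=(\d+) op=(\d+) (.*)$')
BIND = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r'RESULT tag=(\d+) err=(\d+)')

def bind_outcomes(log_text):
    """Return [(conn, op, dn, err)] for every BIND that has a matching RESULT."""
    pending = {}   # (conn, op) -> dn of a BIND still waiting for its RESULT
    out = []
    for line in log_text.splitlines():
        m = OP.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        rest = m.group(3)
        b = BIND.match(rest)
        if b:
            pending[key] = b.group(1)
            continue
        r = RESULT.search(rest)
        # tag=97 is the bind response; SEARCH RESULT (tag=101) is skipped
        if r and r.group(1) == "97" and key in pending:
            out.append((key[0], key[1], pending.pop(key), int(r.group(2))))
    return out

def failed_user_binds(log_text):
    """Non-anonymous binds the server rejected (err != 0; 49 = invalidCredentials)."""
    return [o for o in bind_outcomes(log_text) if o[2] and o[3] != 0]

if __name__ == "__main__":
    for conn, op, dn, err in bind_outcomes(SAMPLE):
        print(f"conn={conn} op={op} dn={dn or '<anonymous>'} err={err}")
```

Run against the real slapd log for the time window of the pam_ldap "Invalid credentials" message, an empty `failed_user_binds` result means the server never logged a rejected bind for that attempt.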