I'm setting up qmail-ldap using qmail-ldap-1.03-20030501.patch.gz
and working out the qmail/ldap interactions. It seems to work fine if
I have /var/qmail/control/ldaprebind set to 0, but fails if set to 1.
First, with ldaprebind set to 1, I test it with:
# /var/qmail/bin/qmail-ldaplookup -u cshenton -p cshenton
init_ldap: passwords are not compared via rebind
localdelivery: off
clustering: off
ldapobjectclass: qmailUser
homedirmaker: /usr/local/bin/ql-dirmaker
defaultDotMode: ldapwithprog
defaultQuota: 100000000S,10000C
QuotaWarning:
------
[quotawarning]
You are close to your quota.
------
qldap_lookup: searching with (&(objectclass=qmailUser)(uid=cshenton))
qldap_lookup: succeeded, found:
uid: cshenton
qmailUID: 65025
qmailGID: 65025
accountStatus: undefined
mailMessageStore: /usr/local/maildirs/cshenton
homeDirectory: (null pointer)
mailHost: (null pointer)
mail: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
mailQuotaSize: no entry in the database
mailQuotaCount: no entry in the database
mailQuota: no entry in the database
mailForwardingAddress: no entry in the database
deliveryProgramPath: no entry in the database
qmailDotMode: no entry in the database
deliveryMode: no entry in the database
mailReplyText: no entry in the database
mailSizeMax: no entry in the database
userPassword: {SHA}fpZ8ao8TwKbSyQc1JJjjI94ZAFc=
qldap_lookup: password compare was successful
Then I set ldaprebind to 0 and repeat:
# /var/qmail/bin/qmail-ldaplookup -d 1023 -u cshenton -p cshenton
init_ldap: passwords are compared via rebind
localdelivery: off
clustering: off
ldapobjectclass: qmailUser
homedirmaker: /usr/local/bin/ql-dirmaker
defaultDotMode: ldapwithprog
defaultQuota: 100000000S,10000C
QuotaWarning:
------
[quotawarning]
You are close to your quota.
------
qldap_lookup: searching with (&(objectclass=qmailUser)(uid=cshenton))
qldap_lookup: NOT successful: rebinding to ldap server failed
localdelivery off, so no local lookup
Excerpts from the logs are below, with timestamps removed for clarity.
It first binds as cn=qmail,... then finds my entry for cn=cshenton,
then tries to bind as that. But if I'm reading the logs right, it
fails to match "self" in the access control lists:
do_bind: version=3 dn="cn=qmail,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" method=128
...
=> access_allowed: auth access granted by auth (=x)
====> cache_return_entry_r( 6 ): returned (0)
do_bind: v3 bind: "cn=qmail,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" to "cn=qmail, ou=Headquarters, o=National Aeronautics and Space Administration, c=US"
...
====> cache_find_entry_id( 8 ) "cn=Chris Shenton-1,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" (found) (1 tries)
...
=> access_allowed: read access granted by read (=rscx)
do_bind: version=3 dn="cn=Chris Shenton-1,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" method=128
dn2entry_r: dn: "CN=CHRIS SHENTON-1,OU=HEADQUARTERS,O=NATIONAL AERONAUTICS AND SPACE ADMINISTRATION,C=US"
=> dn2id( "CN=CHRIS SHENTON-1,OU=HEADQUARTERS,O=NATIONAL AERONAUTICS AND SPACE ADMINISTRATION,C=US" )
====> cache_find_entry_dn2id("CN=CHRIS SHENTON-1,OU=HEADQUARTERS,O=NATIONAL AERONAUTICS AND SPACE ADMINISTRATION,C=US"): 8 (1 tries)
<= dn2id 8 (in cache)
=> id2entry_r( 8 )
====> cache_find_entry_id( 8 ) "cn=Chris Shenton-1,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" (found) (1 tries)
<= id2entry_r( 8 ) 0x816f020 (cache)
=> access_allowed: auth access to "cn=Chris Shenton-1,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl cn=Chris Shenton-1,ou=Headquarters,o=National Aeronautics and Space Administration,c=US attr: userPassword
=> acl_mask: access to entry "cn=Chris Shenton-1,ou=Headquarters,o=National Aeronautics and Space Administration,c=US", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: cn=Manager,ou=Headquarters,o=National Aeronautics and Space Administration,c=US
=> string_expand: pattern: cn=Manager,ou=Headquarters,o=National Aeronautics and Space Administration,c=US
=> string_expand: expanded: cn=Manager,ou=Headquarters,o=National Aeronautics and Space Administration,c=US
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: cn=qmail,ou=Headquarters,o=National Aeronautics and Space Administration,c=US
=> string_expand: pattern: cn=qmail,ou=Headquarters,o=National Aeronautics and Space Administration,c=US
=> string_expand: expanded: cn=qmail,ou=Headquarters,o=National Aeronautics and Space Administration,c=US
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [4] applying auth (=x) (stop)
<= acl_mask: [4] mask: auth (=x)
=> access_allowed: auth access granted by auth (=x)
send_ldap_result: conn=1 op=2 p=3
send_ldap_response: msgid=3 tag=97 err=49
====> cache_return_entry_r( 8 ): returned (0)
Here's the DB and ACL portion of my slapd.conf:
database ldbm
suffix "ou=Headquarters,o=National Aeronautics and Space Administration,c=US"
rootdn "cn=Manager,ou=Headquarters,o=National Aeronautics and Space Administration,c=US"
rootpw secret
directory /var/db/openldap-ldbm
index objectclass,mail,mailAlternateAddress,uid eq
access to attrs=userPassword
    by dn="cn=Manager,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" write
    by dn="cn=qmail,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" read
    by self write
    by * auth
access to *
    by dn="cn=Manager,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" write
    by dn="cn=qmail,ou=Headquarters,o=National Aeronautics and Space Administration,c=US" read
    by self read
    by anonymous read
I've checked the OpenLDAP Admin Guide for version 2.0 (I'm running
2.0.77 presently) and can't see any obvious syntax problems.
Any pointers or suggestions?
Many thanks.
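A small Python model of slapd's ACL walk for the userPassword block in the slapd.conf above, added here as an example (not code from the post or from OpenLDAP): it reproduces the trace, where the bind is evaluated with an empty requester DN, the dn= and self clauses fail to match, and "by * auth" is the clause that applies. Clause matching and level ordering follow the OpenLDAP 2.0 access syntax; DN normalization is simplified and the ACL list is transcribed from the post.

```python
# Added example (not from the post or from OpenLDAP): model of how slapd 2.0
# walks the "access to attrs=userPassword" clauses above. During a simple bind
# the requester DN is "" (trace: by "", (=n)), so only "by * auth" can match.

# slapd access levels, lowest to highest; each level implies those below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

SUFFIX = "ou=Headquarters,o=National Aeronautics and Space Administration,c=US"
MANAGER = "cn=Manager," + SUFFIX
QMAIL = "cn=qmail," + SUFFIX
USER = "cn=Chris Shenton-1," + SUFFIX

# The userPassword ACL from the post as (who, level) pairs, in the order
# written; slapd applies the first clause that matches and stops ("(stop)").
USERPASSWORD_ACL = [
    ("dn=" + MANAGER, "write"),
    ("dn=" + QMAIL, "read"),
    ("self", "write"),
    ("*", "auth"),
]


def normalize(dn):
    """Compare DNs case-insensitively, ignoring spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def who_matches(who, requester_dn, target_dn):
    """Does one 'by <who>' clause match this requester for this entry?"""
    if who == "*":
        return True
    if who == "self":  # an unauthenticated requester is never "self"
        return requester_dn != "" and normalize(requester_dn) == normalize(target_dn)
    if who.startswith("dn="):
        return requester_dn != "" and normalize(who[3:]) == normalize(requester_dn)
    raise ValueError("unsupported who clause: " + who)


def granted_level(acl, requester_dn, target_dn):
    """Level granted by the first matching clause, or 'none'."""
    for who, level in acl:
        if who_matches(who, requester_dn, target_dn):
            return level
    return "none"


def allowed(acl, requester_dn, target_dn, needed):
    return LEVELS.index(granted_level(acl, requester_dn, target_dn)) >= LEVELS.index(needed)


# The bind in the trace: requester "" needs "auth" on USER's userPassword.
BIND_LEVEL = granted_level(USERPASSWORD_ACL, "", USER)  # "auth", as logged
```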