Re: [Courier-imap] advanced courier ldap auth problem solved
Sam Varshavchik wrote:
> Jax writes:
>
>> Sam Varshavchik wrote:
>>> Jax writes:
>>>
>>>> Brian Candler wrote:
>>>>> On Tue, Apr 03, 2007 at 01:23:58AM +0200, Jax wrote:
>>>>>
>>>> authdaemon: starting client module
>>>> authdaemon: REJECT
>>>> authdaemon: REJECT
>>>>
>>> Turn up debugging. Set DEBUG_LOGIN=2 in authdaemonrc.
>>>
>>
>> Well the only problem was that DEBUG_LOGIN=2 is not uppercase but
>> lowercase. Now I see what cause the problem:
>>
>> Sep 18 06:03:18 Slider authdaemond.ldap: received auth request,
>> service=imap, authtype=login
>> Sep 18 06:03:18 Slider authdaemond.ldap: authldap: trying this module
>> Sep 18 06:03:18 Slider authdaemond.ldap: using search filter:
>> (&(objectClass=CourierMailAccount)([EMAIL PROTECTED]))
>> Sep 18 06:03:19 Slider authdaemond.ldap: one entry returned, DN:
>> cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
>> Sep 18 06:03:19 Slider authdaemond.ldap: raw ldap entry returned:
>> Sep 18 06:03:19 Slider authdaemond.ldap: | mail: [EMAIL PROTECTED]
>> Sep 18 06:03:19 Slider authdaemond.ldap: | cn: john
>> Sep 18 06:03:19 Slider authdaemond.ldap: | homeDirectory:
>> /home/users/user1
>> Sep 18 06:03:19 Slider authdaemond.ldap: | userPassword:
>> {MD5}Tlu66vyCq3qhOFvqjvXTCg==
>> Sep 18 06:03:19 Slider authdaemond.ldap: authldaplib:
>> [EMAIL PROTECTED], sysuserid=1017, sysgroupid=1017,
>> homedir=/home/users/user1, [EMAIL PROTECTED], fullname=john,
>> maildir=, quota=, options=
>> Sep 18 06:03:19 Slider authdaemond.ldap: authldaplib:
>> clearpasswd=, passwd={MD5}Tlu66vyCq3qhOFvqjvXTCg==
>> Sep 18 06:03:19 Slider authdaemond.ldap: rebinding with DN
>> 'cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan' to validate
>> password
>> Sep 18 06:03:19 Slider authdaemond.ldap: authentication bind failed,
>> invalid credentials
>> Sep 18 06:03:19 Slider authdaemond.ldap: authldap: REJECT - try next
>> module
>> Sep 18 06:03:19 Slider authdaemond.ldap: FAIL, all modules rejected
>>
>> It tries to rebind the connection using the john credential, but
>> everyone has read permission to everything atm. So do I need to give
>> any other specific privilege for someone to "log in" to ldap?! I
>> already added the posixuser attribute to it.
>
> You do not need an authenticated bind in this configuration. Remove
> LDAP_AUTHBIND.
>
>
Thank you very much. Now finally works :-)

Regards,
Jax

-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
___
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
Re: [Courier-imap] advanced courier ldap auth problem almost solved
Jax writes:

> Sam Varshavchik wrote:
>> Jax writes:
>>
>>> Brian Candler wrote:
>>>> On Tue, Apr 03, 2007 at 01:23:58AM +0200, Jax wrote:
>>>>
>>> authdaemon: starting client module
>>> authdaemon: REJECT
>>> authdaemon: REJECT
>>>
>> Turn up debugging. Set DEBUG_LOGIN=2 in authdaemonrc.
>>
> Well the only problem was that DEBUG_LOGIN=2 is not uppercase but
> lowercase. Now I see what cause the problem:
>
> Sep 18 06:03:18 Slider authdaemond.ldap: received auth request, service=imap, authtype=login
> Sep 18 06:03:18 Slider authdaemond.ldap: authldap: trying this module
> Sep 18 06:03:18 Slider authdaemond.ldap: using search filter: (&(objectClass=CourierMailAccount)([EMAIL PROTECTED]))
> Sep 18 06:03:19 Slider authdaemond.ldap: one entry returned, DN: cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
> Sep 18 06:03:19 Slider authdaemond.ldap: raw ldap entry returned:
> Sep 18 06:03:19 Slider authdaemond.ldap: | mail: [EMAIL PROTECTED]
> Sep 18 06:03:19 Slider authdaemond.ldap: | cn: john
> Sep 18 06:03:19 Slider authdaemond.ldap: | homeDirectory: /home/users/user1
> Sep 18 06:03:19 Slider authdaemond.ldap: | userPassword: {MD5}Tlu66vyCq3qhOFvqjvXTCg==
> Sep 18 06:03:19 Slider authdaemond.ldap: authldaplib: [EMAIL PROTECTED], sysuserid=1017, sysgroupid=1017, homedir=/home/users/user1, [EMAIL PROTECTED], fullname=john, maildir=, quota=, options=
> Sep 18 06:03:19 Slider authdaemond.ldap: authldaplib: clearpasswd=, passwd={MD5}Tlu66vyCq3qhOFvqjvXTCg==
> Sep 18 06:03:19 Slider authdaemond.ldap: rebinding with DN 'cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan' to validate password
> Sep 18 06:03:19 Slider authdaemond.ldap: authentication bind failed, invalid credentials
> Sep 18 06:03:19 Slider authdaemond.ldap: authldap: REJECT - try next module
> Sep 18 06:03:19 Slider authdaemond.ldap: FAIL, all modules rejected
>
> It tries to rebind the connection using the john credential, but
> everyone has read permission to everything atm. So do I need to give
> any other specific privilege for someone to "log in" to ldap?!
> I already added the posixuser attribute to it.

You do not need an authenticated bind in this configuration. Remove
LDAP_AUTHBIND.
Re: [Courier-imap] advanced courier ldap auth problem almost solved
Sam Varshavchik wrote:
> Jax writes:
>
>> Brian Candler wrote:
>>> On Tue, Apr 03, 2007 at 01:23:58AM +0200, Jax wrote:
>>>
>> authdaemon: starting client module
>> authdaemon: REJECT
>> authdaemon: REJECT
>>
> Turn up debugging. Set DEBUG_LOGIN=2 in authdaemonrc.
>
Well the only problem was that DEBUG_LOGIN=2 is not uppercase but
lowercase. Now I see what cause the problem:

Sep 18 06:03:18 Slider authdaemond.ldap: received auth request, service=imap, authtype=login
Sep 18 06:03:18 Slider authdaemond.ldap: authldap: trying this module
Sep 18 06:03:18 Slider authdaemond.ldap: using search filter: (&(objectClass=CourierMailAccount)([EMAIL PROTECTED]))
Sep 18 06:03:19 Slider authdaemond.ldap: one entry returned, DN: cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
Sep 18 06:03:19 Slider authdaemond.ldap: raw ldap entry returned:
Sep 18 06:03:19 Slider authdaemond.ldap: | mail: [EMAIL PROTECTED]
Sep 18 06:03:19 Slider authdaemond.ldap: | cn: john
Sep 18 06:03:19 Slider authdaemond.ldap: | homeDirectory: /home/users/user1
Sep 18 06:03:19 Slider authdaemond.ldap: | userPassword: {MD5}Tlu66vyCq3qhOFvqjvXTCg==
Sep 18 06:03:19 Slider authdaemond.ldap: authldaplib: [EMAIL PROTECTED], sysuserid=1017, sysgroupid=1017, homedir=/home/users/user1, [EMAIL PROTECTED], fullname=john, maildir=, quota=, options=
Sep 18 06:03:19 Slider authdaemond.ldap: authldaplib: clearpasswd=, passwd={MD5}Tlu66vyCq3qhOFvqjvXTCg==
Sep 18 06:03:19 Slider authdaemond.ldap: rebinding with DN 'cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan' to validate password
Sep 18 06:03:19 Slider authdaemond.ldap: authentication bind failed, invalid credentials
Sep 18 06:03:19 Slider authdaemond.ldap: authldap: REJECT - try next module
Sep 18 06:03:19 Slider authdaemond.ldap: FAIL, all modules rejected

It tries to rebind the connection using the john credential, but
everyone has read permission to everything atm. So do I need to give
any other specific privilege for someone to "log in" to ldap?!
I already added the posixuser attribute to it.

Regards,
Jax
Re: [Courier-imap] advanced courier ldap auth problem
> On Fri, Apr 06, 2007 at 04:50:24AM +0200, Jax wrote:
> > But at this point it gets more interesting because I installed courier
> > ldap on an other ubuntu machine (up2date in vmware) for testing and I
> > got exactly the same error which means that I must have some problem
> > with the LDAP schema so I did a dump. Here is my john user what I
> > created for test:
>
> And can you paste the complete debug output from authdaemond when this
> particular person tries to login?

Also, please show the debug output from when authdaemond starts up (which
will show which modules have been loaded)

> The userPassword decodes to {MD5}Tlu66vyCq3qhOFvqjvXTCg==
>
> which base-64 decodes to 16 bytes:
> 4e5bbaeafc82ab7aa1385bea8ef5d30a
>
> Using google as a password cracker suggests that the password is "intel"
>
> $ echo -n "intel" | md5sum
> 4e5bbaeafc82ab7aa1385bea8ef5d30a  -

Which also demonstrates how insecure unsalted MD5 passwords are :-)

Regards,

Brian.
Re: [Courier-imap] advanced courier ldap auth problem
On Fri, Apr 06, 2007 at 04:50:24AM +0200, Jax wrote:
> But at this point it gets more interesting because I installed courier
> ldap on an other ubuntu machine (up2date in vmware) for testing and I
> got exactly the same error which means that I must have some problem
> with the LDAP schema so I did a dump. Here is my john user what I
> created for test:

And can you paste the complete debug output from authdaemond when this
particular person tries to login?

> dn: cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
> uid: [EMAIL PROTECTED]
> mail: [EMAIL PROTECTED]
> sn: john
> cn: john
> uidNumber: 1005
> gidNumber: 102
> homeDirectory: /home/users/user1
> userPassword:: e01ENX1UbHU2NnZ5Q3EzcWhPRnZxanZYVENnPT0=
> objectClass: inetOrgPerson
> objectClass: CourierMailAccount
> objectClass: top
> structuralObjectClass: inetOrgPerson
> entryUUID: 393153d0-7599-102b-9e73-b993dfe12554
> creatorsName: cn=admin,dc=logonserver,dc=lan
> createTimestamp: 20070402190802Z
> entryCSN: 20070402190802Z#00#00#00
> modifiersName: cn=admin,dc=logonserver,dc=lan
> modifyTimestamp: 20070402190802Z

The userPassword decodes to {MD5}Tlu66vyCq3qhOFvqjvXTCg==

which base-64 decodes to 16 bytes:
4e5bbaeafc82ab7aa1385bea8ef5d30a

Using google as a password cracker suggests that the password is "intel"

$ echo -n "intel" | md5sum
4e5bbaeafc82ab7aa1385bea8ef5d30a  -

OK. Now, that looks reasonable to me as an MD5 hash. Are you using
LDAP_AUTHBIND 1 (which means the LDAP server checks the password) or 0
(which means courier-authdaemon does)?

Checking the courier-authlib source: a password which starts {MD5} is
checked using md5_hash_courier, which checks {MD5} followed by a
base64-encoded MD5 hash of the password, so this should be OK. But I'm not
sure what format openldap expects for {MD5} passwords.

But without the debug dump, there are all sorts of other places where LDAP
authentication could fail.

Regards,

Brian.
Re: [Courier-imap] advanced courier ldap auth problem
Jax writes:

> Brian Candler wrote:
>> On Tue, Apr 03, 2007 at 01:23:58AM +0200, Jax wrote:
>>>>> authdaemon: starting client module
>>>>> authdaemon: REJECT
>>>>> authdaemon: REJECT
>>>> Turn up debugging. Set DEBUG_LOGIN=2 in authdaemonrc.
>>> Does not help too much. Btw this login debugging sounds familiar from
>>> the imapd config DEBUG_LOGIN=2 is there not in this file and I already
>>> set it to 2.
>> No, logging from the imap daemon and logging from authdaemond are two
>> different things.
>
> Oh sorry I didn't mean I don't trust you so I already put debug_login to
> the authrc :)

You also need to restart it -- bottom line, the output you showed is _NOT_
the output you should get if you set the debug flag properly.

> got exactly the same error which means that I must have some problem
> with the LDAP schema so I did a dump. Here is my john user what I
> created for test:
>
> dn: cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
> uid: [EMAIL PROTECTED]
> mail: [EMAIL PROTECTED]
> sn: john
> cn: john
> uidNumber: 1005
> gidNumber: 102
> homeDirectory: /home/users/user1
> userPassword:: e01ENX1UbHU2NnZ5Q3EzcWhPRnZxanZYVENnPT0=

Couple of things:

1. Better make sure that /home/users/user1/Maildir exists, since
$HOME/Maildir is the default.

2. If I recall LDIF format correctly, the double-colon means that the actual
value stored in the LDAP record is the base64-decoded value of what you see.
Base64-decoding that thing gives me:

{MD5}Tlu66vyCq3qhOFvqjvXTCg==

This looks reasonable, provided that in authldaprc you have LDAP_CRYPTPW
set. Now, all you have to do is take the password you think is the right
password, compute its binary MD5 hash, base64-encode it, and see if it
matches the above.

Whether or not this is the case, you should be able to tell if you set the
debug option properly.
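Added example (not part of the original messages, and not courier-authlib or OpenLDAP code): the check described above, together with the decoding Brian Candler walks through in his earlier reply, written out in Python. It goes beyond the thread by also handling the salted {SSHA} scheme Jax mentions trying, for contrast with unsalted {MD5}; the function names are made up for this example, and the {SSHA} layout assumed is base64(SHA1(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os

# Constructed from the thread: the userPassword line of the LDIF dump Jax posted.
LDIF_LINE = "userPassword:: e01ENX1UbHU2NnZ5Q3EzcWhPRnZxanZYVENnPT0="


def ldif_value(line):
    """Return the stored value of one LDIF attribute line as bytes.

    'attr:: x' means x is the base64 encoding of the stored value,
    'attr: x' means x is the value itself.
    """
    attr, sep, rest = line.partition(":")
    if not sep or not attr:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip(), validate=True)
    return rest.strip().encode()


def split_scheme(stored):
    """Split b'{MD5}Tlu6...' into ('MD5', b'Tlu6...')."""
    if not stored.startswith(b"{") or b"}" not in stored:
        raise ValueError("no {SCHEME} prefix")
    scheme, _, payload = stored[1:].partition(b"}")
    return scheme.decode("ascii").upper(), payload


def make_md5(password):
    """{MD5} value: base64 of the raw 16-byte digest, with no salt."""
    digest = hashlib.md5(password.encode()).digest()
    return b"{MD5}" + base64.b64encode(digest)


def make_ssha(password, salt=None):
    """{SSHA} value: base64 of SHA1(password + salt) followed by the salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify(stored, candidate):
    """Check a candidate password against a {MD5} or {SSHA} stored value."""
    scheme, payload = split_scheme(stored)
    raw = base64.b64decode(payload, validate=True)
    pw = candidate.encode()
    if scheme == "MD5":
        if len(raw) != 16:
            raise ValueError("MD5 digest must be 16 bytes")
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SSHA":
        if len(raw) <= 20:
            raise ValueError("SSHA value carries no salt")
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme: " + scheme)


if __name__ == "__main__":
    stored = ldif_value(LDIF_LINE)
    print(stored.decode())                                  # value held in LDAP
    print(base64.b64decode(split_scheme(stored)[1]).hex())  # raw digest as hex
    print("candidate matches:", verify(stored, "intel"))
    # Unsalted: the same password always yields the same stored value.
    print("{MD5} repeatable:", make_md5("intel") == make_md5("intel"))
    # Salted: two entries with the same password do not share a value.
    print("{SSHA} repeatable:", make_ssha("intel") == make_ssha("intel"))
```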
Re: [Courier-imap] advanced courier ldap auth problem
Brian Candler wrote:
> On Tue, Apr 03, 2007 at 01:23:58AM +0200, Jax wrote:
>>>> authdaemon: starting client module
>>>> authdaemon: REJECT
>>>> authdaemon: REJECT
>>> Turn up debugging. Set DEBUG_LOGIN=2 in authdaemonrc.
>>>
>>>
>> Does not help too much. Btw this login debugging sounds familiar from
>> the imapd config DEBUG_LOGIN=2 is there not in this file and I already
>> set it to 2.
>>
>
> No, logging from the imap daemon and logging from authdaemond are two
> different things.
>
>
Oh sorry I didn't mean I don't trust you so I already put debug_login to
the authrc :)

But at this point it gets more interesting because I installed courier
ldap on an other ubuntu machine (up2date in vmware) for testing and I got
exactly the same error which means that I must have some problem with the
LDAP schema so I did a dump. Here is my john user what I created for test:

dn: cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
uid: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
sn: john
cn: john
uidNumber: 1005
gidNumber: 102
homeDirectory: /home/users/user1
userPassword:: e01ENX1UbHU2NnZ5Q3EzcWhPRnZxanZYVENnPT0=
objectClass: inetOrgPerson
objectClass: CourierMailAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: 393153d0-7599-102b-9e73-b993dfe12554
creatorsName: cn=admin,dc=logonserver,dc=lan
createTimestamp: 20070402190802Z
entryCSN: 20070402190802Z#00#00#00
modifiersName: cn=admin,dc=logonserver,dc=lan
modifyTimestamp: 20070402190802Z

> See http://www.courier-mta.org/authlib/README.authdebug.html
> which gives some examples of the enhanced debugging you can expect to see.
>
>
Jax
Re: [Courier-imap] advanced courier ldap auth problem
On Tue, Apr 03, 2007 at 01:23:58AM +0200, Jax wrote:
> >>authdaemon: starting client module
> >>authdaemon: REJECT
> >>authdaemon: REJECT
> >
> >Turn up debugging. Set DEBUG_LOGIN=2 in authdaemonrc.
> >
> Does not help too much. Btw this login debugging sounds familiar from
> the imapd config DEBUG_LOGIN=2 is there not in this file and I already
> set it to 2.

No, logging from the imap daemon and logging from authdaemond are two
different things.

See http://www.courier-mta.org/authlib/README.authdebug.html
which gives some examples of the enhanced debugging you can expect to see.
Re: [Courier-imap] advanced courier ldap auth problem
Sam Varshavchik wrote:
> Jax writes:
>
>
>>> Give one example of a password, exactly as it's set in LDAP.
>>>
>>>
>> Ok so here is my new user ( password: intel )
>>
>> Create Object : cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
>> uid [EMAIL PROTECTED]
>> mail [EMAIL PROTECTED]
>> sn john
>> cn john
>> gidNumber 102
>> homeDirectory /home/users/user1
>> userPassword {MD5}Tlu66vyCq3qhOFvqjvXTCg==
>
> Haven't calculated the hash myself, but this sounds more or less right.
>
In PhpLDAPadmin there is a cool option for this so you can check the hash
easily if it's bind to a string.
>>
>> Log from the courier-imap server:
>>
>> authdaemon: starting client module
>> authdaemon: REJECT
>> authdaemon: REJECT
>
> Turn up debugging. Set DEBUG_LOGIN=2 in authdaemonrc.
>
Does not help too much. Btw this login debugging sounds familiar from the
imapd config DEBUG_LOGIN=2 is there not in this file and I already set it
to 2.

imaplogin: LOGIN: DEBUG: ip=[:::192.xx], command=LOGIN
imaplogin: LOGIN: DEBUG: ip=[:::192.xx], [EMAIL PROTECTED]
imaplogin: LOGIN: DEBUG: ip=[:::192.xx], password=intel
imaplogin: authdaemon: starting client module
imaplogin: authdaemon: REJECT

Regards,
Jax
Re: [Courier-imap] advanced courier ldap auth problem
Jax writes:

>> Give one example of a password, exactly as it's set in LDAP.
>
> Ok so here is my new user ( password: intel )
>
> Create Object : cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
> uid [EMAIL PROTECTED]
> mail [EMAIL PROTECTED]
> sn john
> cn john
> gidNumber 102
> homeDirectory /home/users/user1
> userPassword {MD5}Tlu66vyCq3qhOFvqjvXTCg==

Haven't calculated the hash myself, but this sounds more or less right.

> Log from the courier-imap server:
>
> authdaemon: starting client module
> authdaemon: REJECT
> authdaemon: REJECT

Turn up debugging. Set DEBUG_LOGIN=2 in authdaemonrc.
Re: [Courier-imap] advanced courier ldap auth problem
Christian Rost wrote:
>> >courierauthtest [EMAIL PROTECTED]
>>
>> Trying authdaemon...
>> Authenticated: module authdaemon
>> Home directory: /home/users/user1
>> UID/GID: 1017/1017
>> [EMAIL PROTECTED]
>> AUTHFULLNAME=john
>> OPTIONS=
>>
>> But when I try with password
>>
>> >courierauthtest [EMAIL PROTECTED] intel
>>
Hi!
> O.K., authdaemon connects to your LDAP-Server and courierauthtest gets
> some informations for the user, but what about LDAP-ACLs?
>
> Do you have an ACL where you can access [userspasswd] anonymously for
> auth?
>
Yes I told you this is not an ldap authentication error, that would be
obvious. What I use in authldaprc is an unlimited administrator account for
the whole DN so no way that it can't access to anything. I thought that
courierldaprc use the credentials from the authldaprc file but this does
not change the fact because I do parallel testing with telnet all time.
> Do you use LDAP to authenticate other services?
>
Yes for apache2 and for cacti and other web services.
> Cheers,
>
> Christian
>
Regards,
Jax
Re: [Courier-imap] advanced courier ldap auth problem
> >courierauthtest [EMAIL PROTECTED]
>
> Trying authdaemon...
> Authenticated: module authdaemon
> Home directory: /home/users/user1
> UID/GID: 1017/1017
> [EMAIL PROTECTED]
> AUTHFULLNAME=john
> OPTIONS=
>
> But when I try with password
>
> >courierauthtest [EMAIL PROTECTED] intel
>

O.K., authdaemon connects to your LDAP-Server and courierauthtest gets some
informations for the user, but what about LDAP-ACLs?

Do you have an ACL where you can access [userspasswd] anonymously for auth?

Do you use LDAP to authenticate other services?

Cheers,

Christian

--
===
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4
44534 Lünen
fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de
Re: [Courier-imap] advanced courier ldap auth problem
Sam Varshavchik wrote:
> Jax writes:
>
>> ...servers, dn pass, blah all good...
>> ...
>> LDAP_AUTHBIND 1
>> LDAP_MAIL mail
>> LDAP_FILTER
>> LDAP_GLOB_UID fv
>> LDAP_GLOB_GID fv
>
> GLOB_UID and GLOB_GID must be numeric values.
>
>> LDAP_HOMEDIR homeDirectory
>> LDAP_MAILDIR mailbox
>> LDAP_FULLNAME cn
>> LDAP_CRYPTPW userPassword
>> LDAP_DEREF never
>> LDAP_TLS 0
>>
>> I use mail for auth the users because I did it in my old userdb
>> config so it will be easier to migrate to ldap.
>> Anyone know what's the problem with this?
>> The only one problem here is the password auth, yes I tried all md5
>> crypt ssha sha clear etc..
>
> Give one example of a password, exactly as it's set in LDAP.
>
>
Ok so here is my new user ( password: intel )

Create Object : cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
uid [EMAIL PROTECTED]
mail [EMAIL PROTECTED]
sn john
cn john
gidNumber 102
homeDirectory /home/users/user1
userPassword {MD5}Tlu66vyCq3qhOFvqjvXTCg==
uidNumber (Auto evaluated on submission.)

>courierauthtest [EMAIL PROTECTED]

Trying authdaemon...
Authenticated: module authdaemon
Home directory: /home/users/user1
UID/GID: 1017/1017
[EMAIL PROTECTED]
AUTHFULLNAME=john
OPTIONS=

But when I try with password

>courierauthtest [EMAIL PROTECTED] intel

Trying authdaemon...
Authentication FAILED!

The log from the ldap server:

==> bdb_bind: dn: cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
send_ldap_result: err=49 matched="" text=""
connection_get(20)
connection_get(20)
connection_read(20): no connection!
connection_get(20)
==> bdb_bind: dn: cn=admin,dc=logonserver,dc=lan
send_ldap_result: err=0 matched="" text=""
connection_get(20)
SRCH "ou=Courier, ou=Services, dc=logonserver, dc=lan" 2 0 0 0 0
filter: ([EMAIL PROTECTED])
attrs: homeDirectory mailbox cn userPassword mail
bdb_idl_fetch_key: @ou=courier,ou=services,dc=logonserver,dc=lan
bdb_idl_fetch_key: [b49d1940]
<= bdb_equality_candidates: (mail) index_param failed (18)
send_ldap_result: err=0 matched="" text=""
connection_get(21)
==> bdb_bind: dn: cn=john,ou=Courier,ou=Services,dc=logonserver,dc=lan
send_ldap_result: err=49 matched="" text=""
connection_get(21)
connection_get(21)
connection_read(21): no connection!

Log from the courier-imap server:

authdaemon: starting client module
authdaemon: REJECT
authdaemon: REJECT

When I stop the authdaemond and start the ldap auth daemon then I get

authdaemond.ldap: restarting authdaemond children
authdaemond.ldap: modules="authldap", daemons=10

but I still can't login.

Regards,
Jax
Re: [Courier-imap] advanced courier ldap auth problem
Jax writes:

> ...servers, dn pass, blah all good...
> ...
> LDAP_AUTHBIND 1
> LDAP_MAIL mail
> LDAP_FILTER
> LDAP_GLOB_UID fv
> LDAP_GLOB_GID fv

GLOB_UID and GLOB_GID must be numeric values.

> LDAP_HOMEDIR homeDirectory
> LDAP_MAILDIR mailbox
> LDAP_FULLNAME cn
> LDAP_CRYPTPW userPassword
> LDAP_DEREF never
> LDAP_TLS 0
>
> I use mail for auth the users because I did it in my old userdb
> config so it will be easier to migrate to ldap.
> Anyone know what's the problem with this?
> The only one problem here is the password auth, yes I tried all md5
> crypt ssha sha clear etc..

Give one example of a password, exactly as it's set in LDAP.