Re: Courier IMAP authldap with OpenLDAP

2002-04-12 Thread Germán Gutierrez

Thedore Knab wrote:
> I was wondering if anyone is successfully running openldap from the
> debian packages with Courier IMAP's LDAP module for authentication.

I'm currently using it in my test box.

(..)
> I am using the woody packages for Courier IMAP and Open-LDAP.
>
> ii  courier-authda 0.37.3-1   Courier Mail Server authentication
> ii  courier-base   0.37.3-1   Courier Mail Server Base System
> ii  courier-debug  0.37.3-1   Debugging Tools for Courier Mail
> ii  courier-doc    0.37.3-1   Documentation for the Courier Mail
> ii  courier-imap   1.4.3-1    IMAP daemon with PAM and Maildir
> ii  courier-ldap   0.37.3-1   LDAP support for Courier Mail Server
> ii  maildrop       1.3.7-2    mail delivery agent with filtering

I'm using woody and sid for the testing (there are two boxes, in fact, one
at work, and the other one at home).

(..)
> I noticed something in the authldaprc file about openldap having
> memory leaks. Does anyone have any info on this ?

It looks like ITS #1116 is closed.

(..)
> # OpenLDAP that affect this option, see ITS #1116 in openldap.org's bug
> # tracker.  Avoid using this option until these leaks are plugged.
> #
> # LDAP_AUTHBIND 1

I'm using this option.

(..)
> LDAP_GLOB_UID   vmail
> LDAP_GLOB_GID   vmail

Does $HOME/Maildir belong to this UID/GID?
(..)
> My ldap info follows the example in the /usr/doc/courier-ldap package
>
> dn: [EMAIL PROTECTED],ou=mailaccounts,dc=washcoll,dc=edu
> objectclass: couriermailaccount
> mail: [EMAIL PROTECTED]
> mail: useradmin2
> cn: mail user admin
> uidNumber: 1001
> gidNumber: 1001
> homedirectory: /home/staff/useradmin2
> quota: 10M
> clearpassword: useradmin2
> description: courier user admin no shell account

Why are you using uidNumber/gidNumber attributes? In that case
you should use LDAP_UID and LDAP_GID instead of the globals.
(..)

You should try some sniffing to see the ldap auth working. I
use it to do my debugging. (ethereal rulez x))

-- 
Regards,
  Germán







Re: Courier IMAP authldap with OpenLDAP

2002-04-12 Thread Thedore Knab

Thanks for your reply. :-)

It appears that courier needs to have 2 entries for Maildir.

LDAP_MAILDIR homeDirectory
LDAP_HOMEDIR homeDirectory

> Why are you using uidNumber/gidNumber attributes? In that case
> you should use LDAP_UID and LDAP_GID instead of the globals

I thought I needed them. I will try and take them out.


-
I feel naked outside of Vim.
-
Ted Knab






Re: Courier IMAP authldap with OpenLDAP

2002-04-12 Thread Germán Gutierrez

Thedore Knab wrote:
> Thanks for your reply. :-)
>
> It appears that courier needs to have 2 entries for Maildir.
>
> LDAP_MAILDIR homeDirectory
> LDAP_HOMEDIR homeDirectory

Not exactly, if you omit the LDAP_MAILDIR attr, authdaemon will assume
$HOME/Maildir.


> > Why are you using uidNumber/gidNumber attributes? In that case
> > you should use LDAP_UID and LDAP_GID instead of the globals
>
> I thought I needed them. I will try and take them out.
>
>
> -
> I feel naked outside of Vim.
> -
Me too;)

-- 
Regards,
  Germán
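
The checks discussed in this thread (the "field[spaces|tabs]value" format with no trailing spaces, the warning against a world-readable file holding the bind password, the LDAP_GLOB_UID/LDAP_GLOB_GID versus uidNumber/gidNumber mismatch, and the $HOME/Maildir default) can be run as a small lint. This is an added example, not code from the thread or from Courier; parse_authldaprc, lint and run_sample are hypothetical names and the sample config and entry are constructed.

```python
import os
import stat
import tempfile

# Constructed sample modelled on the thread's settings; the password is a placeholder.
SAMPLE_RC = ("LDAP_BINDPW\tPLACEHOLDER \n"   # trailing space on purpose
             "LDAP_GLOB_UID\tvmail\nLDAP_GLOB_GID\tvmail\n"
             "LDAP_HOMEDIR\thomeDirectory\n#LDAP_MAILDIR\tmailDir\n")
SAMPLE_ENTRY = {"mail": "useradmin2", "uidNumber": "1001", "gidNumber": "1001",
                "homeDirectory": "/home/staff/useradmin2"}

def parse_authldaprc(text):
    """Parse 'field[spaces|tabs]value' lines into (settings, problems)."""
    settings, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace")
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append(f"line {n}: no value for {parts[0]}")
            continue
        settings[parts[0]] = parts[1].rstrip()
    return settings, problems

def lint(path, entry):
    """Return (problems, maildir); maildir falls back to Maildir under the home directory."""
    with open(path) as fh:
        settings, problems = parse_authldaprc(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if "LDAP_BINDPW" in settings and mode & stat.S_IROTH:
        problems.append(f"mode {mode:o}: world-readable file holds LDAP_BINDPW")
    attrs = {k.lower(): v for k, v in entry.items()}
    for glob, per_user, attr in (("LDAP_GLOB_UID", "LDAP_UID", "uidnumber"),
                                 ("LDAP_GLOB_GID", "LDAP_GID", "gidnumber")):
        if glob in settings and attr in attrs:
            problems.append(f"{glob} set while entry has {attr}; use {per_user} or drop it")
    home = attrs.get(settings.get("LDAP_HOMEDIR", "").lower())
    if home is None:
        return problems + ["entry lacks the LDAP_HOMEDIR attribute"], None
    maildir = attrs.get(settings.get("LDAP_MAILDIR", "").lower()) or os.path.join(home, "Maildir")
    return problems, maildir

def run_sample(mode=0o644):
    with tempfile.NamedTemporaryFile("w") as fh:   # file is removed on exit
        fh.write(SAMPLE_RC)
        fh.flush()
        os.chmod(fh.name, mode)
        return lint(fh.name, SAMPLE_ENTRY)
```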







Courier IMAP authldap with OpenLDAP

2002-04-11 Thread Thedore Knab

I was wondering if anyone is successfully running openldap from the debian
packages with Courier IMAP's LDAP module for authentication.

I am getting strange timeouts on a remote client which is preventing successful
authentication.

I have tested logins with both Netscape and Mulberry.

Mulberry gives me a timeout on successful authentication. It gives me
an authentication error with the wrong password.

Same with Netscape.


I don't know how to get around this.

   remote client 
|
[IMAP server]---auth[LDAP Server]

I am using the woody packages for Courier IMAP and Open-LDAP.

ii  courier-authda 0.37.3-1   Courier Mail Server authentication
ii  courier-base   0.37.3-1   Courier Mail Server Base System
ii  courier-debug  0.37.3-1   Debugging Tools for Courier Mail
ii  courier-doc    0.37.3-1   Documentation for the Courier Mail
ii  courier-imap   1.4.3-1    IMAP daemon with PAM and Maildir
ii  courier-ldap   0.37.3-1   LDAP support for Courier Mail Server
ii  maildrop       1.3.7-2    mail delivery agent with filtering

The courier debugger on the server tells me that everything is working fine.
It gets all the data it should.

imap-mail:/home/ted# courierauthtest tester1 tester1
Authenticated: module authdaemon
Home directory: /home/staff/tester1
UID/GID: 1001/1001
AUTHADDR=tester1
AUTHFULLNAME=test t. tinker

I noticed something in the authldaprc file about openldap having
memory leaks. Does anyone have any info on this ?

##VERSION: $Id: authldaprc,v 1.12 2001/11/19 01:04:17 mrsam Exp $
#
# Copyright 2000-2001 Double Precision, Inc.  See COPYING for
# distribution information.
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# authldaprc created from authldaprc.dist by sysconftool
#
# DO NOT INSTALL THIS FILE with world read permissions.  This file
# might contain the LDAP admin password!
#
# This configuration file specifies LDAP authentication parameters
#
# The format of this file must be as follows:
#
# field[spaces|tabs]value
#
# That is, the name of the field, followed by spaces or tabs, followed by
# field value.  No trailing spaces.
#
# Here are the fields:

##NAME: LOCATION:0
#
# Location of your LDAP server:

#LDAP_SERVER ldap.example.com
LDAP_SERVER 209.243.37.9
LDAP_PORT   389

##NAME: LDAP_BASEDN:0
#
# Look for authentication here:

#LDAP_BASEDN o=example, c=com
LDAP_BASEDN ou=mailaccounts,dc=washcoll,dc=edu

##NAME: LDAP_BINDDN:0   
# You may or may not need to specify the following.  Because you've got
# a password here, authldaprc should not be world-readable!!!

#LDAP_BINDDN cn=administrator, o=example, c=com
LDAP_BINDDN cn=courier,dc=washcoll,dc=edu
LDAP_BINDPW couriersecret
#LDAP_BINDDN cn=admin,dc=washcoll,dc=edu
#LDAP_BINDPW secret

##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search

LDAP_TIMEOUT    10
LDAP_AUTHBIND   0
##NAME: LDAP_AUTHBIND:0
#
# Define this to have the ldap server authenticate passwords.  If LDAP_AUTHBIND
# the password is validated by rebinding with the supplied userid and password.
# If rebind succeeds, this is considered to be an authenticated request.  This
# does not support CRAM-MD5 authentication, which requires userPassword.
#
# WARNING - as of the time this note is written, there are memory leaks in
# OpenLDAP that affect this option, see ITS #1116 in openldap.org's bug
# tracker.  Avoid using this option until these leaks are plugged.
#
# LDAP_AUTHBIND 1

##NAME: LDAP_MAIL:0
#
# Here's the field on which we query

LDAP_MAIL   mail

##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly specified.
#
# LDAP_DOMAIN   example.com
LDAP_DOMAIN washcoll.edu
##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts
# The values can be usernames or userids:
#
LDAP_GLOB_UID   vmail
LDAP_GLOB_GID   vmail

##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it

LDAP_HOMEDIR    homeDirectory

##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory.  If not specified, ./Maildir will be used

#LDAP_MAILDIR   mailDir

##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
LDAP_MAILDIRQUOTA   Quota
#LDAP_MAILDIRQUOTA  maildirQuota


##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name

LDAP_FULLNAME   cn

##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password.  CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS