I feel like I am going around in circles with LDAP and SASL! This stuff is not as much fun as the travel brochure said it would be :-)

Here is what I have:
 - Fedora Core 2
 - OpenLDAP (from rpm)
    - openldap-servers-2.1.29-1
    - openldap-devel-2.1.29-1
    - openldap-clients-2.1.29-1
    - openldap-2.1.29-1
 - SASL (from rpm)
    - cyrus-sasl-devel-2.1.18-2
    - cyrus-sasl-plain-2.1.18-2
    - cyrus-sasl-2.1.18-2
    - cyrus-sasl-md5-2.1.18-2
 - Other Software (from rpm)
    - postfix-2.0.18-4
    - courier-imap-3.0.4.20040524-1.2
    - squirrelmail-1.4.2-3
    - nss_ldap-217-1

What I am doing now:
I have postfix operating on two servers, one as local delivery, and the other in a backup MX role. The PADL tools are being used to pull accounts from my LDAP server, and present them as local accounts.


# getent passwd kevin
kevin:x:999:999:Kevin Fries:/home/kevin:/bin/bash

No problem. Postfix, Courier, vsFTP, Squirrelmail, SAMBA, etc. pick up the local accounts and authenticate everyone via PAM.

Here is what I am trying to do:
I would prefer to remove the PADL libraries and have each of these programs authenticate directly against the LDAP information in a sealed system (no system accounts). I figured the first step towards this was to work over my mail and IMAP servers. Courier is causing me all kinds of headaches, and I would love to dump it for Cyrus IMAP. But in order to do that, I need to have Cyrus-SASL authenticating to my user accounts in LDAP first.


However, I cannot even get saslauthd to work correctly! When I use testsaslauthd to validate an account, here are the results:

# testsaslauthd -u kevin -p sanitized
0: NO "authentication failed"

A check of the error logs, displays:
do_auth : auth failure: [user=kevin] [service=imap] [realm=] [mech=ldap] [reason=Unknown]


"reason=Unknown", well at least the error message is clear, lol

Needless to say, the basic ldap tools don't work right without the -x (send in plain text), which I am trying to avoid.

# ldapsearch "uid=kevin"
ldap_sasl_interactive_bind_s: No such object (32)

I am not trying to get cute here. I just want OpenLDAP to store all my user data, and SASL to authenticate against it. Once that is in place, it opens a new set of options such as SMTP-AUTH for the Postfix server (hopefully against CRAM-MD5 or some other highly encrypted mechanism) and Cyrus IMAP.

But, until I can get the simple working, the more complex is simply out of the question. Can anyone point me in the right direction? Some documentation, or How-to that does not include Kerberos (yeah, found lots of those) and discusses the direction I am trying to go?

Here are my conf files:
# cat /etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=ldap
FLAGS=

# cat /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1
ldap_bind_dn: cn=manager,dc=example,dc=com
ldap_bind_ps: privledged

# cat /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/pureftpd.schema
include         /etc/openldap/schema/postfix.schema
include         /etc/openldap/schema/mozillaAbPersonObsolete.schema
include         /etc/openldap/schema/qmail.schema

defaultsearchbase "dc=example,dc=com"

access to dn=".*,dc=example,dc=com" attr=userPassword
       by dn="cn=Manager,dc=example,dc=com" write
       by self write
       by * auth

access to dn=".*,dc=example,dc=com" attr=mail
       by dn="cn=Manager,dc=example,dc=com" write
       by self write
       by * read

access to dn=".*,ou=People,dc=example,dc=com"
       by * read

access to dn=".*,dc=example,dc=com"
       by self write
       by * read

database        ldbm
dbcachesize     2000000
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          privledged
directory       /var/lib/ldap

index   objectClass              eq

index   cn                       pres,sub,eq
index   sn                       pres,sub,eq
index   uid                      pres,sub,eq
index   displayName              pres,sub,eq

index   uidNumber                eq
index   gidNumber                eq
index   memberUid                eq

index   sambaSID                 eq
index   sambaPrimaryGroupSID     eq
index   sambaDomainName          eq
index   default                  sub

index   mailAlternateAddress     eq
index   mail                     sub,eq
index   givenName                sub,eq

# cat /etc/ldap.conf
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=manager,dc=example,dc=com
scope sub
pam_filter objectclass=posixaccount
ssl no
pam_password md5

--
Kevin Fries
Network Administrator
Hydrologic Consultants, Inc of Colorado
(303) 969-8033    FAX: (303) 969-8357

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
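As an added, offline check (not from the original post, and not code from Cyrus SASL), the script below parses a saslauthd.conf in the form shown above, flags option names that are not in the documented LDAP option set, warns when the default bind method has no ldap_search_base or no service-bind password, and shows how a username must be escaped before it is substituted into the search filter. The option list is a subset of cyrus-sasl's LDAP_SASLAUTHD document and is an assumption about this 2.1.x version; the sample config is a constructed copy of the one in the post with the password replaced by a placeholder.

```python
import difflib
import re

# Subset of the LDAP options documented in cyrus-sasl's LDAP_SASLAUTHD (assumption: 2.1.x names).
KNOWN_OPTIONS = {
    "ldap_servers", "ldap_bind_dn", "ldap_bind_pw", "ldap_password", "ldap_auth_method",
    "ldap_search_base", "ldap_filter", "ldap_scope", "ldap_version", "ldap_start_tls",
    "ldap_tls_check_peer", "ldap_tls_cacert_file", "ldap_timeout", "ldap_deref", "ldap_referrals",
    "ldap_mech", "ldap_realm", "ldap_default_realm", "ldap_default_domain", "ldap_password_attr",
}

# Constructed copy of the saslauthd.conf from the post; the password is a placeholder.
SAMPLE_CONF = """\
ldap_servers: ldap://127.0.0.1
ldap_bind_dn: cn=manager,dc=example,dc=com
ldap_bind_ps: <placeholder-password>
"""

def parse_conf(text):
    """Parse 'key: value' lines; '#' comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def check_conf(cfg):
    """Return the findings a reviewer would raise before reaching for testsaslauthd."""
    findings = []
    for key in cfg:
        if key not in KNOWN_OPTIONS:
            hint = difflib.get_close_matches(key, KNOWN_OPTIONS, n=1)
            findings.append(f"unknown option '{key}'" + (f", did you mean '{hint[0]}'?" if hint else ""))
    # The default auth method is 'bind': search for the user, then bind as the DN that was found.
    if cfg.get("ldap_auth_method", "bind") == "bind" and not cfg.get("ldap_search_base"):
        findings.append("ldap_search_base is unset; the user search has no base to run under")
    if "ldap_bind_dn" in cfg and not (cfg.get("ldap_bind_pw") or cfg.get("ldap_password")):
        findings.append("ldap_bind_dn is set but no ldap_bind_pw/ldap_password; service bind will fail")
    return findings

def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the structure of the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def build_filter(cfg, username):
    """Expand %u in ldap_filter (default uid=%u) with the username escaped first."""
    flt = cfg.get("ldap_filter", "uid=%u").replace("%u", escape_filter_value(username))
    return flt if flt.startswith("(") else f"({flt})"
```

Run `check_conf(parse_conf(SAMPLE_CONF))` to see the findings for the posted config; an empty list means the options are at least spelled and structured as saslauthd expects.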
