Courier IMAP authldap with OpenLDAP
I was wondering if anyone is successfully running OpenLDAP from the Debian
packages with Courier IMAP's LDAP module for authentication.
I am getting strange timeouts on a remote client which are preventing successful
authentication.
I have tested logins with both Netscape and Mulberry.
Mulberry gives me a timeout on successful authentication. It gives me
an authentication error with the wrong password.
Same with Netscape.
I don't know how to get around this.
remote client
|
[IMAP server]---auth----[LDAP Server]
I am using the woody packages for Courier IMAP and Open-LDAP.
ii courier-authda 0.37.3-1 Courier Mail Server authentication
ii courier-base 0.37.3-1 Courier Mail Server Base System
ii courier-debug 0.37.3-1 Debugging Tools for Courier Mail
ii courier-doc 0.37.3-1 Documentation for the Courier Mail
ii courier-imap 1.4.3-1 IMAP daemon with PAM and Maildir
ii courier-ldap 0.37.3-1 LDAP support for Courier Mail Server
ii maildrop 1.3.7-2 mail delivery agent with filtering
The courier debugger on the server tells me that everything is working fine.
It gets all the data it should.
imap-mail:/home/ted# courierauthtest tester1 tester1
Authenticated: module authdaemon
Home directory: /home/staff/tester1
UID/GID: 1001/1001
AUTHADDR=tester1
AUTHFULLNAME=test t. tinker
I noticed something in the authldaprc file about OpenLDAP having
memory leaks. Does anyone have any info on this?
##VERSION: $Id: authldaprc,v 1.12 2001/11/19 01:04:17 mrsam Exp $
#
# Copyright 2000-2001 Double Precision, Inc. See COPYING for
# distribution information.
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# authldaprc created from authldaprc.dist by sysconftool
#
# DO NOT INSTALL THIS FILE with world read permissions. This file
# might contain the LDAP admin password!
#
# This configuration file specifies LDAP authentication parameters
#
# The format of this file must be as follows:
#
# field[spaces|tabs]value
#
# That is, the name of the field, followed by spaces or tabs, followed
# by field value. No trailing spaces.
#
# Here are the fields:
##NAME: LOCATION:0
#
# Location of your LDAP server:
#LDAP_SERVER ldap.example.com
LDAP_SERVER 209.243.37.9
LDAP_PORT 389
##NAME: LDAP_BASEDN:0
#
# Look for authentication here:
#LDAP_BASEDN o=example, c=com
LDAP_BASEDN ou=mailaccounts,dc=washcoll,dc=edu
##NAME: LDAP_BINDDN:0
# You may or may not need to specify the following. Because you've got
# a password here, authldaprc should not be world-readable!!!
#LDAP_BINDDN cn=administrator, o=example, c=com
LDAP_BINDDN cn=courier,dc=washcoll,dc=edu
LDAP_BINDPW couriersecret
#LDAP_BINDDN cn=admin,dc=washcoll,dc=edu
#LDAP_BINDPW secret
##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search
LDAP_TIMEOUT 10
LDAP_AUTHBIND 0
##NAME: LDAP_AUTHBIND:0
#
# Define this to have the ldap server authenticate passwords. If LDAP_AUTHBIND
# the password is validated by rebinding with the supplied userid and password.
# If rebind succeeds, this is considered to be an authenticated request. This
# does not support CRAM-MD5 authentication, which requires userPassword.
#
# WARNING - as of the time this note is written, there are memory leaks in
# OpenLDAP that affect this option, see ITS #1116 in openldap.org's bug
# tracker. Avoid using this option until these leaks are plugged.
#
# LDAP_AUTHBIND 1
##NAME: LDAP_MAIL:0
#
# Here's the field on which we query
LDAP_MAIL mail
##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly
# specified.
#
# LDAP_DOMAIN example.com
LDAP_DOMAIN washcoll.edu
##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts.
# The values can be usernames or userids:
#
LDAP_GLOB_UID vmail
LDAP_GLOB_GID vmail
##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
LDAP_HOMEDIR homeDirectory
##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory. If not specified, ./Maildir will be used
#LDAP_MAILDIR mailDir
##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
LDAP_MAILDIRQUOTA Quota
#LDAP_MAILDIRQUOTA maildirQuota
##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name
LDAP_FULLNAME cn
##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password. CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!
LDAP_CLEARPW clearPassword
LDAP_CRYPTPW userPassword
##NAME: LDAP_IDS:0
#
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids. Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
#LDAP_UID uidNumber
#LDAP_GID gidNumber
##NAME: LDAP_DEREF:0
#
# Determines how aliases are handled during a search. This option is
# available only with OpenLDAP 2.0
#
# LDAP_DEREF can be one of the following values:
# never, searching, finding, always. If not specified, aliases are
# never dereferenced.
LDAP_DEREF never
##NAME: LDAP_TLS:0
#
# Set LDAP_TLS to 1 to enable LDAP over SSL/TLS. Experimental setting.
# Requires OpenLDAP 2.0
#
LDAP_TLS 0
My ldap info follows the example in the /usr/doc/courier-ldap package
dn: mail=useradmin2@washcoll.edu,ou=mailaccounts,dc=washcoll,dc=edu
objectclass: couriermailaccount
mail: useradmin2@washcoll.edu
mail: useradmin2
cn: mail user admin
uidNumber: 1001
gidNumber: 1001
homedirectory: /home/staff/useradmin2
quota: 10M
clearpassword: useradmin2
description: courier user admin no shell account

dn: mail=tester1@washcoll.edu,ou=mailaccounts,dc=washcoll,dc=edu
objectclass: couriermailaccount
cn: test t. tinker
homedirectory: /home/staff/tester1
mail: tester1@washcoll.edu
mail: tester1
uidNumber: 1001
gidNumber: 1001
quota: 10M
clearpassword: tester1

dn: mail=t.tinker@washcoll.edu,ou=mailaccounts,dc=washcoll,dc=edu
objectclass: CourierMailAlias
mail: t.tinker@washcoll.edu
maildrop: tester1

dn: mail=test.tinker@washcoll.edu,ou=mailaccounts,dc=washcoll,dc=edu
objectclass: CourierMailAlias
mail: test.tinker@washcoll.edu
maildrop: tester1
/etc/ldap/slapd.conf
#schemas define the things that can be stored
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
#courier IMAP
include /etc/ldap/schema/authldap.schema
schemacheck on
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=washcoll, dc=edu"
rootdn "cn=admin, dc=washcoll, dc=edu"
#change when working right
rootpw secret
replogfile /var/lib/ldap/replication.log
directory /var/lib/ldap/
loglevel 4
defaultaccess read
index cn,sn,uid,mail eq
index objectClass eq
#access Control list
#prevent passwords from being displayed in the address books
access to attr=userpassword,clearpassword,ldappassword
by dn="cn=admin,dc=washcoll,dc=edu" write
by dn="cn=courier,dc=washcoll,dc=edu" read
by dn="cn=postfix,dc=washcoll,dc=edu" read
by dn="mail=useradmin2,ou=mailaccounts,dc=washcoll,dc=edu" write
by self write
by anonymous auth
by * none
access to attr=objectclass
by dn="cn=admin,dc=washcoll,dc=edu" write
by dn="cn=courier,dc=washcoll,dc=edu" read
by * none
access to dn=".*,ou=mailaccounts,dc=washcoll,dc=edu"
by dn="cn=admin,dc=washcoll,dc=edu" write
by dn="mail=useradmin2,ou=mailaccounts,dc=washcoll,dc=edu" write
by * read
access to *
by dn="cn=admin,dc=washcoll,dc=edu" write
by * read
Some logs from LDAP:
Apr 11 23:38:00 moe2 slapd[3287]: connection_get(9)
Apr 11 23:38:00 moe2 slapd[3288]: ==> ldbm_back_bind: dn: cn=courier,dc=washcoll,dc=edu
Apr 11 23:38:00 moe2 slapd[3288]: send_ldap_result: 0::
Apr 11 23:38:00 moe2 slapd[3287]: connection_get(9)
Apr 11 23:38:00 moe2 slapd[3288]: SRCH "ou=mailaccounts,dc=washcoll,dc=edu" 2 0
Apr 11 23:38:00 moe2 slapd[3288]: 0 0 0
Apr 11 23:38:00 moe2 slapd[3288]: filter: (mail=tester1@washcoll.edu)
Apr 11 23:38:00 moe2 slapd[3288]: attrs:
Apr 11 23:38:00 moe2 slapd[3288]: homeDirectory
Apr 11 23:38:00 moe2 slapd[3288]: cn
Apr 11 23:38:00 moe2 slapd[3288]: clearPassword
Apr 11 23:38:00 moe2 slapd[3288]: userPassword
Apr 11 23:38:00 moe2 slapd[3288]: mail
Apr 11 23:38:00 moe2 slapd[3288]: Quota
Apr 11 23:38:00 moe2 slapd[3288]:
Some logs from IMAP:
Apr 11 22:56:19 imap imaplogin: Connection, ip=[::ffff:192.146.226.201]
Apr 11 22:56:19 imap imaplogin: LOGIN, user=tester1, ip=[::ffff:192.146.226.201]
Apr 11 22:56:50 imap imaplogin: Connection, ip=[::ffff:192.146.226.201]
Apr 11 22:56:50 imap imaplogin: LOGIN, user=tester1, ip=[::ffff:192.146.226.201]
I was also testing with this script, but even with the client
nothing out of the ordinary is logged.
#!/usr/bin/perl
use strict;
use warnings;
use Mail::IMAPClient;

# Connect and log in; new() returns undef and sets $@ if either step fails
my $imap = Mail::IMAPClient->new(
    Server   => '192.146.226.8',
    User     => 'tester1',
    Password => 'tester1',
) or die "Cannot connect or log in: $@";

# $imap->Debug(1);   # uncomment to trace the IMAP conversation

# List every folder with its message count
my @folders = $imap->folders;
foreach my $f (@folders) {
    print "$f is a folder with ", $imap->message_count($f), " messages.\n";
}
$imap->logout;
---------------------
Ted Knab
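The authldaprc posted above uses the "field[spaces|tabs]value" format described in its header, and several of its settings (LDAP_TLS 0, a stored LDAP_BINDPW, LDAP_CLEARPW, LDAP_AUTHBIND not enabled) decide where credentials travel and are stored. The following is an added example, not part of the post or of Courier: a small parser for that format plus an audit of those settings, run over a constructed sample that mirrors the posted file (host, DN and password values are made up).

```python
import re
from typing import Dict, List

# Constructed sample in authldaprc's "field[spaces|tabs]value" format,
# modelled on the settings in the post above (values are invented).
SAMPLE_AUTHLDAPRC = """\
##VERSION: sample
# Location of your LDAP server:
LDAP_SERVER\t192.0.2.10
LDAP_PORT 389
LDAP_BINDDN cn=courier,dc=example,dc=edu
LDAP_BINDPW couriersecret
LDAP_TIMEOUT 10
LDAP_AUTHBIND 0
# LDAP_AUTHBIND 1
LDAP_CLEARPW clearPassword
LDAP_CRYPTPW userPassword
LDAP_TLS 0
"""

def parse_authldaprc(text: str) -> Dict[str, str]:
    """Parse authldaprc: lines starting with '#' (including the '##' upgrade
    markers) are comments; a setting is a field name, then spaces or tabs,
    then the value. A later duplicate of a field overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t]+", line, maxsplit=1)
        settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings

def audit_authldaprc(settings: Dict[str, str]) -> List[str]:
    """Flag settings that expose credentials in this deployment pattern."""
    findings: List[str] = []
    if settings.get("LDAP_TLS", "0") != "1":
        if "LDAP_BINDPW" in settings:
            findings.append("LDAP_BINDPW is sent in clear: LDAP_TLS is not 1")
        if "LDAP_CLEARPW" in settings:
            findings.append("clear-text passwords are fetched over plain LDAP")
    if "LDAP_CLEARPW" in settings:
        findings.append("LDAP_CLEARPW: plaintext passwords stored in the directory")
    if settings.get("LDAP_AUTHBIND", "0") != "1":
        findings.append("LDAP_AUTHBIND not 1: bind DN must be able to read password attributes")
    return findings
```

The TLS and AUTHBIND findings map directly onto the slapd.conf ACL in the post, which has to grant cn=courier read access to the password attributes precisely because authdaemon compares passwords itself.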