Hi everybody, I have a problem with Cyrus & LDAP.
Ok, here is the problem:
I have correctly set up an LDAP database on a RH7.1 box (openldap-2.0.7).
On the LDAP database I have imported /etc/passwd and /etc/group. I've
modified /etc/pam.d/login to test if it is possible to validate against my
ldap, and it works OK.
Now, I want my IMAP server (cyrus-imap) to authenticate the users
using PAM. To accomplish this I have modified this line in the /etc/imap.conf
file:
/etc/imap.conf:
sasl_pwcheck_method: pam
and this one:
/etc/pam.d/imap:
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
After that I try to see if it works ok:
[root@ipsilon /etc]# /usr/bin/imtest -m login -a drio localhost
C: C01 CAPABILITY
S: * OK ipsilon Cyrus IMAP4 v2.0.12 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Password:
C: L01 LOGIN drio {5}
+ go ahead
C: <omitted>
L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
This is the log output:
Jul 12 14:07:37 ipsilon imap(pam_unix)[3365]: authentication failure;
logname= uid=76 euid=76 tty= ruser= rhost= user=drio
Then I try to do the authentication using LDAP, so I comment out the
other two lines and add these to the /etc/pam.d/imap file:
auth sufficient /lib/security/pam_ldap.so
account sufficient /lib/security/pam_ldap.so
Now I tried again:
[root@ipsilon /etc]# /usr/bin/imtest -m login -a drio localhost
C: C01 CAPABILITY
S: * OK ipsilon Cyrus IMAP4 v2.0.12 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Password:
C: L01 LOGIN drio {4}
+ go ahead
C: <omitted>
failure: prot layer failure
This is the log output:
Jul 12 14:16:55 ipsilon imapd[4219]: pam_ldap: error trying to bind as
user "uid=drio,ou=People,o=pruebas" (Invalid credentials)
By the way, it is more important for me to validate the users using LDAP,
because I will do it this way in the future.
I hope you will be able to tell me what the hell is going on here....
One thing more, a curious thing:
#######################################################################
### /var/log/slapd.log: trace of a ldap query from the pam_ldap.so linked
### in the login binary.
########################################################################
Jul 12 16:42:47 ipsilon slapd[4865]: daemon: conn=29 fd=7 connection from
IP=192.168.1.40:33600 (IP=0.0.0.0:389) accepted.
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=0 BIND dn="" method=128
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=0 RESULT tag=97 err=0
text=
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=1 SRCH base="o=pruebas"
scope=2 filter="(uid=drio)"
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=1 SEARCH RESULT tag=101
err=0 text=
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=2 BIND
dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS"
method=128
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=2 RESULT tag=97 err=0
text=
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=3 BIND dn="" method=128
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=3 RESULT tag=97 err=0
text=
Jul 12 16:42:58 ipsilon slapd[4865]: conn=29 op=4 UNBIND
Jul 12 16:42:58 ipsilon slapd[4865]: conn=-1 fd=7 closed
#######################################################################
### /var/log/slapd.log: trace of a ldap query from the pam_ldap.so linked
### in the imapd binary.
########################################################################
Jul 12 16:43:56 ipsilon slapd[4865]: daemon: conn=30 fd=7 connection from
IP=192.168.1.40:33610 (IP=0.0.0.0:389) accepted.
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=0 BIND dn="" method=128
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=0 RESULT tag=97 err=0
text=
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SRCH base="o=pruebas"
scope=2 filter="(uid=drio)"
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SEARCH RESULT tag=101
err=0 text=
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 BIND
dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS"
method=128
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 RESULT tag=97 err=0
text=
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=3 BIND dn="" method=128
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=3 RESULT tag=97 err=0
text=
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=4 UNBIND
Jul 12 16:43:56 ipsilon slapd[4865]: conn=-1 fd=7 closed
It seems OK? The query is the same.
Thank you in advance.
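
An added example, not part of the original message: a small Python parser for slapd traces like the two above. It rejoins the wrapped lines, pairs each operation with its RESULT code so two connections can be compared, and lists non-anonymous binds that failed. The conn=29 and conn=30 lines are abridged from the traces in the post; the conn=31 record with err=49 (LDAP invalidCredentials) is constructed for illustration, and all function names are hypothetical.

```python
import re

# slapd operation lines look like: "conn=N op=M <VERB> key=value ..."
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|SRCH|UNBIND|(?:SEARCH )?RESULT)\b(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
STAMP = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d "

def unwrap(text):
    """Rejoin records that the mail client wrapped onto continuation lines."""
    return re.sub(r"\n(?!" + STAMP + ")", " ", text).splitlines()

def parse_ops(text):
    """Return {conn: [op dict, ...]} in op order, each op merged with its RESULT err."""
    conns = {}
    for rec in unwrap(text):
        m = OP_RE.search(rec)
        if not m:
            continue  # connection accept/close lines carry no op=
        conn, op, verb, rest = int(m[1]), int(m[2]), m[3], m[4]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ops = conns.setdefault(conn, {})
        if verb.endswith("RESULT"):
            ops.setdefault(op, {})["err"] = int(fields.get("err", -1))
        else:
            ops.setdefault(op, {}).update(verb=verb, **fields)
    return {c: [ops[o] for o in sorted(ops)] for c, ops in conns.items()}

def failed_binds(conns):
    """Non-anonymous binds whose RESULT is non-zero (49 = invalidCredentials)."""
    return [(c, o["dn"], o["err"]) for c, ops in conns.items() for o in ops
            if o.get("verb") == "BIND" and o.get("dn") and o.get("err", 0) != 0]

# conn=29/30: abridged from the post's traces; conn=31: constructed failing bind.
SAMPLE = '''\
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=1 SRCH base="o=pruebas"
scope=2 filter="(uid=drio)"
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=2 BIND
dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS"
method=128
Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=2 RESULT tag=97 err=0
text=
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SRCH base="o=pruebas" scope=2 filter="(uid=drio)"
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 BIND dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS" method=128
Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 RESULT tag=97 err=0 text=
Jul 12 16:50:00 ipsilon slapd[4865]: conn=31 op=2 BIND dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS" method=128
Jul 12 16:50:00 ipsilon slapd[4865]: conn=31 op=2 RESULT tag=97 err=49 text=
'''
```

Comparing `parse_ops(SAMPLE)[29]` with `[30]` shows whether the login and imapd connections performed the same operations with the same result codes, independent of timestamps and line wrapping.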