I am faced with the same "signaled to death by 11" problem on RH 7.1
that has been reported in this list several times before. I think I
understand the problem, but I need a little coaching to implement a
solution.
Here's the problem: whenever I log in correctly,

    # telnet localhost imap
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    * OK sartre.rprc.washington.edu Cyrus IMAP4 v2.0.16 server ready
    . login <username> <password>
    Connection closed by foreign host.

the connection closes, and the spawned imapd process

    imapd[16162]: login: localhost.localdomain[127.0.0.1] <username> plaintext
    imapd[16192]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): Unknown error
    imapd[16192]: pam_ldap: _set_ssl_options failed
    master[16154]: process 16192 exited, signaled to death by 11

dies ignominiously.

I am using

    sasl_pwcheck_method: PAM

and pam_ldap to authenticate against an OpenLDAP database. Note that
pam_ldap complains that it has been passed an option

    LDAP_OPT_X_TLS_REQUIRE_CERT

with which it is unfamiliar.

My guess is that the LDAP_OPT_X_TLS_REQUIRE_CERT option is the problem.
Needless to say, that means the previously touted explanations
regarding Berkeley DB linking problems are red herrings.

So... how can I get cyrus-imap not to require TLS for a plaintext login?
I realize the cyrus team thinks they are doing me a favour by requiring
this, but there really needs to be a simple way to disable it in
configuration files. Also, imapd certainly shouldn't be committing suicide
just because a PAM module doesn't understand its request for some
exceedingly obscure LDAP_OPT_X option.

Additional information of dubious use follows...

If I log in with an incorrect password,

    # telnet localhost imap
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    * OK sartre.rprc.washington.edu Cyrus IMAP4 v2.0.16 server ready
    . login <username> <wrong-password>
    . NO Login failed: authentication failure

the authentication fails, but nobody dies.

If I use another PAM module instead of pam_ldap, for example the trivial
pam_permit, which always returns success, it all works. I (and, of
course, everyone else in the world) can log in successfully, and nobody
dies! However, lest you think that a hopelessly buggy pam_ldap is the
problem, you should know that the selfsame pam_ldap is working fine with
about 42 other services I offer (login, netatalk, passwd, samba, ssh,
...) including an old cyrus-imapd-1.6.24 installation on another machine.

The relevant version numbers are

    cyrus-imapd-2.0.16 (compiled from source)
    cyrus-sasl-1.5.24 (from cyrus.sasl-1.5.24-17.i386.rpm)
    Berkeley DB 3.3.1 (from db3-3.1.17-7.i386.rpm)
    pam_ldap-122 (compiled from source)

in case that helps anyone.