[KLUG Members] debug ldap failure

Richard Harding members@kalamazoolinux.org
Tue, 09 Dec 2003 18:55:43 -0500


Adam Williams wrote:

>>I wanted to start playing with my ldap goals and found this nice article 
>>on ldap and exim...it's just something to start playing with at the moment.
>>    
>>
>
>I don't know anything about exim, but if you've seen one MTA you've
>seen 'em all.
>
>  
>
>>I have courier and ldap set up. I managed to add a user and set up the 
>>users mailbox. Once you have courier set up to authenticate to ldap the 
>>instructions have a line to test telnetting in with the ldap account, 
>>which is failing.
>>    
>>
>
>Is courier calling out to PAM, using saslauthd's direct LDAP support, or
>attempting to perform its own bind test?
>
>  
>
It is using its own bind. It is set up in the courier config. I set up 
the authdaemon config to use ldap authentication.
    ##NAME: authmodulelist:0
    #
    # The authentication modules that are linked into authdaemond.  The
    # default list is installed.  You may selectively disable modules simply
    # by removing them from the following list.  The available modules you
    # can use are: authcustom authcram authuserdb authldap authpgsql authmysql authp

    #authmodulelist="authpam"
    authmodulelist="authldap"


Then in the authldaprc file there is:
    # Location of your LDAP server:

    LDAP_SERVER             localhost
    LDAP_PORT               389

    ##NAME: LDAP_BASEDN:0
    #
    # Look for authentication here:

    LDAP_BASEDN             dc=home,dc=ricksweb,dc=com
    LDAP_BINDPW             kakcMyHc7D2pW2O4OjlG8Q/9lqJJkNxF



>>Now to debug this the author suggests running slapd from the command
>>line like so:
>>slapd -d1
>>Now when I do this and try to telnet to port 143 on another terminal I 
>>see all kinds of work being done in the ldap query, but I am having a 
>>really hard time making heads or tails of it.
>>    
>>
>
>Yep, a lot of it is noise, makes it hard to pick out the relevant parts.
>I think a debug level other than "1" would be more appropriate.
>
>I'd start at 256.
>
>Do you see anything in /var/log/messages or maillog from courier about
>why it thinks the authentication failed?  I know that cyrus imapd puts
>out rather helpful messages (truly shocking!).
>
>  
>
All I get in both mail.log and mail.err is:
    Dec  9 18:45:36 debian imaplogin: LOGOUT, ip=[::ffff:127.0.0.1]


>>Here is the output when I try to auth in its entirety.
>>ldap_pvt_gethostbyname_a: host=localhost, r=0
>>put_filter: "(objectclass=*)"
>>put_filter: simple
>>put_simple_filter: "objectclass=*"
>>    
>>
>
>A rather scary filter.  Seems you should skinny this down somehow.
>
>  
>
I don't have anything but a few records in there right now so I have not 
worried about thinning it yet.


Thanks for the help.

-Rick
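The following is an added example and is not part of the thread above, nor
code from Courier or OpenLDAP. It is a small Python script for the debugging
step discussed in the exchange: run slapd at debug level 256 (OpenLDAP's
"stats" level, which writes one line per connection, operation and result to
stderr instead of the level-1 trace), feed that output to the script, and it
pairs each BIND and SRCH line with its RESULT line and translates the LDAP
result code. The two log samples embedded in it are constructed by hand in
that line format (reusing the base DN from the authldaprc above) and were not
captured from any server; the result-code meanings come from RFC 4511. An
empty dn in a BIND line means the client bound anonymously, which is what an
LDAP client does when it has no bind DN configured, whether or not it has a
bind password.

```python
"""Summarise slapd 'stats' (debug level 256) output so a failed mail login
reads as "bind as X: result" and "search under Y: N entries".

Constructed input: SAMPLE_ANON_BIND and SAMPLE_BAD_BIND below are
hand-written in the level-256 line format, not captured from a real slapd.
"""
import re

# LDAP result codes (RFC 4511 section 4.1.9) that show up when a mail
# server's bind or user lookup fails.
RESULT_CODES = {
    0: "success",
    13: "confidentialityRequired: server wants TLS before this operation",
    32: "noSuchObject: the base DN or entry does not exist",
    34: "invalidDNSyntax: the bind or base DN is malformed",
    48: "inappropriateAuthentication: bind type not allowed for this entry",
    49: "invalidCredentials: wrong bind DN or wrong password",
    50: "insufficientAccessRights: ACLs deny the operation",
    53: "unwillingToPerform: server refused the operation",
}

# Constructed: an IMAP login where the client binds anonymously and then
# searches for the user; the search matches nothing.
SAMPLE_ANON_BIND = """\
conn=1000 fd=12 ACCEPT from IP=127.0.0.1:45122 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=home,dc=ricksweb,dc=com" scope=2 deref=0 filter="(&(objectClass=*)(mail=rick@ricksweb.com))"
conn=1000 op=1 SRCH attr=uid mail homeDirectory
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=12 closed
"""

# Constructed: a service account bind rejected with invalidCredentials.
SAMPLE_BAD_BIND = """\
conn=1001 op=0 BIND dn="cn=courier,dc=home,dc=ricksweb,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
"""

ENTRY_RE = re.compile(r'^conn=(?P<conn>\d+)(?: fd=\d+)?(?: op=(?P<op>\d+))? (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) deref=\d filter="(?P<filter>.*)"$')
RESULT_RE = re.compile(r'^(?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)(?: nentries=(?P<n>\d+))? text=(?P<text>.*)$')


def explain(err):
    """Human-readable meaning of an LDAP result code."""
    return RESULT_CODES.get(err, f"result code {err} (see RFC 4511 section 4.1.9)")


def summarize(log_text):
    """Pair each BIND/SRCH operation with its RESULT line, keyed by (conn, op)."""
    pending = {}   # (conn, op) -> outcome still waiting for its RESULT
    outcomes = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group("op") is None:
            continue   # ACCEPT / closed and other lines that carry no op number
        key = (int(m.group("conn")), int(m.group("op")))
        body = m.group("body")
        b = BIND_RE.match(body)
        if b:
            pending[key] = {"conn": key[0], "op": key[1], "kind": "BIND",
                            "dn": b.group("dn"), "anonymous": b.group("dn") == "",
                            "simple": b.group("method") == "128"}  # 128 = simple bind
            continue
        s = SRCH_RE.match(body)
        if s:
            pending[key] = {"conn": key[0], "op": key[1], "kind": "SEARCH",
                            "base": s.group("base"), "scope": int(s.group("scope")),
                            "filter": s.group("filter")}
            continue
        r = RESULT_RE.match(body)
        if r and key in pending:
            out = pending.pop(key)
            out["err"] = int(r.group("err"))
            out["meaning"] = explain(out["err"])
            if out["kind"] == "SEARCH":
                out["nentries"] = int(r.group("n") or 0)
                if out["err"] == 0 and out["nentries"] == 0:
                    out["meaning"] = "success, but no entry matched the base and filter"
            outcomes.append(out)
    return outcomes


def diagnose(outcomes):
    """Turn paired outcomes into the hints a mail admin actually wants to see."""
    hints = []
    for o in outcomes:
        if o["kind"] == "BIND" and o["anonymous"]:
            hints.append(f"conn={o['conn']}: anonymous bind; if a bind DN was intended, "
                         "the client config is not supplying one")
        elif o["kind"] == "BIND" and o["err"] != 0:
            hints.append(f"conn={o['conn']}: bind as '{o['dn']}' failed: {o['meaning']}")
        elif o["kind"] == "SEARCH" and o["err"] == 0 and o["nentries"] == 0:
            hints.append(f"conn={o['conn']} op={o['op']}: search under {o['base']} with "
                         f"filter {o['filter']} matched nothing (entry or attribute missing, "
                         "or ACLs hide it from this bind)")
        elif o["kind"] == "SEARCH" and o["err"] != 0:
            hints.append(f"conn={o['conn']} op={o['op']}: search failed: {o['meaning']}")
    return hints


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ANON_BIND
    for hint in diagnose(summarize(text)):
        print(hint)
```

Capture the server side with `slapd -d 256 2> slapd.log` in one terminal, do
the telnet login in another, then run the script on slapd.log. Level 256 drops
the per-function trace that level 1 prints and keeps the lines that answer the
two questions that matter here: which DN the mail server bound as, with what
result, and whether the user search under the base DN returned any entry.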