[KLUG Members] debug ldap failure
Richard Harding
members@kalamazoolinux.org
Tue, 09 Dec 2003 18:55:43 -0500
Adam Williams wrote:
>>I wanted to start playing with my ldap goals and found this nice article
>>on ldap and exim...it's just something to start playing with at the moment.
>>
>>
>
>I don't know anything about exim, but if you've seen one MTA you've
>seen 'em all.
>
>
>
>>I have courier and ldap set up. I managed to add a user and set up the
>>users mailbox. Once you have courier set up to authenticate to ldap the
>>instructions have a line to test telnetting in with the ldap account,
>>which is failing.
>>
>>
>
>Is courier calling out to PAM, using saslauthd's direct LDAP support, or
>attempting to perform it's own bind test?
>
>
>
It is using its own bind. It is set up in the courier config. I set up
the authdaemon config to use ldap authentication.
##NAME: authmodulelist:0
#
# The authentication modules that are linked into authdaemond. The
# default list is installed. You may selectively disable modules simply
# by removing them from the following list. The available modules you
# can use are: authcustom authcram authuserdb authldap authpgsql
authmysql authp
#authmodulelist="authpam"
authmodulelist="authldap"
Then in the authldaprc file there is:
# Location of your LDAP server:
LDAP_SERVER localhost
LDAP_PORT 389
##NAME: LDAP_BASEDN:0
#
# Look for authentication here:
LDAP_BASEDN dc=home,dc=ricksweb,dc=com
LDAP_BINDPW kakcMyHc7D2pW2O4OjlG8Q/9lqJJkNxF
>>Now to debug this the author suggests running slapd from the command
>>line like so:
>>slapd -d1
>>Now when I do this and try to telnet to port 143 on another terminal I
>>see all kinds of work being done in the ldap query, but I am having a
>>really hard time making heads or tails of it.
>>
>>
>
>Yep, alot of it is noise, makes it hard to pick out the relevant parts.
>I think a debug level other than "1" would be more appopriate.
>
>I'd start at 256.
>
>Do you see anything in /var/log/messages or maillog from courier about
>why it thinks the authentication failed? I know that cyrus imapd puts
>out rather helpful messages (truly shocking!).
>
>
>
All I get in both mail.log and mail.err is:
Dec 9 18:45:36 debian imaplogin: LOGOUT, ip=[::ffff:127.0.0.1]
>>Here is the output when I try to auth in its entirety.
>>ldap_pvt_gethostbyname_a: host=localhost, r=0
>>put_filter: "(objectclass=*)"
>>put_filter: simple
>>put_simple_filter: "objectclass=*"
>>
>>
>
>A rather scarey filter. Seems you should skinny this down somehow.
>
>
>
I don't have anything but a few records in there right now so I have not
worried about thinning it yet.
Thanks for the help.
-Rick