[KLUG Members] debug ldap failure

Richard Harding members@kalamazoolinux.org
Wed, 10 Dec 2003 10:08:59 -0500


Adam Williams wrote:
>>>>I wanted to start playing with my ldap goals and found this nice article 
>>>>on ldap and exim...it's just something to start playing with at the moment.
>>>
>>>I don't know anything about exim,  but if you've seen one MTA you've
>>>seen 'em all.
>>>
>>>>I have courier and ldap set up. I managed to add a user and set up the 
>>>>users mailbox. Once you have courier set up to authenticate to ldap the 
>>>>instructions have a line to test telnetting in with the ldap account, 
>>>>which is failing.
>>>
>>>Is courier calling out to PAM, using saslauthd's direct LDAP support, or
>>>attempting to perform its own bind test?
> 
> 
> Can you perform a bind using "ldapsearch"?
> 
> ldapsearch -a never -b "o=Morrison Industries,c=US" -D "cn=Adam
> Williams,ou=People,o=Morrison Industries,c=US" -h littleboy -x -w
> ******** uid=adam
> 
I can as my admin user account, but not as any of the other users I have 
entered into the system. The userPassword field on the admin account is 
crypt while the users are added as ssha passwords though. Should I be 
able to use the mixed types? I thought as long as the password started out 
with the type it would work out.

> 
>>It is using its own bind. It is set up in the courier config. I set up 
>>the authdaemon config to use ldap authentication.
>>    ##NAME: authmodulelist:0
>>    #
>>    # The authentication modules that are linked into authdaemond.  The
>>    # default list is installed.  You may selectively disable modules simply
>>    # by removing them from the following list.  The available modules you
>>    # can use are: authcustom authcram authuserdb authldap authpgsql 
>>authmysql authp
>>    #authmodulelist="authpam"
>>    authmodulelist="authldap"
> 
> 
> Assuming this is really doing the same thing as saslauthd does (probably
> just less efficiently).
> 
> 
>>Then in the authldaprc file there is:
>>    # Location of your LDAP server:
>>    LDAP_SERVER             localhost
>>    LDAP_PORT               389
>>    ##NAME: LDAP_BASEDN:0
>>    #
>>    # Look for authentication here:
>>    LDAP_BASEDN             dc=home,dc=ricksweb,dc=com
>>    LDAP_BINDPW             kakcMyHc7D2pW2O4OjlG8Q/9lqJJkNxF
> 
> 
> Why on earth does it need bind credentials to authenticate users?  And
> you have a binding password but no bind dn.  I don't know anything about
> Courier, but this smells funny.
> 
I must not have pasted this right. There is a LDAP_BINDDN. I think it 
needs bind credentials to check the userPassword field as it is limited 
to admin and its own user. Perhaps I am way off base on this though.

> 
>>>Do you see anything in /var/log/messages or maillog from courier about
>>>why it thinks the authentication failed?  I know that cyrus imapd puts
>>>out rather helpful messages (truly shocking!).
>>
>>All I get in both mail.log and mail.err is:
>>    Dec  9 18:45:36 debian imaplogin: LOGOUT, ip=[::ffff:127.0.0.1]
> 
> 
> Nothing in /var/log/secure?
> 

I don't have a /var/log/secure or anything else I can see that would 
come close.
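Added example, not part of the thread and not Courier's or OpenLDAP's own code: a small Python checker for the {SSHA}, {SHA} and {CRYPT} userPassword layouts that OpenLDAP's slappasswd writes (salted SHA-1 is base64(sha1(password + salt) + salt); unsalted SHA-1 is base64(sha1(password)); {CRYPT} is a crypt(3) string; a value with no {scheme} prefix is cleartext), plus a scan over a constructed LDIF dump that reports which scheme each entry uses. slapd compares against the tagged value itself during a simple bind and accepts several schemes side by side in one directory, so a {CRYPT} admin next to {SSHA} users is not in itself a problem. The question is which component performs the comparison: if the mail server fetches userPassword through its own bind DN and compares locally, that component must understand every scheme present, and an inventory like the one below shows quickly whether the failing users share a scheme the working account does not. The DNs, passwords, salt and the {CRYPT} placeholder are all constructed for the example.

```python
"""Verify candidates against RFC 2307 userPassword values and inventory schemes.

Added example, not from the original thread. Assumes the hash layouts that
OpenLDAP's slappasswd writes; all sample data below is constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def make_sha(password: str) -> str:
    """Unsalted {SHA} value, as 'slappasswd -h {SHA}' would write it."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def password_scheme(stored: str) -> Optional[str]:
    """Upper-cased scheme tag ('SSHA', 'CRYPT', ...) or None for a cleartext value."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return None


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check one candidate password against one userPassword value."""
    scheme = password_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme is None:
        # No scheme prefix: the directory holds the password in cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    payload = stored[len(scheme) + 2:]  # strip the "{SCHEME}" prefix
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    if scheme == "CRYPT":
        try:
            import crypt  # wraps the system crypt(3); deprecated in 3.11, removed in 3.13
        except ImportError as exc:
            raise ValueError("{CRYPT} values need the crypt module") from exc
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    raise ValueError(f"unsupported userPassword scheme {{{scheme}}}")


def schemes_in_ldif(ldif: str) -> Dict[str, Optional[str]]:
    """Map each dn in an LDIF dump to the scheme of its userPassword value."""
    result: Dict[str, Optional[str]] = {}
    dn = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            # '::' means ldapsearch base64-encoded the attribute value
            value = base64.b64decode(line[15:].strip()).decode("utf-8")
            result[dn] = password_scheme(value)
        elif line.startswith("userPassword: ") and dn:
            result[dn] = password_scheme(line[14:].strip())
    return result


# Constructed dump mirroring the thread's situation: a {CRYPT} admin beside
# {SSHA} users. The {CRYPT} string is a placeholder, not a real hash.
SAMPLE_LDIF = (
    "dn: cn=admin,dc=example,dc=com\n"
    "userPassword: {CRYPT}PLACEHOLDER-NOT-A-REAL-HASH\n"
    "\n"
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    f"userPassword: {make_ssha('alice-pass', salt=b'salt')}\n"
    "\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    f"userPassword:: {base64.b64encode(make_sha('bob-pass').encode()).decode()}\n"
)

if __name__ == "__main__":
    for entry, scheme in schemes_in_ldif(SAMPLE_LDIF).items():
        print(f"{entry}: {scheme or 'cleartext'}")
    print(verify_userpassword(make_ssha("alice-pass", salt=b"salt"), "alice-pass"))
```

Run as a script it lists the scheme per entry and then verifies one {SSHA} value; point `schemes_in_ldif` at the output of an `ldapsearch ... userPassword` run (as the bind DN that is allowed to read the attribute) to see the real inventory. The comparisons use `hmac.compare_digest` so that a local check does not leak timing information about how much of a digest matched.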