[KLUG Members] debug ldap failure
Richard Harding
members@kalamazoolinux.org
Wed, 10 Dec 2003 10:08:59 -0500
Adam Williams wrote:
>>>>I wanted to start playing with my ldap goals and found this nice article
>>>>on ldap and exim...it's just something to start playing with at the moment.
>>>
>>>I don't know anything about exim, but if you've seen one MTA you've
>>>seen 'em all.
>>>
>>>>I have courier and ldap set up. I managed to add a user and set up the
>>>>users mailbox. Once you have courier set up to authenticate to ldap the
>>>>instructions have a line to test telnetting in with the ldap account,
>>>>which is failing.
>>>
>>>Is courier calling out to PAM, using saslauthd's direct LDAP support, or
>>>attempting to perform it's own bind test?
>
>
> Can you perform a bind using "ldapsearch"?
>
> ldapsearch -a never -b "o=Morrison Industries,c=US" -D "cn=Adam
> Williams,ou=People,o=Morrison Industries,c=US" -h littleboy -x -w
> ******** uid=adam
>
I can as my admin user account, but not as any of the other users I have
entered into the system. The userPassword field on the admin account is
crypt while the users are added as ssha passwords though. Should I be
able to use the mix types? I thought as long as the password started out
with the type it would work out.
>
>>It is using its own bind. It is set up in the courier config. I set up
>>the authdaemon config to use ldap authentication.
>> ##NAME: authmodulelist:0
>> #
>> # The authentication modules that are linked into authdaemond. The
>> # default list is installed. You may selectively disable modules simply
>> # by removing them from the following list. The available modules you
>> # can use are: authcustom authcram authuserdb authldap authpgsql
>>authmysql authp
>> #authmodulelist="authpam"
>> authmodulelist="authldap"
>
>
> Assuming this is really doing the same thing as saslauthd does (probably
> just less efficiently).
>
>
>>Then in the authldaprc file there is:
>> # Location of your LDAP server:
>> LDAP_SERVER localhost
>> LDAP_PORT 389
>> ##NAME: LDAP_BASEDN:0
>> #
>> # Look for authentication here:
>> LDAP_BASEDN dc=home,dc=ricksweb,dc=com
>> LDAP_BINDPW kakcMyHc7D2pW2O4OjlG8Q/9lqJJkNxF
>
>
> Why on earth does it need bind credentials to authenticate users? And
> you have a binding password but no bind dn. I don't know anything about
> Courier, but this smells funny.
>
I must not have pasted this right. There is a LDAP_BINDDN. I think it
needs bind credentials to check the userPassword field as it is limited
to admin and it's own user. Perhaps I am way off base on this though.
>
>>>Do you see anything in /var/log/messages or maillog from courier about
>>>why it thinks the authentication failed? I know that cyrus imapd puts
>>>out rather helpful messages (truly shocking!).
>>
>>All I get in both mail.log and mail.err is:
>> Dec 9 18:45:36 debian imaplogin: LOGOUT, ip=[::ffff:127.0.0.1]
>
>
> Nothing in /var/log/secure?
>
I don't have a /var/log/secure or anything else I can see that would
come close.