[KLUG Members] debug ldap failure

Adam Williams members@kalamazoolinux.org
Thu, 11 Dec 2003 11:18:00 -0500


> > Can you perform a bind using "ldapsearch"? 
> > ldapsearch -a never -b "o=Morrison Industries,c=US" -D "cn=Adam
> > Williams,ou=People,o=Morrison Industries,c=US" -h littleboy -x -w
> > ******** uid=adam
> I can as my admin user account, but not as any of the other users I have 
> entered into the system. The userPassword field on the admin account is 
> crypt while the users are added as ssha passwords though. Should I be 
> able to use mixed types? I thought as long as the password started out 
> with the type it would work out.

You're correct.  If you can't bind as a user with the user's password then
something is wrong deep inside your configuration.

...
> >>    #authmodulelist="authpam"
> >>    authmodulelist="authldap"
> > Assuming this is really doing the same thing as saslauthd does (probably
> > just less efficiently).
> >>Then in the authldaprc file there is:
> >>    # Location of your LDAP server:
> >>    LDAP_SERVER             localhost
> >>    LDAP_PORT               389
> >>    ##NAME: LDAP_BASEDN:0
> >>    #
> >>    # Look for authentication here:
> >>    LDAP_BASEDN             dc=home,dc=ricksweb,dc=com
> >>    LDAP_BINDPW             kakcMyHc7D2pW2O4OjlG8Q/9lqJJkNxF
> > Why on earth does it need bind credentials to authenticate users?  And
> > you have a binding password but no bind dn.  I don't know anything about
> > Courier, but this smells funny.
> I must not have pasted this right. There is a LDAP_BINDDN. I think it 
> needs bind credentials to check the userPassword field as it is limited 
> to admin and it's own user. Perhaps I am way off base on this though.

I hope you're "way off base" or the security of this authentication method
is an absolute joke.  You shouldn't need anything but read[search]
access to any attributes other than objectclass and uid to perform
authentication;  and those attributes are almost always available via an
anonymous bind.  YOU DO *NOT* NEED READ ACCESS TO THE userPassword
ATTRIBUTE IN ORDER TO AUTHENTICATE USERS.  You simply locate the DN by
searching for the uid via an objectclass filtered anonymous bind.  Then
you attempt a bind with that DN and the password provided by the user. 
If the bind fails the username/password is wrong, if it succeeds the
username/password is correct.  No cryptographic information should ever
be nor ever needs to be exposed for user authentication.

> >>>Do you see anything in /var/log/messages or maillog from courier about
> >>>why it thinks the authentication failed?  I know that cyrus imapd puts
> >>>out rather helpful messages (truly shocking!).
> >>All I get in both mail.log and mail.err is:
> >>    Dec  9 18:45:36 debian imaplogin: LOGOUT, ip=[::ffff:127.0.0.1]
> > Nothing in /var/log/secure?
> I don't have a /var/log/secure or anything else I can see that would 
> come close.

Hm, must be a distro thing.
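The search-then-bind flow described in the reply above, written out as an added example (my script, not Adam's or the original poster's code, and not how Courier's authldap does it). It wraps the OpenLDAP client tools ldapsearch and ldapwhoami; the server URI, the base DN (copied from the quoted authldaprc), the inetOrgPerson object class, and the assumption that the directory permits an anonymous search on uid and objectClass are all assumptions for illustration:

```shell
#!/bin/sh
# Search-then-bind authentication with the OpenLDAP client tools.
# Added example; not code from the original thread. Assumptions: ldapsearch and
# ldapwhoami are installed, user entries carry uid and objectClass inetOrgPerson,
# and the directory allows anonymous search on those two attributes.
# Host, base DN (from the quoted authldaprc) and class are illustrative values.

LDAP_URI="${LDAP_URI:-ldap://localhost}"
LDAP_BASE="${LDAP_BASE:-dc=home,dc=ricksweb,dc=com}"
USER_CLASS="${USER_CLASS:-inetOrgPerson}"

# Escape a value for use inside an LDAP search filter (RFC 4515), so a login
# name such as "*)(uid=*" cannot rewrite the filter. Backslash must go first.
escape_filter() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Take the LDIF printed by ldapsearch and return exactly one DN. Zero matches
# means an unknown uid; two or more means an ambiguous one; both are refused
# rather than guessed. Base64-encoded DNs ("dn:: ...") are not handled here.
extract_dn() {
    count=$(printf '%s\n' "$1" | awk '/^dn: /{n++} END{print n+0}')
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$1" | sed -n 's/^dn: //p'
}

# Step 1: anonymous search for the uid, requesting no attributes ("1.1").
# Step 2: simple bind as the DN found, with the password the user supplied.
# Exit 0 means the credentials are right. userPassword is never read.
ldap_authenticate() {
    uid=$1
    password=$2
    # An empty password turns a simple bind into an unauthenticated bind, which
    # servers treat as anonymous and accept; refuse it before touching LDAP.
    [ -n "$password" ] || return 1
    filter="(&(objectClass=$USER_CLASS)(uid=$(escape_filter "$uid")))"
    ldif=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" -s sub "$filter" 1.1) || return 1
    dn=$(extract_dn "$ldif") || return 1
    # -w exposes the password in the process list; prefer -y <file> outside a demo.
    ldapwhoami -x -H "$LDAP_URI" -D "$dn" -w "$password" >/dev/null 2>&1
}

# Usage: ldap_authenticate "$uid" "$password" && echo ok || echo denied
```

Two points a practitioner would check before deploying this pattern: the empty-password guard is not optional, because an unauthenticated simple bind succeeds on most servers and would let anyone in as any user; and the filter escaping matters because the uid comes straight from the login prompt. The only directory ACL the script needs is anonymous search on uid and objectClass, which is exactly the point made in the reply.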