problems with cyrus sasl ldap pam authentication

nikolay.nenchev at rbb.bg nikolay.nenchev at rbb.bg
Wed Sep 21 03:00:22 EDT 2005


> On Tue, Sep 20, 2005 at 05:53:22PM +0300, nikolay.nenchev at rbb.bg wrote:
>> Also log from auth.log is:
>> Sep 20 17:42:23 localhost saslauthd[9440]: pam_ldap: ldap_search_s No such object
>> Sep 20 17:42:23 localhost saslauthd[9440]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
>> Sep 20 17:42:23 localhost saslauthd[9440]: do_auth         : auth failure: [user=cyrus] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>
> Use a high debug level.
> Look in your /etc/ldap.conf
>
> My working config:
> uri ldap://localhost/
> base ou=users,o=oilspace
> ldap_version 3
> pam_filter objectClass=posixAccount
> pam_login_attribute uid
> pam_password md5
>
> ssl start_tls
> tls_cacertfile /etc/openldap/ssl/cacert.pem
> tls_checkpeer yes
>
> # Password is stored in /etc/ldap.secret (mode 600)
> rootbinddn xxxxx
>
> scope sub
> nss_base_passwd ou=users,o=oilspace?sub?objectClass=posixAccount
> nss_base_shadow ou=users,o=oilspace?sub?objectClass=posixAccount
> nss_base_group ou=groups,o=oilspace?sub?objectClass=posixGroup
>
> WBR
> --
> Dmitriy Kirhlarov
> OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
> P:+7 095 105 7247 F:+7 095 105 7246 E:DmitriyKirhlarov at oilspace.com
> OILspace - The resource enriched - www.oilspace.com
>

I have made changes in /etc/ldap/ldap.conf and changes in the LDAP entries,
and now it looks like this:

mail2:/etc/ldap# more ldap.conf
BASE    dc=rbb,dc=bg
URI     ldap://localhost/
ldap_version 3
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_password md5
TLS_REQCERT     allow

mail2:/etc/ldap# ldapsearch -x -H ldap://127.0.0.1/ -b 'dc=rbb,dc=bg' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=rbb,dc=bg> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# rbb.bg
dn: dc=rbb,dc=bg
objectClass: top
objectClass: dcObject
objectClass: organization
dc: rbb
o: RBBG

# cyrus, rbb.bg
dn: cn=cyrus,dc=rbb,dc=bg
cn: cyrus
sn: cyrus
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: cyrus
gidNumber: 10000
homeDirectory: /home/cyrus
uidNumber: 10000

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
mail2:/etc/ldap#


I have started slapd -d 10 and received some confusing information:
##cyradm --user cyrus --auth login localhost
IMAP Password:
              Login failed: authentication failure at
/usr/lib/perl5/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with mech login as user cyrus

and

mail2:/etc/ldap# slapd -d 10
@(#) $OpenLDAP: slapd 2.2.23 (May 30 2005 08:52:42) $
        @pulsar:/home/torsten/packages/openldap/openldap2.2-2.2.23/debian/build/servers/slapd
daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
bdb_db_init: Initializing BDB database
slapd starting
daemon: added 6r
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 11
daemon: added 11r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 11r
daemon: read activity on 11
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 60 07 02                            0....`..
ldap_read: want=6, got=6
  0000:  01 03 04 00 80 00                                  ......
ldap_read: want=8 error=Resource temporarily unavailable
daemon: select: listen=6 active_threads=0 tvp=NULL
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
daemon: activity on 1 descriptors
daemon: activity on: 11r
daemon: read activity on 11
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_read: want=8, got=8
  0000:  30 6f 02 01 02 63 6a 04                            0o...cj.
ldap_read: want=105, got=105
  0000:  0d 64 63 3d 72 62 62 2c  64 63 3d 6e 65 74 0a 01   .dc=rbb,dc=net..
  0010:  02 0a 01 00 02 01 01 02  01 1e 01 01 00 a0 48 a3   ..............H.
  0020:  1b 04 0b 6f 62 6a 65 63  74 63 6c 61 73 73 04 0c   ...objectclass..
  0030:  70 6f 73 69 78 41 63 63  6f 75 6e 74 a3 1b 04 0b   posixAccount....
  0040:  6f 62 6a 65 63 74 63 6c  61 73 73 04 0c 70 6f 73   objectclass..pos
  0050:  69 78 41 63 63 6f 75 6e  74 a3 0c 04 03 75 69 64   ixAccount....uid
  0060:  04 05 63 79 72 75 73 30  00                        ..cyrus0.
connection_input: conn=0 deferring operation: binding
daemon: select: listen=6 active_threads=0 tvp=NULL
  0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00         0....e... ....
daemon: activity on 1 descriptors
daemon: activity on: 11r
daemon: read activity on 11
ldap_read: want=8, got=7
  0000:  30 05 02 01 03 42 00                               0....B.
ldap_read: want=8 error=Resource temporarily unavailable
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 11r
daemon: read activity on 11
ldap_read: want=8, got=0

daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: removing 11

And the confusion comes from the information that it searches for the user in
dc=rbb,dc=net, not in dc=rbb,dc=bg.

For sure I'm missing something, but where is my misconfig?

Regards,
Nikolay Nenchev
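The hex dumps in the slapd -d 10 trace are BER-encoded LDAP messages, and decoding them is the most reliable way to see what pam_ldap actually sent on the wire. The following decoder is an added example for this thread (not code from the post, from OpenLDAP or from pam_ldap); it takes the SearchRequest with message id 2 and the SearchResultDone that answers it, re-typed byte for byte from the dump above, and recovers the base DN dc=rbb,dc=net and result code 32 (noSuchObject), which is the "No such object" seen in auth.log and confirms that the base in use did not come from the /etc/ldap/ldap.conf shown.

```python
# Added example: minimal BER decoder for two LDAP messages re-typed from the slapd -d 10
# dump in this thread (the SearchRequest, msgid 2, and the SearchResultDone that follows it).
SEARCH_REQUEST = bytes.fromhex(
    "30 6f 02 01 02 63 6a 04"
    "0d 64 63 3d 72 62 62 2c 64 63 3d 6e 65 74 0a 01"
    "02 0a 01 00 02 01 01 02 01 1e 01 01 00 a0 48 a3"
    "1b 04 0b 6f 62 6a 65 63 74 63 6c 61 73 73 04 0c"
    "70 6f 73 69 78 41 63 63 6f 75 6e 74 a3 1b 04 0b"
    "6f 62 6a 65 63 74 63 6c 61 73 73 04 0c 70 6f 73"
    "69 78 41 63 63 6f 75 6e 74 a3 0c 04 03 75 69 64"
    "04 05 63 79 72 75 73 30 00")
SEARCH_RESULT_DONE = bytes.fromhex("30 0c 02 01 02 65 07 0a 01 20 04 00 04 00")

def tlv(buf, pos=0):  # read one BER tag-length-value at pos; return (tag, value, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield the (tag, value) pairs nested inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def decode_filter(tag, val):  # RFC 4511 Filter subset pam_ldap emits: and [0], equalityMatch [3]
    if tag == 0xA0:
        return "(&" + "".join(decode_filter(t, v) for t, v in children(val)) + ")"
    if tag == 0xA3:
        attr, assertion = (v.decode() for _, v in children(val))
        return f"({attr}={assertion})"
    raise ValueError(f"unsupported filter tag 0x{tag:02x}")

def decode_ldap_message(raw):  # SearchRequest [APPLICATION 3] or SearchResultDone [APPLICATION 5]
    _, msg, _ = tlv(raw)                   # outer LDAPMessage SEQUENCE
    (_, msg_id), (op_tag, op) = list(children(msg))[:2]   # single-byte messageID is enough here
    fields = list(children(op))
    if op_tag == 0x63:                     # baseObject, scope, derefAliases, sizeLimit, timeLimit, typesOnly, filter
        return {"id": msg_id[0], "op": "searchRequest", "base": fields[0][1].decode(),
                "scope": {0: "base", 1: "one", 2: "sub"}[fields[1][1][0]],
                "filter": decode_filter(*fields[6])}
    if op_tag == 0x65:                     # LDAPResult: resultCode 32 is noSuchObject in RFC 4511
        return {"id": msg_id[0], "op": "searchResDone", "resultCode": fields[0][1][0],
                "matchedDN": fields[1][1].decode()}
    raise ValueError(f"unsupported operation tag 0x{op_tag:02x}")
```

Calling decode_ldap_message on each constant shows the base dc=rbb,dc=net with the doubled pam_filter plus uid=cyrus, and a searchResDone with resultCode 32 and an empty matchedDN, meaning not even the base entry exists on that server.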
