[pamldap] cyrus and pam

Amos Gouaux +archive.info-cyrus at utdallas.edu
Sun Sep 8 13:12:45 EDT 2002


I'll just comment that if you use nsswitch for LDAP resolution on
Solaris 8 (and 9?), be careful if you use saslauthd with nscd.  If
you do, you'll probably need to run it like this:

  saslauthd -n 0 -a shadow

otherwise you'll quickly begin sucking up an ever increasing number
of file descriptors.  There seems to be some sort of file leak when
all the pieces above are put to use.

>>>>> On Fri, 30 Aug 2002 17:49:13 +0600 (GMT),
>>>>> deen  <deen at slt.lk> (d) writes:

d> In the normal cyrus->ldap implementation, do I need to build these config files,
d> /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred?
d> Presently I do not have these.

d> Deen



d> At 11:09 AM 8/30/02 +0200, you wrote:
>> Hello,
>> for those who have problems getting Cyrus and PAM-LDAP working
>> on Solaris8 (as I had ...): We've written a small piece of code which
>> replaces the original pwcheck and speaks LDAP directly.
>> Just put it in the pwcheck directory of cyrus source code and
>> do some adjustments in the Makefile (please make sure
>> that OpenLDAP libs are linked).
>> 
>> Please note that this pwcheck_ldap.c uses the PAM-LDAP config files
>> /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred.
>> With one exception: I couldn't figure out what the algorithm
>> "{NS1}" for password hashing/encryption (???) is - so I created
>> a new file /var/ldap/pwcheck_ldap.conf which holds the clear text password.
>> 
>> This program is not perfect - e.g. I haven't checked it for memory leaks etc.
>> If anybody wants this to be integrated into Cyrus source code - please
>> feel free to do it.
>> 
>> http://keutel.de/cyrus-pwcheck-ldap/pwcheck_ldap.c
>> 
>> Best regards,  Jochen.
>> 
>>> -----Original Message-----
>>> From: owner-pamldap at PADL.COM [mailto:owner-pamldap at PADL.COM]On Behalf Of
>>> Alan Sparks
>>> Sent: Thursday, August 29, 2002 8:29 PM
>>> To: deen at slt.lk
>>> Cc: tarjei at nu.no; pamldap at padl.com
>>> Subject: RE: [pamldap] cyrus and pam
>>> 
>>> 
>>> I remember this was pretty weird... I built cyrus-sasl-1.5.27 with the
>>> following extra option:   --with-pwcheck=/var/pwcheck
>>> 
>>> This gave me a program '/usr/sbin/pwcheck' that needs to run before Cyrus
>>> is started.  It creates a named pipe in /var/pwcheck that is used by SASL
>>> to communicate to the external verifier program.
>>> 
>>> My /etc/imapd.conf file contains the directive:
>>> sasl_pwcheck_method: pwcheck
>>> 
>>> Should note that I do /not/ have any files for imap or pop in /etc/pam.d/.
>>> 
>>> That's the high points I recall on finally getting Cyrus/SASL to use PAM
>>> authentication.  Hope that gives some ideas on where to go.  YMMV on
>>> pathnames, depending on configure option.  Good luck.
>>> -Alan
>>> 
>>> 
>>> Deen said:
>>> >
>>> >
>>> > I have configured everything as required. The error I am getting in
>>> > the log file is unknown password verifier, in auth.error. I have added
>>> > the particular user in OpenLDAP.
>>> >
>>> >
>>> > Regards,
>>> >
>>> > Deen
>>> >
>>> > -----Original Message-----
>>> > From: owner-pamldap at padl.com [mailto:owner-pamldap at padl.com]On Behalf Of
>>> > Tarjei Huse
>>> > Sent: Thursday, August 29, 2002 12:48 PM
>>> > To: Deen
>>> > Cc: pamldap at padl.com
>>> > Subject: Re: [pamldap] cyrus and pam
>>> >
>>> >
>>> > Quoting Deen <deen at slt.lk>:
>>> >
>>> >>
>>> >> Hello List,
>>> >>
>>> >> I am trying to configure Cyrus POP/IMAP server, such that it will use
>>> >> ldap for user validation. I am using the following.
>>> >>
>>> >> cyrus->pam->ldap.
>>> > How have you set up cyrus-sasl? I think you'll get more help on this one
>>> > on the
>>> > info-cyrus list :)
>>> > PS: cyrus-utils.sf.net/faq might help you
>>> > Tarjei
>>> >
>>> > -------------------------------------------------
>>> > This mail sent through IMP: http://horde.org/imp/
>>> 
>>> 
>>> ===========
>>> Alan Sparks, UNIX/Linux Systems Administrator    
>>> <asparks at doublesparks.net>
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 


-- 
Amos
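
Added example, not part of the original thread or of Cyrus SASL: a small sh script for confirming the descriptor growth described at the top of this message by sampling the open-descriptor count of a saslauthd process. It assumes /proc/<pid>/fd is readable by the caller (true for root on Solaris and Linux); the function names, PROC_ROOT and MIN_RISE are made up for this sketch.

```sh
#!/bin/sh
# Added example: detect steady file-descriptor growth in a running process.
# Assumption: PROC_ROOT/<pid>/fd holds one entry per open descriptor.
PROC_ROOT=${PROC_ROOT:-/proc}

# fd_count PID: print the number of open descriptors; fail if the
# process is gone or its fd directory cannot be read.
fd_count() {
    dir="$PROC_ROOT/$1/fd"
    [ -d "$dir" ] || return 1
    ls "$dir" 2>/dev/null | wc -l | tr -d ' '
}

# fd_trend COUNT...: print "growing" when every sample is larger than
# the one before it and the total rise is at least MIN_RISE (default 10);
# print "stable" otherwise. A busy daemon goes up and down; a leak only goes up.
fd_trend() {
    min_rise=${MIN_RISE:-10}
    first=$1
    prev=$1
    shift
    for n in "$@"; do
        [ "$n" -gt "$prev" ] || { echo stable; return 0; }
        prev=$n
    done
    if [ $((prev - first)) -ge "$min_rise" ]; then
        echo growing
    else
        echo stable
    fi
}

# watch_pid PID SAMPLES INTERVAL: take SAMPLES readings INTERVAL seconds
# apart and print the trend; print "gone" and fail if the process exits.
watch_pid() {
    pid=$1; samples=$2; interval=$3; counts=""; i=0
    while [ "$i" -lt "$samples" ]; do
        c=$(fd_count "$pid") || { echo gone; return 1; }
        counts="$counts $c"
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then sleep "$interval"; fi
    done
    fd_trend $counts   # unquoted on purpose: one argument per sample
}

# Run directly as: script PID [SAMPLES] [INTERVAL_SECONDS]
if [ $# -ge 1 ]; then watch_pid "$1" "${2:-5}" "${3:-60}"; fi
```

Compare the result with and without the "-n 0" option while clients are authenticating; a "growing" result that continues until the process nears its descriptor limit (ulimit -n) matches the behaviour described above.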




