cyrus - sasl - pam - ldap strange error with libsldap

Sam Smith sam.smith at ece.gatech.edu
Mon Sep 18 13:00:51 EDT 2006


Andreas Winkelmann wrote:
> On Thursday 14 September 2006 18:23, Sam Smith wrote:
>
>   
>> We've been using cyrus faithfully with pam->NIS for years, but I have to
>> change to pam->LDAP.
>> I'm using saslauthd -a pam, with a solaris 9 box that authenticates just
>> fine using pam->ldap to a fedora directory server.
>>
>> I'm using cyrus 2.3.7, and sasl 2.1.22. I did not compile in ldap
>> support for sasl, since I am using pam.
>>
>> Anyway, here's the error:
>>
>> Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 379946
>> local6.notice] starttls: TLSv1 with cipher AES256-SHA (256/256 bits
>> reused) no authentication
>> Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 293258
>> local6.error] libsldap: Status: 91  Mesg: openConnection: failed to
>> initialize TLS security (security library: bad database.)
>> Sep 14 12:07:19 tsnfs.ece.gatech.edu last message repeated 1 time
>> Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 292100
>> local6.warning] libsldap: could not remove ldapserv.ece.gatech.edu from
>> servers list
>> Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 293258
>> local6.error] libsldap: Status: 7  Mesg: Session error no available conn.
>> Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 529592
>> local6.notice] login: ct5247.ece.gatech.edu [199.77.225.131] sam
>> plain+TLS User logged in
>>
>> I am able to login with most clients (thunderbird, outlook, eudora), but
>> I cannot login with squirrelmail. That's very strange. Squirrelmail logs
>> in twice for some reason, and the second time always fails.
>>
>> Is this a cyrus or a sasl error? Or maybe a pam_ldap error?
>>
>> Of course, if I change back to pam->NIS, everything works great, but
>> that's not an option.
>>     
>
> Your configuration?
>
> And, stop saslauthd and start it with an additional "-d" for debug output 
> from a shell. Test it and show the output.
>
>   
Thanks Andrew,
The saslauthd output when run in debug mode while I log in doesn't show 
any problems:
saslauthd[2193] :main            : num_procs  : 5
saslauthd[2193] :main            : mech_option: NULL
saslauthd[2193] :main            : run_path   : /var/state/saslauthd
saslauthd[2193] :main            : auth_mech  : pam
saslauthd[2193] :ipc_init        : using accept lock file: /var/state/saslauthd/mux.accept
saslauthd[2193] :detach_tty      : master pid is: 0
saslauthd[2193] :ipc_init        : listening on socket: /var/state/saslauthd/mux
saslauthd[2193] :main            : using process model
saslauthd[2193] :have_baby       : forked child: 2194
saslauthd[2194] :get_accept_lock : acquired accept lock
saslauthd[2193] :have_baby       : forked child: 2195
saslauthd[2193] :have_baby       : forked child: 2196
saslauthd[2193] :have_baby       : forked child: 2197
saslauthd[2194] :rel_accept_lock : released accept lock
saslauthd[2195] :get_accept_lock : acquired accept lock
saslauthd[2194] :do_auth         : auth success: [user=sam] [service=imap] [realm=] [mech=pam]
saslauthd[2194] :do_request      : response: OK

The log file during that login, showing the funny libsldap errors:
Sep 18 12:49:25 tsnfs.ece.gatech.edu imaps[2205]: [ID 921384 local6.debug] accepted connection
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 379946 local6.notice] starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 293258 local6.error] libsldap: Status: 91  Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
Sep 18 12:49:26 tsnfs.ece.gatech.edu last message repeated 1 time
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 292100 local6.warning] libsldap: could not remove ldapserv.ece.gatech.edu from servers list
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 293258 local6.error] libsldap: Status: 7  Mesg: Session error no available conn.
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 529592 local6.notice] login: ct5247.ece.gatech.edu [199.77.225.131] sam plain+TLS User logged in
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 275131 local6.notice] skiplist: recovered /var/imap/user/s/sam.seen (55 records, 17648 bytes) in 0 seconds
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 677757 local6.debug] seen_db: user sam opened /var/imap/user/s/sam.seen
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 736213 local6.debug] open: user sam opened INBOX


my imapd.conf:
configdirectory: /var/imap
servername: imap.ece.gatech.edu
defaultpartition: staff
partition-staff: /var/spool/imap/staff
partition-mailstore2: /var/spool/imap/mailstore2
partition-mailstore3: /var/spool/imap/mailstore3
partition-mailstore4: /var/spool/imap/mailstore4
partition-mailstore5: /var/spool/imap/mailstore5
partition-mailstore6: /var/spool/imap/mailstore6
admins: cyradmin cyrus
tls_cacert_dir: /etc/ece_conf/ssl
tls_cacert_file: /etc/ece_conf/ssl/cacert.pem
tls_cert_file: /etc/ece_conf/ssl/imapd.pem
tls_key_file: /etc/ece_conf/ssl/imapd.key
tls_session_timeout: 0
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 0
sasl_auto_transition: no
mailnotifier: mailto
sievenotifier: mailto
imapidresponse: 1

my cyrus.conf:
START {
  # do not delete these entries!
  recover       cmd="ctl_cyrusdb -r"

  # following 2 lines commented out when upgraded to 2.1.16
  # mboxlist    cmd="ctl_mboxlist -r"
  # deliver     cmd="ctl_deliver -r"

  # this is only necessary if using idled for IMAP IDLE
#  idled                cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
  # add or remove based on preferences
  cyradm        cmd="imapd" listen="localhost:imapadmin" prefork=0
  imap          cmd="imapd" listen="imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d -s" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
#  imap         cmd="imapd" listen="imapadmin" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=1

  # at least one LMTP is required for delivery
  lmtp         cmd="lmtpd -a" listen="lmtp" prefork=10 maxchild=-1
  lmtpunix     cmd="lmtpd -a" listen="/var/imap/socket/lmtp" prefork=10
  notify       cmd="notifyd" listen="/var/imap/socket/notify" 
proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="ctl_deliver -E 3" at=0400

  # for pruning cached SSL/TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}

======

The ldap server shows that the connection was an ssl connection, and 
unix logins work fine with pam->ldap, so I am clueless as to what the libsldap 
errors are about. I didn't even compile cyrus with ldap.

Sam Smith