Ptloader configuration in Cyrus IMAP

Evgeniy Arbatov arbatovevgeniy at gmail.com
Thu Aug 20 04:54:23 EDT 2009


Thank you for your suggestions! They helped me a great deal.
The situation is better now, in the sense that ptloader connects to LDAP
and finds something.

After corrections my imapd.conf:

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptsock
ldap_uri: ldaps://ldap.example.com:636
ldap_sasl: 0
ldap_size_limit: 20
ldap_filter: (uid=%U)
ldap_group_filter: (cn=%u)
ldap_member_method: filter
ldap_member_filter: (memberUid=%u)
ldap_member_attribute: cn
ldap_base: dc=example,dc=com
ldap_group_base: ou=groups,ou=people,dc=example,dc=com
ldap_member_base: ou=groups,ou=people,dc=example,dc=com

The LDAP now looks as follows:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberUid: earbatov
memberUid: user

I modified the permissions for the admins group:

sam user/postmaster group:admins lrswipkxte

The logs for ptloader now have:

 mail imaps[17540]: ptload(): pinging ptloader
 mail imaps[17540]: connected with no delay
 mail imaps[17540]: ptload(): connected
 mail imaps[17540]: timeout_select: sock = 17, rp = 0x0, wp = 0x4aa71af0, sec = 30
 mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
 mail ptloader[17538]: accepted connection
 mail imaps[17540]: ptload sent data
 mail imaps[17540]: timeout_select: sock = 17, rp = 0x4aa71b70, wp = 0x0, sec = 30
 mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
 mail imaps[17540]: ptload read data back
 mail imaps[17540]: ptload(): empty response from ptloader server
 mail master[17508]: process 17538 exited, signaled to death by 11
 mail master[17508]: service ptloader pid 17538 in READY state: terminated abnormally
 mail imaps[17540]: No data available at all from ptload()
 mail imaps[17540]: ptload completely failed: unable to canonify identifier: earbatov
 mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext earbatov invalid user
 mail master[17613]: about to exec /usr/lib/cyrus-imapd/ptloader
 mail ptloader[17613]: executed
 mail ptloader[17613]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $

The LDAP logs show this:

ldap slapd[30259]: conn=20 op=2 SRCH base="ou=groups,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=earbatov)"
ldap slapd[30259]: conn=20 op=2 SRCH attr=cn
ldap slapd[30259]: conn=20 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

And ptdump reports:

user: admins time: 1250751529 groups: 0
user: cyrusimap time: 1250751556 groups: 0
user: group:admins time: 1250751780 groups: 0
user: postmaster time: 1250751701 groups: 0

Needless to say, the authorization fails, without even giving me
access to the usual, non-shared mailboxes.

>> EA> pts_module: ldap
>>
>> This module is currently very difficult to configure, IMHO.
> That's true. :) But it's doable.

I would be glad not to use this pts_module, but if I leave it to defaults I see:

 mail ptloader[18396]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $
 mail ptloader[18396]: PTS module afskrb not supported
 mail master[18364]: process 18428 exited, status 75
 mail master[18364]: service ptloader pid 18428 in READY state: terminated abnormally

Please refer me to any instructions on pts_module, if I do need to make changes.

One more question: I am confused about the role of ldap_group_filter
and ldap_group_base. Isn't ldap_member* enough?

Evgeniy
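
Added example, not part of the original message and not Cyrus code: a small triage script run over the log lines quoted in the post, separating a badlogin that follows a ptloader crash (signal 11 here) from an ordinary rejected login. The function name, the report fields and the extra `nosuchuser` line are assumptions made for illustration.

```python
import re

# Lines from the post's log excerpt (wraps rejoined); pid 17999 line is constructed.
SAMPLE_LOG = """\
 mail master[17508]: process 17538 exited, signaled to death by 11
 mail master[17508]: service ptloader pid 17538 in READY state: terminated abnormally
 mail imaps[17540]: ptload completely failed: unable to canonify identifier: earbatov
 mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext earbatov invalid user
 mail imaps[17999]: badlogin: net.example.com [192.168.0.78] plaintext nosuchuser invalid user
"""

LINE = re.compile(r"^\s*\S+ (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SIGNALED = re.compile(r"process (\d+) exited, signaled to death by (\d+)")
SERVICE = re.compile(r"service (\S+) pid (\d+) in \S+ state: terminated abnormally")
CANONIFY = re.compile(r"ptload completely failed: unable to canonify identifier: (\S+)")
BADLOGIN = re.compile(r"badlogin: \S+ \[([^\]]+)\] \S+ (\S+) (.+)")


def classify_badlogins(log_text):
    """Split badlogin events into PTS backend failures and ordinary rejections."""
    signals, services, pts_failed, logins = {}, {}, set(), []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        if m := SIGNALED.search(msg):
            signals[m[1]] = int(m[2])          # child pid -> signal number
        elif m := SERVICE.search(msg):
            services[m[2]] = m[1]              # child pid -> service name
        elif m := CANONIFY.search(msg):
            pts_failed.add((pid, m[1]))        # keyed by the imapd pid that asked
        elif m := BADLOGIN.search(msg):
            logins.append((pid, m[2], m[1], m[3]))
    # Signals that killed a ptloader child, e.g. 11 (SIGSEGV).
    ptloader_signals = sorted(s for p, s in signals.items() if services.get(p) == "ptloader")
    report = []
    for pid, user, ip, reason in logins:
        backend = (pid, user) in pts_failed
        report.append({
            "user": user, "client_ip": ip, "logged_reason": reason,
            "cause": "pts_backend_failure" if backend else "rejected",
            "ptloader_signals": ptloader_signals if backend else [],
        })
    return report

if __name__ == "__main__":
    for event in classify_badlogins(SAMPLE_LOG):
        print(event)
```

Both events are logged as "invalid user"; only the first is tied to the ptloader failure, which matters when badlogin counts feed lockout or brute-force alerting.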

