LDAP auth and ptloader
Sven Schwedas
sven.schwedas at tao.at
Wed Jun 12 10:20:39 EDT 2019
Sorry for the delay, I was busy with other projects. :/

On 26.04.19 10:03, ellie timoney wrote:
> Hi Sven,
>
> I don't know much about running it in a production capacity, but our
> test suite sets up the following for LDAP pts:
>
> imapd.conf:
> ...
> ptloader_sock: /path/to/some/socket
> auth_mech: pts
> pts_module: ldap
> ...
>
> cyrus.conf:
> SERVICES {
> ...
> ptloader cmd="ptloader" listen="/path/to/some/socket"
> ...
> }
>
> Does this get you going?
It starts now, and according to the log, ptloader is initialized, but it
doesn't find any LDAP groups, and I can't really figure out why – it
just silently fails to find any groups (so users can't access shared
folders), with no indication in the logs as to why, even with
debug/chatty both enabled.

Groups *do* work with pts disabled and libpam-winbind resolving them as
native groups, so they *should* be set up correctly, I think.

Relevant settings:
> # These make no difference
> #debug: 1
> #chatty: 1
>
> # Same as in sample, path correct
> #auth_mech: pts
> pts_module: ldap
> ptloader_sock: /var/run/cyrus/socket/pts
>
> # Work, verified with s_client
> ldap_uri: ldaps://graz-dc-sem.ad.tao.at/
> ldap_ca_file: /usr/local/share/ca-certificates/tao-ad-ca.crt
> ldap_verify_peer: yes
>
> ldap_version: 3
> ldap_sasl: 0
> ldap_bind_dn: CN=some_user,CN=Users,DC=ad,DC=tao,DC=at
> ldap_password: some_password
> # Seems to work up to here, wrong password results in a ptloader error
> # message. Correct password results in no output?
>
> ldap_base: CN=Users,DC=ad,DC=tao,DC=at
> ldap_group_base: CN=Users,DC=ad,DC=tao,DC=at
> ldap_member_base: CN=Users,DC=ad,DC=tao,DC=at
>
> # These SHOULD work, and do work with ldapsearch, but silently fail?
> ldap_group_filter: (&(|(cn=%u)(sAMAccountName=%u))(objectClass=group))
> ldap_member_attribute: memberUid
> ldap_user_attribute: uid
> ldap_filter: (uid=%u)
Is there another way to get ptloader to spit out debug information and
pinpoint what's not set up correctly?
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
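
One way to narrow down a silent lookup failure like the one described in this message is to replay the configured searches by hand with the same bind DN. The following is an added example, not part of the original message and not Cyrus code: it expands the `ldap_filter` and `ldap_group_filter` templates quoted above and prints matching `ldapsearch` command lines. It assumes `%u` stands for the login or group name, that the member attribute is read from the user entry, and uses the constructed sample names `alice` and `staff`.

```python
import re
import shlex

# Constructed copy of the LDAP settings quoted in the message (password omitted).
CONF = """\
ldap_uri: ldaps://graz-dc-sem.ad.tao.at/
ldap_bind_dn: CN=some_user,CN=Users,DC=ad,DC=tao,DC=at
ldap_base: CN=Users,DC=ad,DC=tao,DC=at
ldap_group_base: CN=Users,DC=ad,DC=tao,DC=at
ldap_group_filter: (&(|(cn=%u)(sAMAccountName=%u))(objectClass=group))
ldap_member_attribute: memberUid
ldap_filter: (uid=%u)
"""

def parse_conf(text):
    """Parse imapd.conf-style 'key: value' lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so the name stays one literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, name):
    """Assumption: %u is the login or group name and %% a literal percent sign."""
    escaped = escape_filter_value(name)
    return re.sub(r"%([%u])", lambda m: "%" if m.group(1) == "%" else escaped, template)

def replay_commands(conf, user, group):
    """Build the two ldapsearch calls, bound as the same DN ptloader uses."""
    common = ["ldapsearch", "-LLL", "-x", "-W", "-H", conf["ldap_uri"],
              "-D", conf["ldap_bind_dn"]]
    # Assumption: the member attribute is read from the entry ldap_filter matches.
    user_cmd = common + ["-b", conf["ldap_base"],
                         expand(conf["ldap_filter"], user),
                         conf["ldap_member_attribute"]]
    group_cmd = common + ["-b", conf["ldap_group_base"],
                          expand(conf["ldap_group_filter"], group)]
    return shlex.join(user_cmd), shlex.join(group_cmd)

if __name__ == "__main__":
    # "alice" and "staff" are constructed sample names.
    for cmd in replay_commands(parse_conf(CONF), "alice", "staff"):
        print(cmd)
```

If either command returns no entry or an entry without the requested attribute, the corresponding filter or attribute setting does not match what the directory stores.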