On Fri 25.08.2006 at 23:34 (+0200), Josselin Dulac (I.U.FM.) wrote:

[...]

Apart from the fact that IMHO a Posix 1003 UID should never be multi-valued
and a multi-valued UID will give rise to problems, the following advice
works on our sites for virtual users:

> LDAP_SERVER             localhost
> LDAP_PORT               389
> LDAP_PROTOCOL_VERSION   3
> LDAP_BASEDN             dc=lyon,dc=iufm,dc=fr
> LDAP_TIMEOUT            5
> LDAP_AUTHBIND           1 #My encryption method (SSHA) is only supported 
> with Bind Authentication (and I find it more secure)
> LDAP_MAIL               uid

Not good. For virtual users, if you use a schema such as qmail.schema
and objectclass qmailuser, you can use attribute mailmessagestore for
this; point it to the LDAP_GLOB_UID/UID's home directory.

> LDAP_DOMAIN
> LDAP_GLOB_UID           courier #As I use courier uid, it seems that 
> homeDirectory value is not used: all mailboxes are built in 
> /home/courier/{$mail}

Ok

> LDAP_GLOB_GID           courier
> LDAP_HOMEDIR            homeDirectory

Point this to the same as LDAP_MAIL, i.e. mailmessagestore.

> LDAP_MAILDIR           mail #I use the mail attribute to generate 
> mailbox names (as uid is MULTI-VALUED in my LDAP base, I cannot use uid 
> for that)

Point this to the same as LDAP_HOMEDIR.

> LDAP_FULLNAME           displayName
> LDAP_CRYPTPW            userPassword #As I use a Bind authentication 
> method, this information shouldn't be needed. It's just a leftover from my tests.
> LDAP_DEREF              never
> LDAP_TLS                0

Ok.
                
> #Here is the part of the configuration that is a bit dark to me
> LDAP_EMAILMAP          ([EMAIL PROTECTED]@))
> LDAP_EMAILMAP_BASEDN   dc=lyon,dc=iufm,dc=fr
> LDAP_EMAILMAP_ATTRIBUTE uid
> LDAP_EMAILMAP_MAIL mail

Do not set any of these.

> Here is my syslog file after a login attempt (warning about maildirmake 
> seems ok as it's not my 1st login attempt and mailboxes have been built 
> on 1st login) -----------------------------------------------------
> Aug 25 23:31:57 localhost imapd: Connection, ip=[::ffff:127.0.0.1]
> Aug 25 23:31:57 localhost imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], 
> command=LOGIN
> Aug 25 23:31:57 localhost imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], 
> username=j.dulac
> Aug 25 23:31:57 localhost imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], 
> password=¤¤¤¤¤¤
> Aug 25 23:31:57 localhost imapd: authdaemon: starting client module
> Aug 25 23:31:57 localhost authdaemond.ldap: received auth request, 
> service=imap, authtype=login
> Aug 25 23:31:57 localhost authdaemond.ldap: authldap: trying this module
> Aug 25 23:31:57 localhost authdaemond.ldap: using search filter: 
> (uid=j.dulac)
> Aug 25 23:31:57 localhost authdaemond.ldap: one entry returned, DN: 
> uid=PR08766,ou=People,dc=lyon,dc=iufm,dc=fr
> Aug 25 23:31:57 localhost authdaemond.ldap: raw ldap entry returned:
> Aug 25 23:31:57 localhost authdaemond.ldap: | displayName: Josselin DULAC
> Aug 25 23:31:57 localhost authdaemond.ldap: | mail: 
> [EMAIL PROTECTED]
> Aug 25 23:31:57 localhost authdaemond.ldap: | uid: PR08766
> Aug 25 23:31:57 localhost authdaemond.ldap: | uid: j.dulac
> Aug 25 23:31:57 localhost authdaemond.ldap: | uid: Josselin
> Aug 25 23:31:57 localhost authdaemond.ldap: | homeDirectory: /home/PR08766/

As stated, for virtual UID/GIDs, Courier IMAP expects LDAP_HOMEDIR to be
the same as LDAP_MAILDIR and writes its configuration files to this.

> Aug 25 23:31:57 localhost authdaemond.ldap: authldaplib: 
> sysusername=j.dulac, sysuserid=500, sysgroupid=500, 
> homedir=/home/PR08766/, address=j.dulac, fullname=Josselin DULAC, 
> [EMAIL PROTECTED], quota=<null>, options=<null>
> Aug 25 23:31:57 localhost authdaemond.ldap: authldaplib: 
> clearpasswd=<null>, passwd=<null>
> Aug 25 23:31:57 localhost authdaemond.ldap: rebinding with DN 
> 'uid=PR08766,ou=People,dc=lyon,dc=iufm,dc=fr' to validate password
> Aug 25 23:31:57 localhost authdaemond.ldap: authentication bind successful
> Aug 25 23:31:57 localhost authdaemond.ldap: authldap: ACCEPT, username 
> j.dulac
> Aug 25 23:31:57 localhost imapd: authdaemon: ACCEPT, username j.dulac
> Aug 25 23:31:57 localhost imapd: maildirmake: File exists

It probably does, yes. Test as root with Courier authdaemon's authtest -
it will point to your maildir, using both Home Directory and Maildir
attributes.

--Tonni

-- 
Tony Earnshaw
reservebergenser :)
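
As an added illustration (not part of the thread, and not Courier's own code): a small Python triage helper that reads authdaemond.ldap debug lines like those quoted above, works out which attribute the search filter keyed on, and reports when that attribute is multi-valued on the returned entry, which is the situation Tonni warns about. The log text is a constructed sample; the mail address and password values are placeholders, and the script assumes the imapd LOGIN debug line carries the password field as shown in the quoted log.

```python
import re

# Constructed sample modelled on the authdaemond.ldap debug lines quoted above;
# the mail address and password are placeholders, not values from the thread.
SAMPLE_LOG = """\
Aug 25 23:31:57 localhost imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], username=j.dulac
Aug 25 23:31:57 localhost imapd: LOGIN: DEBUG: ip=[::ffff:127.0.0.1], password=placeholder
Aug 25 23:31:57 localhost authdaemond.ldap: using search filter: (uid=j.dulac)
Aug 25 23:31:57 localhost authdaemond.ldap: one entry returned, DN: uid=PR08766,ou=People,dc=lyon,dc=iufm,dc=fr
Aug 25 23:31:57 localhost authdaemond.ldap: raw ldap entry returned:
Aug 25 23:31:57 localhost authdaemond.ldap: | displayName: Josselin DULAC
Aug 25 23:31:57 localhost authdaemond.ldap: | mail: user@example.invalid
Aug 25 23:31:57 localhost authdaemond.ldap: | uid: PR08766
Aug 25 23:31:57 localhost authdaemond.ldap: | uid: j.dulac
Aug 25 23:31:57 localhost authdaemond.ldap: | uid: Josselin
Aug 25 23:31:57 localhost authdaemond.ldap: | homeDirectory: /home/PR08766/
Aug 25 23:31:57 localhost authdaemond.ldap: rebinding with DN 'uid=PR08766,ou=People,dc=lyon,dc=iufm,dc=fr' to validate password
"""

FILTER_RE = re.compile(r"using search filter: \((\w+)=([^)]*)\)")
DN_RE = re.compile(r"one entry returned, DN: (.*)$")
ATTR_RE = re.compile(r"authdaemond\.ldap: \| (\w+): (.*)$")
PASSWORD_RE = re.compile(r"LOGIN: DEBUG: .*\bpassword=")


def analyse_auth_log(text):
    """Summarise one authldap lookup and list the problems visible in it."""
    report = {"login_attr": None, "login_value": None, "dn": None,
              "entry": {}, "findings": []}
    for line in text.splitlines():
        if m := FILTER_RE.search(line):          # which attribute the login keyed on
            report["login_attr"], report["login_value"] = m.group(1), m.group(2)
        elif m := DN_RE.search(line):            # the entry that will be bound as
            report["dn"] = m.group(1)
        elif m := ATTR_RE.search(line):          # one "| attr: value" line of the entry
            report["entry"].setdefault(m.group(1), []).append(m.group(2))
        elif PASSWORD_RE.search(line):           # LOGIN debug wrote the password out
            report["findings"].append("password field present in syslog LOGIN debug output")
    values = report["entry"].get(report["login_attr"], [])
    if len(values) > 1:
        report["findings"].append(
            f"{report['login_attr']} is multi-valued on {report['dn']} "
            f"({len(values)} values); the filter matched on '{report['login_value']}'")
    return report


if __name__ == "__main__":
    for finding in analyse_auth_log(SAMPLE_LOG)["findings"]:
        print("FINDING:", finding)
```

Run it against a real syslog excerpt taken while DEBUG logging is on to see which of the three uid values the login actually resolved through and whether the log itself needs scrubbing.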

