I'm having trouble getting Cyrus-IMAP to authenticate against an OpenLDAP
server using PAM modules.  I seem to be able to get Cyrus/SASL to work with
PAM when it's authenticating against /etc/passwd, but as soon as I point it
at LDAP it refuses to work.

Of course, it's hard to know where to post for help when you have so many
pieces working together.  Since I think I limited it down to the PAM -> LDAP
connection, I sent a large "help me!" message to the padl.com mailing list
for nss_ldap/pam_ldap modules.  But I believe a number of people on this
list have my intended configuration up and running, so I'm going to re-post
my "help me!" message below in hope that someone from this list can shed
some light on my troubles.  If you don't know what I'm talking about, then
just delete me and move along :^)

--Josh


[Below is full description of problem, along with logs]
-------------------------------------------------------

I'm working on getting a new installation of the Cyrus IMAP server (2.0.9)
authenticating against an OpenLDAP (2.0.7) server.  As expected, SASL
(1.5.24), PAM (0.74) and the nss_ldap/pam_ldap modules sit in between these
two.

I believe I've chased the problem down to something between PAM and LDAP....
Cyrus works just fine through SASL and PAM when PAM is pointed to my
/etc/passwd file.  But as soon as I tell PAM to reference LDAP, it starts
choking...

I understand the need for plain/cleartext passwords throughout the system,
and believe I have everything compiled and set up to talk that way as
evidenced by the working Cyrus->SASL->PAM->/etc/passwd route.

But as soon as I change my /etc/pam.d/imap file to look like the following:

-----
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
-----


My Cyrus 'imtest -m login -u jpenix -a jpenix localhost' session goes like
this:

-----
C: C01 CAPABILITY
S: * OK celery.projectdesign.com Cyrus IMAP4 v2.0.9 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Password: 
C: L01 LOGIN jpenix {8}
+ go ahead
C: <omitted>
failure: prot layer failure
-----


The /var/log/ldap.log from the above session:

-----
Feb 26 02:04:29 celery slapd[29687]: daemon: conn=22 fd=18 connection from
IP=127.0.0.1:33082 (IP=0.0.0.0:389) accepted. 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 BIND dn="" method=128 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 RESULT tag=97 err=0 text= 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SRCH
base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)" 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SEARCH RESULT tag=101
err=0 text= 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 BIND dn="CN=JOSHUA
PENIX,DC=PROJECTDESIGN,DC=COM" method=128 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 RESULT tag=97 err=0 text= 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=3 BIND dn="" method=128 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=3 RESULT tag=97 err=0 text= 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=4 UNBIND 
Feb 26 02:04:29 celery slapd[29687]: conn=-1 fd=18 closed 
-----


And *no* mention of it in /var/log/messages where I'd expect to see PAM
messages, and *no* mention of it in /var/log/imapd.log where I'd expect to
see Cyrus complaining.

Interestingly, the above only happens when I type the password CORRECTLY.
Here's an 'imtest -m login -u jpenix -a jpenix localhost' where I purposely
type the password incorrectly:

-----
C: C01 CAPABILITY
S: * OK celery.projectdesign.com Cyrus IMAP4 v2.0.9 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Password: 
C: L01 LOGIN jpenix {4}
+ go ahead
C: <omitted>
L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
-----


And here's the /var/log/ldap.log from the session with incorrect password:

-----
Feb 26 02:07:47 celery slapd[29687]: daemon: conn=23 fd=18 connection from
IP=127.0.0.1:33084 (IP=0.0.0.0:389) accepted. 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 BIND dn="" method=128 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 RESULT tag=97 err=0 text= 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=1 SRCH
base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)" 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=1 SEARCH RESULT tag=101
err=0 text= 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 BIND dn="CN=JOSHUA
PENIX,DC=PROJECTDESIGN,DC=COM" method=128 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 RESULT tag=97 err=49 text=

Feb 26 02:07:47 celery slapd[29687]: conn=23 op=3 BIND dn="" method=128 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=3 RESULT tag=97 err=0 text= 
Feb 26 02:07:57 celery slapd[29687]: conn=-1 fd=18 closed 
-----


And now we also get a mention in /var/log/messages:

-----
Feb 26 02:07:47 celery imapd[29810]: pam_ldap: error trying to bind as user
"cn=Joshua Penix, dc=projectdesign,dc=com" (Invalid credentials)
Feb 26 02:07:47 celery imap(pam_unix)[29810]: authentication failure;
logname= uid=76 euid=76 tty= ruser= rhost=  user=jpenix
-----

So it's *GOT* to be checking *SOMETHING* against my LDAP password or else
the sessions wouldn't differ based on what I type.  Perhaps I'm barking up
the wrong tree?  Maybe the problem occurs after everything is authenticated?
The "failure: prot layer failure" message isn't very descriptive and I can't
seem to get any more debugging info out of PAM or SASL... any suggestions on
where to kick up some logging/error message levels would be great.

Further information that might be useful:

The password is stored in LDAP using the 'userPassword' attribute, and is
formatted like '{crypt}hashedstuffhere'.

My /etc/ldap.conf:

-----
host 127.0.0.1
base dc=projectdesign,dc=com
pam_password crypt
ssl no
-----

My /etc/openldap/ldap.conf (not sure what purpose this file serves vs.
/etc/ldap.conf):

-----
HOST 127.0.0.1
BASE dc=projectdesign,dc=com
-----

My /etc/imapd.conf:

-----
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus mailadmin
allowanonymouslogin: no
sasl_pwcheck_method: pam
-----


And that's it!  I can't think of anything else... there must be something
obvious I'm missing.  Would appreciate if someone would take a look at the
above and tell me where I'm going wrong.  Or if anyone who has it working
wants to post their configs, that'd be great... or at least let me know
where I should be looking and how to get better debug logs out of the
PAM/LDAP modules.

Thanks much!!!  I promise to write up a howto once this is working...

--Josh
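One way to read the two slapd sessions above side by side is to pair each BIND with its RESULT (tag=97 is the LDAP BindResponse; err=0 is success, err=49 is invalidCredentials) per connection and op, which makes it obvious that the directory accepted the user bind in the first session and rejected it in the second. This is an added example, not code from the post or from pam_ldap; the log lines embedded in it are a constructed sample modelled on the ones quoted above.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the slapd log lines quoted in the post:
# conn=22 is the correct-password session, conn=23 the wrong-password one.
SAMPLE_LOG = """\
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 BIND dn="" method=128
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 RESULT tag=97 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SRCH base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)"
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SEARCH RESULT tag=101 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 BIND dn="CN=JOSHUA PENIX,DC=PROJECTDESIGN,DC=COM" method=128
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 RESULT tag=97 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=4 UNBIND
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 BIND dn="CN=JOSHUA PENIX,DC=PROJECTDESIGN,DC=COM" method=128
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the BindResponse, so this only matches results of bind operations
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

# LDAP result codes that matter for binds (RFC 4511 names)
ERR_NAMES = {0: "success", 49: "invalidCredentials", 32: "noSuchObject"}

def bind_outcomes(log_text):
    """Pair each BIND with its RESULT by (conn, op).
    Returns {conn: [(dn, err_code, err_name), ...]} in log order."""
    pending = {}
    out = OrderedDict()
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, _method = m.groups()
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is None:          # RESULT with no matching BIND seen
                continue
            err = int(err)
            out.setdefault(conn, []).append((dn, err, ERR_NAMES.get(err, "other")))
    return out

def user_bind_failed(outcomes, conn):
    """True if any non-anonymous bind (non-empty dn) on conn returned an error."""
    return any(err != 0 for dn, err, _ in outcomes.get(conn, []) if dn)

if __name__ == "__main__":
    for conn, binds in bind_outcomes(SAMPLE_LOG).items():
        for dn, err, name in binds:
            print(f"conn={conn} bind as {dn or '<anonymous>'}: err={err} ({name})")
```

Running it on the real /var/log/ldap.log shows which connections had a rejected user bind; a connection whose user bind returned err=0 but still ended in a login failure points the search downstream of LDAP, at PAM or SASL.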
