Okay Iustin, I think I may need a little help.  Looking at my authldaprc
(pasted below), is the final section dealing with the controlhandle
attribute the method you are referring to?  If so, would I have to create a
schema (ex. misc.schema) to add the controlhandle attribute, and reference
it to the qmailuser objectclass?  Or am I way off base?
Also, in the qmail/courier install instructions from DS's Qmail Handbook,
there is no reference to adding authdaemond to the startup files.  I added
authdaemond and imapd to the qmail startup script.  Is this the correct
procedure?
Any help is definitely appreciated.
Thanks  --  John

AUTHLDAPRC:
##VERSION: $Id: authldaprc,v 1.13 2002/03/27 03:51:25 mrsam Exp $
#
# Copyright 2000-2001 Double Precision, Inc.  See COPYING for
# distribution information.
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# authldaprc created from authldaprc.dist by sysconftool
#
# DO NOT INSTALL THIS FILE with world read permissions.  This file
# might contain the LDAP admin password!
#
# This configuration file specifies LDAP authentication parameters
#
# The format of this file must be as follows:
#
# field[spaces|tabs]value
#
# That is, the name of the field, followed by spaces or tabs, followed by
# field value.  No trailing spaces.
#
# Here are the fields:

##NAME: LOCATION:0
#
# Location of your LDAP server:

LDAP_SERVER             animal.test.com
LDAP_PORT               389

##NAME: LDAP_BASEDN:0
#
# Look for authentication here:

LDAP_BASEDN             dc=test,dc=com

##NAME: LDAP_BINDDN:0
#
# You may or may not need to specify the following.  Because you've got
# a password here, authldaprc should not be world-readable!!!

LDAP_BINDDN             uid=courier,ou=MailSystem,dc=test,dc=com
LDAP_BINDPW             password
# LDAP_BINDPW     {KERBEROS}[EMAIL PROTECTED]

##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search

LDAP_TIMEOUT            5

##NAME: LDAP_AUTHBIND:0
#
# Define this to have the ldap server authenticate passwords.  If LDAP_AUTHBIND
# the password is validated by rebinding with the supplied userid and password.
# If rebind succeeds, this is considered to be an authenticated request.  This
# does not support CRAM-MD5 authentication, which requires userPassword.
#
# WARNING - as of the time this note is written, there are memory leaks in
# OpenLDAP that affect this option, see ITS #1116 in openldap.org's bug
# tracker.  Avoid using this option until these leaks are plugged.
#
# LDAP_AUTHBIND         1

##NAME: LDAP_MAIL:0
#
# Here's the field on which we query

LDAP_MAIL               mail

##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly specified.
#
LDAP_DOMAIN             test.com

##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts
# The values can be usernames or userids:
#
LDAP_GLOB_UID           vmail
LDAP_GLOB_GID           vmail

##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it

LDAP_HOMEDIR            mailMessageStore

##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory.  If not specified, ./Maildir will be used

LDAP_MAILDIR            mailMessageStore

##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
# LDAP_MAILDIRQUOTA     maildirQuota


##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name

LDAP_FULLNAME           cn

##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password.  CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED.  If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!

# LDAP_CLEARPW          clearPassword

LDAP_CRYPTPW            userPassword

##NAME: LDAP_IDS:0
#
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids.  Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above.  LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone.  Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
# LDAP_UID              uidNumber
# LDAP_GID              gidNumber

##NAME: LDAP_DEREF:0
#
# Determines how aliases are handled during a search.  This option is available
# only with OpenLDAP 2.0
#
# LDAP_DEREF can be one of the following values:
# never, searching, finding, always. If not specified, aliases are
# never dereferenced.

LDAP_DEREF              never

##NAME: LDAP_TLS:0
#
# Set LDAP_TLS to 1 to enable LDAP over SSL/TLS.  Experimental setting.
# Requires OpenLDAP 2.0
#

# LDAP_TLS              0

##NAME: LDAP_EMAILMAP:0
#
# The following optional settings, if enabled, result in an extra LDAP
# lookup to first locate a handle for an E-mail address, then a second lookup
# on that handle to get the actual authentication record.  You'll need
# to uncomment these settings to enable an email handle lookup.
#
# The E-mail address must be of the form user@realm, and this is plugged
# into the following search string.  "@user@" and "@realm@" are placeholders
# for the user and the realm portions of the login ID.
#
# LDAP_EMAILMAP         (&(userid=@user@)(realm=@realm@))

##NAME: LDAP_EMAILMAP_BASEDN:0
#
# Specify the basedn for the email lookup.  The default is LDAP_BASEDN.
#
# LDAP_EMAILMAP_BASEDN  o=emailmap, c=com


##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
#
# The attribute which holds the handle.  The contents of this attribute
# are then plugged into the regular authentication lookup, and you must set
# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
# records (which may be the same as LDAP_MAIL).
# You MUST also leave LDAP_DOMAIN undefined.  This enables authenticating
# by handles only.
#
# Here's an example:
#
# dn: userid=john, realm=example.com, o=emailmap, c=com  # LDAP_EMAILMAP_BASEDN
# userid: john          # LDAP_EMAILMAP search
# realm: example.com    # LDAP_EMAILMAP search
# handle: cc223344      # LDAP_EMAILMAP_ATTRIBUTE
#
#
# dn: controlHandle=cc223344, o=example, c=com      # LDAP_BASEDN
# controlHandle: cc223344         # LDAP_EMAILMAP_MAIL set to "controlHandle"
# uid: ...
# gid: ...
# [ etc... ]
#
# LDAP_EMAILMAP_ATTRIBUTE handle

##NAME: LDAP_EMAILMAP_MAIL:0
#
# After reading LDAP_EMAILMAP_ATTRIBUTE, the second query will go against
# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
#
# LDAP_EMAILMAP_MAIL mail

> -----Original Message-----
> From: Iustin Pop [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 01, 2002 11:53 AM
> To: John Green
> Cc: Courier-Users (E-mail)
> Subject: RE: [courier-users] IMAP: LDAP authentication
>
>
> Hello there. From what I can see, you didn't correctly configure the
> authldaprc. You must keep in mind there are two methods of
> authenticating against LDAP:
>       1. Courier (or other app) retrieves clear text pwd, and checks it
> matches (cannot be used with LDAP+Kerberos)
>       2. Courier (or other app) tries to bind with the clear text pwd to the
> LDAP server, which will itself check the pwd, by a method depending on
> how it was configured.
>
> My guess is that you use method nr.1 (courier comes out-of-the-box with
> that), and you need to change to 2. Read the authldaprc comments some
> more, and if you cannot manage, I'll try to explain some more.
>
> Regards,
> Iustin Pop
>
> On Wed, 2002-05-01 at 21:13, John Green wrote:
> > Thanks Aly, that's good advice, but I would prefer to keep the
> > authentication funnel running through LDAP to Kerberos, mainly as the LDAP
> > directory will eventually also be responsible for authentication for other
> > daemons (Samba, etc).  I'm trying to keep it simple (by making it more
> > complicated?).  But that is a good last resort or temporary fix till I can
> > figure out a way.  I have a sales dept who really wants shared calendaring
> > NOW.  Ouch.
> >
> > > -----Original Message-----
> > > From: Aly Dharshi [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, May 01, 2002 10:13 AM
> > > To: John Green
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: [courier-users] IMAP: LDAP authentication
> > >
> > >
> > > Hi There,
> > >
> > >     I hope that you are well, wouldn't it be simpler to use the Kerb PAM
> > > modules instead of LDAP to Kerb as Kerb is your authentication system anyhow ?
> > >
> > >     If you are on a RH 7.2 box there are PAM libs for krb5 so you could use
> > > that via PAM authentication to authenticate right ? Unless you have a very
> > > particular setup.
> > >
> > >     Cheers,
> > >
> > >         Aly.
> > >
> > >
> > > ------------------
> > > Aly Dharshi
> > > System Administrator ORS
> > > aly.dharshi at uleth.ca
> > > aly.dharshi at cs.uleth.ca
> > >
> > > Got *nix ? *nix the better alternative to Winblows
> > >
> > >
> > > ----- Original Message -----
> > > From: "John Green" <[EMAIL PROTECTED]>
> > > To: "Courier-Users (E-mail)" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, May 01, 2002 10:35 AM
> > > Subject: [courier-users] IMAP: LDAP authentication
> > >
> > >
> > > > I'm having some difficulty getting Courier-IMAP to run with Qmail/LDAP. I
> > > > am trying to authenticate to an LDAP directory, which authenticates passwords
> > > > from a Kerberos V5 server.  I have installed Courier-IMAP, and it is
> > > > running, listening on port 143, etc, but when I try to log in via an IMAP
> > > > client my logins fail.  I tried running a telnet session to port 143 locally
> > > > and using "a1 login username password", and the login failed.  I can browse
> > > > the LDAP tree with the courier uid I set up, and it reflects all the access
> > > > I have given that uid. Qmail was authenticating fine to LDAP before I
> > > > installed Courier, and I can still send mail from an IMAP client.
> > > > The main sources of info I have are Dave Sill's Qmail handbook, this
> > > > website: http://www.cerritoslug.org/tutorials/qmail-ldap/installing.html
> > > > and the courier home page.
> > >
> > > > Can anyone direct me to a "known good" source of info?  I've tried the man
> > > > pages, and Google searches, and have come up with some info, but I can't
> > > > verify that they are correct.  As with the examples I mentioned, there are
> > > > similarities, but differences, and none have worked for me.
> > > >
> > > > Also, is there any "quick test" that would shed more light on what is going
> > > > wrong?
> > > >
> > > > I know this is a "newbie-ish" post, but I am in a tight situation with
> > > > getting a mail system to work.  I've gotten Sendmail/Cyrus-IMAP running, but
> > > > from what I have read the Qmail/Courier-IMAP combo is superior software, and
> > > > I'd like to give it a shot.  Any help would be appreciated.
> > >
> > >
> > >
> >
> >
>
>
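As an added example, not code from this thread or from Courier itself: a small Python check that reads an authldaprc in the field/value format described in the file above, reports whether it configures Iustin's method 1 (fetch LDAP_CLEARPW/LDAP_CRYPTPW and compare locally) or method 2 (LDAP_AUTHBIND rebind), builds the account lookup filter with LDAP_DOMAIN appended, and flags the mismatch that arises when the LDAP directory defers password checking to Kerberos. The sample file, the RFC 4515 filter escaping and the wording of the findings are this example's own assumptions.

```python
import re

# Constructed sample modelled on the authldaprc posted in the thread, not the real file.
SAMPLE_AUTHLDAPRC = """\
# lines starting with '#' are comments; otherwise field[spaces|tabs]value
LDAP_BASEDN             dc=test,dc=com
LDAP_BINDDN             uid=courier,ou=MailSystem,dc=test,dc=com
LDAP_BINDPW             password
LDAP_MAIL               mail
LDAP_DOMAIN             test.com
LDAP_HOMEDIR            mailMessageStore
# LDAP_AUTHBIND         1
LDAP_CRYPTPW            userPassword
"""

def parse_authldaprc(text: str) -> dict:
    """One 'field value' pair per line; comment and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = re.split(r"[ \t]+", line.strip(), maxsplit=1)
        cfg[parts[0]] = parts[1] if len(parts) == 2 else ""   # bare field -> ''
    return cfg

def auth_method(cfg: dict) -> str:
    """'bind'    = method 2: rebind as the user, the LDAP server checks the password.
    'compare' = method 1: read LDAP_CLEARPW/LDAP_CRYPTPW and compare locally."""
    if cfg.get("LDAP_AUTHBIND") == "1":
        return "bind"
    return "compare" if cfg.keys() & {"LDAP_CLEARPW", "LDAP_CRYPTPW"} else "none"

def search_filter(cfg: dict, login: str) -> str:
    """Filter for the account lookup; LDAP_DOMAIN is appended when the login
    has no '@'. The RFC 4515 escaping is this example's own precaution."""
    if "@" not in login and cfg.get("LDAP_DOMAIN"):
        login = f"{login}@{cfg['LDAP_DOMAIN']}"
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29")):
        login = login.replace(ch, esc)
    return f"({cfg.get('LDAP_MAIL', 'mail')}={login})"

def findings(cfg: dict, passwords_in_kerberos: bool) -> list:
    """Checks taken from the authldaprc comments and from Iustin's reply."""
    out = []
    if passwords_in_kerberos and auth_method(cfg) != "bind":
        out.append("passwords live in Kerberos, not LDAP: set LDAP_AUTHBIND 1 (method 2)")
    if "LDAP_BINDPW" in cfg:
        out.append("LDAP_BINDPW is set: authldaprc must not be world-readable")
    if "LDAP_EMAILMAP" in cfg and "LDAP_DOMAIN" in cfg:
        out.append("LDAP_EMAILMAP requires LDAP_DOMAIN to be left undefined")
    return out
```

Run `findings(parse_authldaprc(open("/path/to/authldaprc").read()), True)` against a real file to see which of the two methods it selects and what still needs changing.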


_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users