HELP!!!
I've been trying to get Courier IMAP working with OpenLDAP for almost a
week now:
---------------------------------------------------------------
Below is my slapd.conf:
---------------------------------------------------------------
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/imap.schema

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

# TLS
TLSCipherSuite  HIGH:MEDIUM:SSLv2
TLSCertificateFile  /usr/local/etc/ssl.crt/slapd-cert.pem
TLSCertificateKeyFile /usr/local/etc/ssl.key/slapd-key.pem
TLSCACertificateFile /usr/local/etc/ssl.crt/slapd-cert.pem
TLSRandFile /dev/urandom

allow   bind_v2
# access to attr=userPassword
# Made this as permissive as I thought I could
access to *
          by self write
          by anonymous read
          by dn.base="cn=Manager,dc=kbearstudios,dc=com" write
          by * none
database        bdb
suffix          "dc=kbearstudios,dc=com"
rootdn          "cn=Manager,dc=kbearstudios,dc=com"
rootpw          {SSHA}0PsiatQEiHOEllgqiwsMjcrPDW1s9KXA
directory       /usr/local/var/openldap-data
index   uid             pres,eq
index   email           pres,eq,approx,sub
index   cn,sn           pres,eq,approx,sub
index   objectClass     eq

---------------------------------------------------------------
The schema I'm using:
---------------------------------------------------------------

attributetype ( 2.16.840.1.113730.3.1.1
        NAME 'homeDirectory'
        DESC 'User home directory email server'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

attributetype ( 2.16.840.1.113730.3.1.2
        NAME 'uidNumber'
        DESC 'identifies user ID to run-as'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

attributetype ( 2.16.840.1.113730.3.1.241
        NAME 'gidNumber'
        DESC 'identifies group id to run-as'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

objectclass     ( 2.16.840.1.113730.3.2.2
    NAME 'CourierMailAccount'
    DESC 'Additional Fields Needed to Support CourierMail'
    SUP person
    STRUCTURAL
        MAY ( homeDirectory $ uidNumber $ gidNumber $ mail )
)

---------------------------------------------------------------
This is my authldap (comments stripped for brevity):
---------------------------------------------------------------

LDAP_SERVER             localhost
LDAP_PORT               389
LDAP_BASEDN             ou=users, dc=kbearstudios, dc=com

##NAME: LDAP_BINDDN:0
# This didn't seem to make a difference
# LDAP_BINDDN           cn=Manager, dc=kbearstudios, dc=com
# LDAP_BINDPW           <my cleartext password>

LDAP_TIMEOUT            5
LDAP_AUTHBIND           1
LDAP_MAIL               mail
LDAP_FILTER           (objectClass=CourierMailAccount)
LDAP_DOMAIN             kbearstudios.no-ip.biz
LDAP_HOMEDIR            homeDirectory
LDAP_MAILROOT        /var/MailRoot
LDAP_FULLNAME           sn
# LDAP_CLEARPW          clearPassword
LDAP_CRYPTPW            userPassword
LDAP_UID                uidNumber
LDAP_GID                gidNumber
LDAP_DEREF              never
LDAP_TLS                0

---------------------------------------------------------------
This is my authdaemonrc:
---------------------------------------------------------------

authmodulelist="authldap"
authmodulelistorig="authcustom authcram authuserdb authldap authpam"
daemons=5
version="authdaemond.ldap"
authdaemonvar=/usr/lib/courier-imap/var/authdaemon

---------------------------------------------------------------
The entry I'm trying to authenticate:
---------------------------------------------------------------

cn=sandra,ou=users,dc=kbearstudios,dc=com
[EMAIL PROTECTED]
cn=sandra
uidNumber=0
gidNumber=0
objectClass=top
objectClass=person
objectClass=CourierMailAccount
homeDirectory=/kbearstudios.no-ip.biz/sandra
sn=Sandra McTiernan
userPassword=<SSHA encrypted>

---------------------------------------------------------------
My slapd.server start:
---------------------------------------------------------------
/usr/local/libexec/slapd -d 255 -h "ldaps://0.0.0.0 ldap://127.0.0.1";

---------------------------------------------------------------
My debug results when I try to authenticate (greatly pruned to 
get under the 40MB limit on this list):
---------------------------------------------------------------
entry_decode: "cn=sandra,ou=users,dc=kbearstudios,dc=com"
<= entry_decode(cn=sandra,ou=users,dc=kbearstudios,dc=com)
=> test_filter
    AND
=> test_filter_and
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn=sandra,ou=users,dc=kbearstudios,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl cn=sandra,ou=users,dc=kbearstudios,dc=com attr: objectClass
=> acl_mask: access to entry "cn=sandra,ou=users,dc=kbearstudios,dc=com", attr "objectClass" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying read(=rscx) (stop)
<= acl_mask: [2] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
is_object_subclass(2.16.840.1.113730.3.2.2,2.5.6.0) 0
is_object_subclass(2.16.840.1.113730.3.2.2,2.5.6.6) 0
is_object_subclass(2.16.840.1.113730.3.2.2,2.5.6.0) 0
is_object_subclass(2.16.840.1.113730.3.2.2,2.16.840.1.113730.3.2.2) 1
<= test_filter 6
.
.
.
=> access_allowed: read access granted by read(=rscx)
=> access_allowed: read access to "cn=sandra,ou=users,dc=kbearstudios,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
<= acl_get: [1] acl cn=sandra,ou=users,dc=kbearstudios,dc=com attr: uidNumber
access_allowed: result from state (uidNumber)
=> access_allowed: read access to "cn=sandra,ou=users,dc=kbearstudios,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
<= acl_get: [1] acl cn=sandra,ou=users,dc=kbearstudios,dc=com attr: gidNumber
access_allowed: result from state (gidNumber)
=> access_allowed: read access to "cn=sandra,ou=users,dc=kbearstudios,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
<= acl_get: [1] acl cn=sandra,ou=users,dc=kbearstudios,dc=com attr: homeDirectory
access_allowed: result from state (homeDirectory)
=> access_allowed: read access to "cn=sandra,ou=users,dc=kbearstudios,dc=com" "mail" requested
=> acl_get: [1] check attr mail
<= acl_get: [1] acl cn=sandra,ou=users,dc=kbearstudios,dc=com attr: mail
access_allowed: result from state (mail)
=> access_allowed: read access to "cn=sandra,ou=users,dc=kbearstudios,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl cn=sandra,ou=users,dc=kbearstudios,dc=com attr: userPassword
access_allowed: result from state (userPassword)
.
.
.
ber_flush: 263 bytes to sd 12
  0000:  30 82 01 03 02 01 02 64  81 fd 04 29 63 6e 3d 73   0......d...)cn=s
  0010:  61 6e 64 72 61 2c 6f 75  3d 75 73 65 72 73 2c 64   andra,ou=users,d
  .
  .
  .
  00e0:  72 64 31 23 04 21 7b 53  48 41 7d 73 31 55 68 74   rd1#.!{SHA}s1Uht
  00f0:  39 59 78 78 68 71 57 56  33 62 73 63 37 53 54 4a   9YxxhqWV3bsc7STJ
  0100:  2b 45 4a 31 67 77 3d                               +EJ1gw=
ber_dump: buf=0x0028e038 ptr=0x0028e03b end=0x0028e07a len=63
  0000:  60 3d 02 01 02 04 29 63  6e 3d 73 61 6e 64 72 61   `=....)cn=sandra
  0010:  2c 6f 75 3d 75 73 65 72  73 2c 64 63 3d 6b 62 65   ,ou=users,dc=kbe
  0020:  61 72 73 74 75 64 69 6f  73 2c 64 63 3d 63 6f 6d   arstudios,dc=com
  0030:  80 0d 66 6c 75 66 66 79  73 65 61 67 75 6c 6c      ..<clear-text-pwd>
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: select: listen=8 active_threads=1 tvp=NULL
ber_scanf fmt (m}) ber:
ber_dump: buf=0x0028e038 ptr=0x0028e06b end=0x0028e07a len=15
  0000:  00 0d 66 6c 75 66 66 79  73 65 61 67 75 6c 6c      ..<clear-text-pwd>
>>> dnPrettyNormal: <cn=sandra,ou=users,dc=kbearstudios,dc=com>
=> ldap_bv2dn(cn=sandra,ou=users,dc=kbearstudios,dc=com,0)
<= ldap_bv2dn(cn=sandra,ou=users,dc=kbearstudios,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=sandra,ou=users,dc=kbearstudios,dc=com,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=sandra,ou=users,dc=kbearstudios,dc=com,272)=0
<<< dnPrettyNormal: <cn=sandra,ou=users,dc=kbearstudios,dc=com>, <cn=sandra,ou=users,dc=kbearstudios,dc=com>
do_bind: version=2 dn="cn=sandra,ou=users,dc=kbearstudios,dc=com" method=128
==> bdb_bind: dn: cn=sandra,ou=users,dc=kbearstudios,dc=com
bdb_dn2entry_rw("cn=sandra,ou=users,dc=kbearstudios,dc=com")
=> bdb_dn2id_matched( "cn=sandra,ou=users,dc=kbearstudios,dc=com" )
====> bdb_cache_find_entry_dn2id("cn=sandra,ou=users,dc=kbearstudios,dc=com"): 14 (1 tries)
====> bdb_cache_find_entry_id( 14 ) "cn=sandra,ou=users,dc=kbearstudios,dc=com" (found) (1 tries)
=> access_allowed: auth access to "cn=sandra,ou=users,dc=kbearstudios,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl cn=sandra,ou=users,dc=kbearstudios,dc=com attr: userPassword
=> acl_mask: access to entry "cn=sandra,ou=users,dc=kbearstudios,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying read(=rscx) (stop)
<= acl_mask: [2] mask: read(=rscx)
=> access_allowed: auth access granted by read(=rscx)
====> bdb_cache_return_entry_r( 14 ): returned (0)
do_bind: v2 bind: "cn=sandra,ou=users,dc=kbearstudios,dc=com" to "cn=sandra,ou=users,dc=kbearstudios,dc=com"
send_ldap_result: conn=1 op=0 p=2
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
daemon: activity on 1 descriptors
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=1
connection_read(14): checking for input on id=1
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 02 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x0028dc30 ptr=0x0028dc30 end=0x0028dc35 len=5
  0000:  02 01 02 42 00                                     ...B.
ber_get_next
do_unbind
ldap_read: want=8, got=0
ber_get_next on fd 14 failed errno=0 (Error 0)
connection_read(14): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=14 for close
connection_close: deferring conn=1 sd=14
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: select: listen=8 active_threads=1 tvp=NULL
connection_resched: attempting closing conn=1 sd=14
connection_close: conn=1 sd=14
daemon: activity on 1 descriptors
daemon: removing 14
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: select: listen=8 active_threads=1 tvp=NULL


I'm logging in as sandra with <password>.  I have no trouble logging in
as this user with an LDAP browser (both from localhost:389 and remotely
to ldaps).  I'm guessing maybe it's not encrypting the cleartext
password in the same way (SSHA)?  Any help at all would be greatly
appreciated!!!

Thank you,
Kelly McTiernan
[EMAIL PROTECTED]
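Reading the acl_mask lines in the debug output: both the search and the bind are evaluated as the anonymous identity (`by ""`), and the clause that stops evaluation is `[2]`, i.e. `by anonymous read` in the posted `access to *` rule. Read access implies the `auth` right a simple bind needs, but it also lets any unauthenticated client retrieve userPassword hashes, which is what the 263-byte ber_flush (carrying the `{SHA}` value) shows happening. The Python below is an added example, not code from the message or from OpenLDAP: it simulates slapd's first-match ACL evaluation on the posted ruleset and on a hardened one that grants anonymous only `auth` on userPassword. Assumptions: only the slapd.conf subset used on this page is parsed, `continue`/`break` controls are not modelled, and the rootdn (which bypasses ACLs) is not modelled.

```python
"""Simulate slapd's ACL evaluation for the ruleset posted above.

Added example; not code from the message or from OpenLDAP. It reproduces the
first-match semantics visible in the "acl_mask ... (stop)" debug lines: the
first "access to" clause whose target covers the attribute is selected, and
within it the first "by" clause whose subject matches decides the result.
Assumptions: only the slapd.conf subset used here is parsed; continue/break
controls are not modelled; the rootdn (which bypasses ACLs) is not modelled.
"""
import re
from typing import List, Optional, Set, Tuple

# Privilege levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

Acl = Tuple[Optional[Set[str]], List[Tuple[str, str]]]

def parse_acls(conf: str) -> List[Acl]:
    """Return [(attribute set, or None for '*', [(who, level), ...]), ...]."""
    acls: List[Acl] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("access to"):
            what = line[len("access to"):].strip()
            m = re.match(r"attrs=([\w,]+)", what)
            acls.append((set(m.group(1).split(",")) if m else None, []))
            continue
        m = re.match(r'by\s+(dn\.\w+="[^"]*"|\S+)\s+(\w+)', line)
        if m and acls:
            acls[-1][1].append((m.group(1), m.group(2)))
    return acls

def subject_matches(who: str, bind_dn: str, entry_dn: str) -> bool:
    """Match a 'by' subject; bind_dn == '' is the anonymous identity."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    m = re.match(r'dn\.base="([^"]*)"', who)
    if m:
        return bind_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported subject: " + who)

def granted_level(acls: List[Acl], bind_dn: str, entry_dn: str, attr: str) -> str:
    for target, clauses in acls:
        if target is not None and attr not in target:
            continue
        for who, level in clauses:
            if subject_matches(who, bind_dn, entry_dn):
                return level        # first matching 'by' wins (implicit stop)
        return "none"               # 'access to' matched but no 'by' did
    return "none"                   # no directive matched: denied

def allowed(acls: List[Acl], bind_dn: str, entry_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(granted_level(acls, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)

# The ruleset from the posted slapd.conf.
POSTED_ACL = """
access to *
          by self write
          by anonymous read
          by dn.base="cn=Manager,dc=kbearstudios,dc=com" write
          by * none
"""

# Hardened variant: anonymous gets only 'auth' on userPassword (enough for a
# simple bind, never discloses the hash); everything else needs an
# authenticated session. The Manager DN is the rootdn and needs no clause.
HARDENED_ACL = """
access to attrs=userPassword
          by self write
          by anonymous auth
          by * none
access to *
          by self write
          by users read
          by * none
"""

SANDRA = "cn=sandra,ou=users,dc=kbearstudios,dc=com"

def anonymous_can_read_hash(conf: str) -> bool:
    return allowed(parse_acls(conf), "", SANDRA, "userPassword", "read")

def anonymous_can_bind(conf: str) -> bool:
    return allowed(parse_acls(conf), "", SANDRA, "userPassword", "auth")

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        print(f"{name}: anonymous read of userPassword={anonymous_can_read_hash(conf)}, "
              f"simple bind possible={anonymous_can_bind(conf)}")
```

One consequence of the hardened ruleset: the anonymous search that authldap runs before binding (`LDAP_FILTER (objectClass=CourierMailAccount)` with no LDAP_BINDDN) would return nothing, so the commented-out `LDAP_BINDDN`/`LDAP_BINDPW` in the posted authldaprc would have to be set to a least-privilege service account that can read the account attributes but not write them.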
  


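On the question of how the password is hashed: the ber_flush dump above shows the stored value returned to the client starts with `{SHA}` (an unsalted SHA-1 digest, 20 bytes after base64 decoding), and the bind that follows completes with `tag=97 err=0` (tag 97 is an LDAP BindResponse), so slapd itself accepted the supplied password. The Python below is an added example, not code from the message, Courier or OpenLDAP: it implements the RFC 2307-style `{SHA}`/`{SSHA}`/`{MD5}`/`{SMD5}` userPassword encoding that slapd uses, generates a value and verifies a cleartext against it. That comparison is what authldap has to do itself only when `LDAP_AUTHBIND` is 0 and `LDAP_CRYPTPW` is set; with `LDAP_AUTHBIND 1`, as posted, slapd does it during the bind. The sample password and salt are constructed; the only value taken from the page is the `{SHA}` string in the dump, used to show its scheme and length.

```python
"""Encode and verify RFC 2307-style userPassword values ({SHA}, {SSHA}, {MD5}, {SMD5}).

Added example; not code from the message, Courier or OpenLDAP. The salted
forms base64-encode digest(password + salt) followed by the salt itself, so a
verifier recovers the salt from the stored value. The sample password and salt
below are constructed; the {SHA} value is the one visible in the dump.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

DIGESTS = {"SHA": "sha1", "SSHA": "sha1", "MD5": "md5", "SMD5": "md5"}
SALTED = {"SSHA", "SMD5"}

def split_scheme(stored: str) -> Tuple[str, bytes]:
    """Split '{SCHEME}base64data' into (SCHEME, decoded bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, b64 = stored[1:].partition("}")
    return scheme.upper(), base64.b64decode(b64, validate=True)

def make_hash(cleartext: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value laid out the way slapd's {SSHA} etc. are."""
    scheme = scheme.upper()
    if scheme not in DIGESTS:
        raise ValueError("unsupported scheme " + scheme)
    if scheme in SALTED:
        salt = secrets.token_bytes(4) if salt is None else salt   # 4-byte salt (assumption)
    else:
        salt = b""
    digest = hashlib.new(DIGESTS[scheme], cleartext.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")

def password_matches(stored: str, cleartext: str) -> bool:
    """Constant-time check of a cleartext against a stored value; False if malformed."""
    try:
        scheme, raw = split_scheme(stored)
    except ValueError:        # binascii.Error is a ValueError subclass
        return False
    if scheme not in DIGESTS:
        return False          # e.g. {CRYPT}: not handled by this example
    size = hashlib.new(DIGESTS[scheme]).digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (scheme not in SALTED and salt):
        return False
    candidate = hashlib.new(DIGESTS[scheme], cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def describe(stored: str) -> Dict[str, object]:
    """Report the scheme of a stored value and whether/how much salt it carries."""
    scheme, raw = split_scheme(stored)
    size = hashlib.new(DIGESTS[scheme]).digest_size
    return {"scheme": scheme, "salted": len(raw) > size, "salt_bytes": len(raw) - size}

# Taken from the ber_flush dump above: 20 bytes after decoding, i.e. unsalted SHA-1.
POSTED_HASH = "{SHA}s1Uht9YxxhqWV3bsc7STJ+EJ1gw="

if __name__ == "__main__":
    print(describe(POSTED_HASH))
    h = make_hash("constructed-example-password", "SSHA")
    print(h, password_matches(h, "constructed-example-password"), password_matches(h, "wrong"))
```

Two further points a practitioner would check here. The dump's hex column still carries the raw bytes of the bind password even though only the ASCII column was masked, so `-d 255` output should have both columns redacted before it is shared. And independent of the hash scheme, the entry maps the account to `uidNumber=0`/`gidNumber=0`; my understanding (not stated on the page) is that Courier will not run a mail session as root, so a dedicated non-root uid/gid for mail accounts is the safe choice regardless of what turns out to be wrong with the login.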

_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users