Re: [Courier-imap] [Courier+LDAP] Authentication works, but access fails

2006-08-29 Thread Mike Cardwell
* on the Tue, Aug 29, 2006 at 08:04:44AM +0100, Brian Candler wrote:

>> JOOI. Is there a reason that this isn't an option in the official
>> codebase? I'd have thought it was a quite useful option...
>
> See list archives passim - MrSam has refused this request on several
> previous occasions.

Ah. If this has been discussed many times before, I'll leave it alone
after this email.

> The reason is that creation of an account requires several steps
> from a provisioning system, and creation of the homedir and/or
> maildir should be one of those steps.

That's the preferable solution yes. I can't imagine that would be the
case 100% of the time though.

> This makes sense when you think about it. Whilst it may be possible to stick
> a new account in the user database and have the imap server create the
> maildir on first login, what about when you remove an account? You still
> need a process to tidy up obsolete accounts and reclaim their storage. If
> your provisioning system is able to do that, then it could easily create
> maildirs in the first place.

You might have a process detached from the provisioning system that
cleans up expired mailboxes on a weekly basis.

> There are also security considerations. Courier-imap gives up its root
> privileges as soon as possible after the login has been authenticated, so it
> would have permission to create a maildir within an existing homedir owned
> by the correct uid, but not to create the homedir in the first place. (This
> wouldn't be a problem for appliance setups where all the mailboxes are
> owned by the same uid, but not everyone wants to work in that way)

But for the few that do, they could turn the option on if it existed...

Mike

-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap


Re: [Courier-imap] [Courier+LDAP] Authentication works, but access fails

2006-08-29 Thread Brian Candler
On Tue, Aug 29, 2006 at 09:55:52AM +0100, Mike Cardwell wrote:
>> The reason is that creation of an account requires several steps
>> from a provisioning system, and creation of the homedir and/or
>> maildir should be one of those steps.
>
> That's the preferable solution yes. I can't imagine that would be the
> case 100% of the time though.
>
>> This makes sense when you think about it. Whilst it may be possible to stick
>> a new account in the user database and have the imap server create the
>> maildir on first login, what about when you remove an account? You still
>> need a process to tidy up obsolete accounts and reclaim their storage. If
>> your provisioning system is able to do that, then it could easily create
>> maildirs in the first place.
>
> You might have a process detached from the provisioning system that
> cleans up expired mailboxes on a weekly basis.
>
>> There are also security considerations. Courier-imap gives up its root
>> privileges as soon as possible after the login has been authenticated, so it
>> would have permission to create a maildir within an existing homedir owned
>> by the correct uid, but not to create the homedir in the first place. (This
>> wouldn't be a problem for appliance setups where all the mailboxes are
>> owned by the same uid, but not everyone wants to work in that way)
>
> But for the few that do, they could turn the option on if it existed...

Yep. FWIW, I did run one fairly large system creating messages using welcome
E-mails to exim in the same way as you describe. It was successful on the
whole, although there were occasional race conditions if the welcome mail
arrived at exim before the database info had properly propagated.

On the largest system I built, Oracle was the database storage. There was a
trigger on insertion or removal of a mailbox, which inserted a row into a
'jobs' table, and there was another process which periodically scanned this
jobs table and performed maildir creation or deletion as required.

This meant that even if you imported mailboxes manually using direct SQL
INSERT operations, you still got the maildirs created on the NetApp.

Regards,

Brian.


Re: [Courier-imap] [Courier+LDAP] Authentication works, but access fails

2006-08-28 Thread Brian Candler
On Fri, Aug 25, 2006 at 11:34:43PM +0200, Josselin Dulac (I.U.FM.) wrote:
> The mailbox seems correctly created on first login (mailboxes
> directories are well set up).
...
> Aug 25 23:31:57 localhost authdaemond.ldap: authentication bind successful
> Aug 25 23:31:57 localhost authdaemond.ldap: authldap: ACCEPT, username
> j.dulac
> Aug 25 23:31:57 localhost imapd: authdaemon: ACCEPT, username j.dulac
> Aug 25 23:31:57 localhost imapd: maildirmake: File exists

You are running a hacked version of courier-imap, since courier-imap does
not attempt to create directories on login.

You could try running the genuine courier-imap code available from
http://www.courier-mta.org/download.php

If you really want to run someone else's hacked code, then please contact
that someone else for support. There's no way we can help you here, since we
can't see the source code to what you're running.

In any case, you didn't say what version you were running, where you got it
from, or what O/S you're running it under. From the log messages, I believe
the code you are running is derived from courier-imap 3.x or earlier, which
means it's extremely old in any case.

Regards,

Brian.


Re: [Courier-imap] [Courier+LDAP] Authentication works, but access fails

2006-08-28 Thread Brian Candler
On Mon, Aug 28, 2006 at 05:55:36PM +0200, Josselin Dulac (I.U.FM.) wrote:
> Yes, thank you for the information, I was actually just compiling
> courier from scratch because I want to be sure that my problem is not
> solved in a newer version.
> I'm using a RPM from Mandrake 10.2 (2005) with courier-imap 3.0.8.

OK, I guess they modified it then. You should find you can build the
courier-imap RPMs directly from the tarballs on the download page (i.e. they
include all the necessary spec file bits). Note that for 4.x, you'll also
need to build courier-authlib as this is now a separate package.

Regards,

Brian.


Re: [Courier-imap] [Courier+LDAP] Authentication works, but access fails

2006-08-28 Thread Sam Varshavchik

Mike Cardwell writes:

> * on the Mon, Aug 28, 2006 at 06:33:35PM -0400, Sam Varshavchik wrote:
>
>>>> You are running a hacked version of courier-imap, since courier-imap does
>>>> not attempt to create directories on login.
>>>
>>> JOOI. Is there a reason that this isn't an option in the official
>>> codebase? I'd have thought it was a quite useful option...
>>
>> You'll reconsider your thoughts after some stupid glitch causes your NFS
>> mounts to fail, and then the server begins to create random mailboxes on
>> the local disk, and generally screw up everyone's mail clients.
>
> I don't quite understand your logic. It seems to me that you're suggesting
> the option hasn't been added for anyone to use, simply due to the existence
> of NFS...

That's just one example of the same underlying concept.

> What about the people not using NFS, ie the majority?

What about people doing their jobs and either creating the mailboxes
themselves, or setting up a proper account provisioning script, which sets
the new account's login id and password, and creates the account's mailbox?
It is not the IMAP server's job to create mailboxes which did not exist. If
the account's mailbox did not exist it could be because someone simply made
a typo somewhere, or some other kind of a mistake. No assumptions
whatsoever can be made, other than that something is wrong, in which case
the correct course of action is to report an error. Trying to do a job
that's not yours to do, or attempting to second-guess what the right thing
to do is, will always lead to problems.
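As an added example (not code from this thread or from the Courier project), one pass of the kind of periodic scanner Brian describes further down the thread: it consumes a 'jobs' table filled by a database trigger and creates or deletes maildirs on the provisioning side, and it refuses to run at all when the mail store is not mounted, which is exactly the NFS failure Sam gives for not letting the IMAP server create mailboxes. The jobs schema, the mount check via os.path.ismount and the `healthy` override (used so the test can run on an ordinary directory) are assumptions; the function takes any DB-API connection, e.g. sqlite3 standing in for Oracle.

```python
import os
import shutil

# Constructed stand-in for the 'jobs' table a database trigger fills: one row
# per mailbox request, plus a done flag so the periodic scanner is idempotent.
SCHEMA = """CREATE TABLE IF NOT EXISTS jobs (
    id INTEGER PRIMARY KEY,
    action TEXT NOT NULL CHECK (action IN ('create', 'delete')),
    mailbox TEXT NOT NULL,
    done INTEGER NOT NULL DEFAULT 0)"""
MAILDIR_SUBDIRS = ("tmp", "new", "cur")

def safe_mailbox_name(name):
    # A typo or a bad import is an error to report, not a directory to create.
    return bool(name) and "/" not in name and not name.startswith(".")

def store_is_healthy(store_root):
    # Never work under an unmounted store: a failed NFS mount must not turn
    # into mailboxes silently created on the local disk (assumed check).
    return os.path.ismount(store_root) and os.path.isdir(store_root)

def create_maildir(path):
    # Standard tmp/new/cur layout; an existing maildir is left untouched.
    if os.path.isdir(path):
        return "exists"
    for sub in MAILDIR_SUBDIRS:
        os.makedirs(os.path.join(path, sub), mode=0o700)
    return "created"

def delete_maildir(path):
    # Reclaim storage, but only for something that really is a maildir.
    if not all(os.path.isdir(os.path.join(path, s)) for s in MAILDIR_SUBDIRS):
        return "not-a-maildir"
    shutil.rmtree(path)
    return "deleted"

def process_jobs(conn, store_root, healthy=store_is_healthy):
    # One scanner pass; returns [(mailbox, outcome)], rejected rows stay undone.
    if not healthy(store_root):
        raise RuntimeError("mail store %s unavailable; nothing done" % store_root)
    results = []
    query = "SELECT id, action, mailbox FROM jobs WHERE done = 0 ORDER BY id"
    for job_id, action, mailbox in conn.execute(query).fetchall():
        if not safe_mailbox_name(mailbox):
            results.append((mailbox, "rejected"))
            continue
        path = os.path.join(store_root, mailbox)
        outcome = create_maildir(path) if action == "create" else delete_maildir(path)
        conn.execute("UPDATE jobs SET done = 1 WHERE id = ?", (job_id,))
        results.append((mailbox, outcome))
    conn.commit()
    return results
```

A rejected row is deliberately left undone so it shows up on every pass until an operator looks at it, rather than being guessed at.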


Re: [Courier-imap] [Courier+LDAP] Authentication works, but access fails

2006-08-26 Thread Tony Earnshaw
On Fri, 25.08.2006 at 23:34 (+0200), Josselin Dulac (I.U.FM.) wrote:

[...]

Apart from the fact that IMHO a Posix 1003 UID should never be multi-
valued and a multi-valued UID will give rise to problems, the following
advice works on our sites for virtual users:

> LDAP_SERVER localhost
> LDAP_PORT   389
> LDAP_PROTOCOL_VERSION   3
> LDAP_BASEDN dc=lyon,dc=iufm,dc=fr
> LDAP_TIMEOUT5
> LDAP_AUTHBIND   1 #My encryption method (SSHA) is only supported
> with Bind Authentication (and I find it more secure)
> LDAP_MAIL   uid

Not good. For virtual users, if you use a schema such as qmail.schema
and objectclass qmailuser, you can use attribute mailmessagestore for
this; point it to the LDAP_GLOB_UID/UID's home directory.

> LDAP_DOMAIN
> LDAP_GLOB_UID   courier #As I use courier uid, it seems that
> homeDirectory value is not used : all mailboxes are built in
> /home/courier/{$mail}

Ok

> LDAP_GLOB_GID   courier
> LDAP_HOMEDIRhomeDirectory

Point this to the same as LDAP_MAIL, i.e. mailmessagestore.

> LDAP_MAILDIR   mail #I use the mail attribute to generate
> mailboxes names (as uid is MULTI-VALUED in my LDAP base, I cannot use uid
> for that)

Point this to the same as LDAP_HOMEDIR.

> LDAP_FULLNAME   displayName
> LDAP_CRYPTPWuserPassword #As I use a Bind authentication
> method, this information shouldn't be needed. It's just a leftover from my tests.
> LDAP_DEREF  never
> LDAP_TLS0

Ok.

> #Here is the part of the configuration that is a bit dark to me
> LDAP_EMAILMAP  ([EMAIL PROTECTED]@))
> LDAP_EMAILMAP_BASEDN   dc=lyon,dc=iufm,dc=fr
> LDAP_EMAILMAP_ATTRIBUTE uid
> LDAP_EMAILMAP_MAIL mail

Do not set any of these.

> Here is my syslog file after a login attempt (warning about maildirmake
> seems ok as it's not my 1st login attempt and mailboxes have been built
> on 1st login) -
> Aug 25 23:31:57 localhost imapd: Connection, ip=[:::127.0.0.1]
> Aug 25 23:31:57 localhost imapd: LOGIN: DEBUG: ip=[:::127.0.0.1],
> command=LOGIN
> Aug 25 23:31:57 localhost imapd: LOGIN: DEBUG: ip=[:::127.0.0.1],
> username=j.dulac
> Aug 25 23:31:57 localhost imapd: LOGIN: DEBUG: ip=[:::127.0.0.1],
> password=¤¤
> Aug 25 23:31:57 localhost imapd: authdaemon: starting client module
> Aug 25 23:31:57 localhost authdaemond.ldap: received auth request,
> service=imap, authtype=login
> Aug 25 23:31:57 localhost authdaemond.ldap: authldap: trying this module
> Aug 25 23:31:57 localhost authdaemond.ldap: using search filter:
> (uid=j.dulac)
> Aug 25 23:31:57 localhost authdaemond.ldap: one entry returned, DN:
> uid=PR08766,ou=People,dc=lyon,dc=iufm,dc=fr
> Aug 25 23:31:57 localhost authdaemond.ldap: raw ldap entry returned:
> Aug 25 23:31:57 localhost authdaemond.ldap: | displayName: Josselin DULAC
> Aug 25 23:31:57 localhost authdaemond.ldap: | mail:
> [EMAIL PROTECTED]
> Aug 25 23:31:57 localhost authdaemond.ldap: | uid: PR08766
> Aug 25 23:31:57 localhost authdaemond.ldap: | uid: j.dulac
> Aug 25 23:31:57 localhost authdaemond.ldap: | uid: Josselin
> Aug 25 23:31:57 localhost authdaemond.ldap: | homeDirectory: /home/PR08766/

As stated, for virtual UID/GIDs, Courier IMAP expects LDAP_HOMEDIR to be
the same as LDAP_MAILDIR and writes its configuration files to this.

> Aug 25 23:31:57 localhost authdaemond.ldap: authldaplib:
> sysusername=j.dulac, sysuserid=500, sysgroupid=500,
> homedir=/home/PR08766/, address=j.dulac, fullname=Josselin DULAC,
> [EMAIL PROTECTED], quota=null, options=null
> Aug 25 23:31:57 localhost authdaemond.ldap: authldaplib:
> clearpasswd=null, passwd=null
> Aug 25 23:31:57 localhost authdaemond.ldap: rebinding with DN
> 'uid=PR08766,ou=People,dc=lyon,dc=iufm,dc=fr' to validate password
> Aug 25 23:31:57 localhost authdaemond.ldap: authentication bind successful
> Aug 25 23:31:57 localhost authdaemond.ldap: authldap: ACCEPT, username
> j.dulac
> Aug 25 23:31:57 localhost imapd: authdaemon: ACCEPT, username j.dulac
> Aug 25 23:31:57 localhost imapd: maildirmake: File exists

It probably does, yes. Test as root with Courier authdaemon's authtest -
it will point to your maildir, using both Home Directory and Maildir
attributes.

--Tonni

-- 
Tony Earnshaw
reservebergenser :)
