Date:      Wed, 28 Aug 2002 23:38:27 -0500
From:      "Scot W. Hetzel" <hetzels@westbend.net>
To:        "Robin P. Blanchard" <robin.blanchard@georgiacenter.org>
Cc:        <ports@FreeBSD.ORG>
Subject:   Re: cyrus / sasl / ldap woes
Message-ID:  <018601c24f15$ec5360f0$12fd2fd8@Admin01>
References:  <3D611B4F.2050605@georgiacenter.org> <009b01c247a9$040189d0$11fd2fd8@ADMIN00> <3D614E58.70409@georgiacenter.org>

From: "Robin P. Blanchard" <robin.blanchard@georgiacenter.org> on 08/19/2002
> > From: "Robin P. Blanchard" <robin.blanchard@georgiacenter.org> on 08/19/2002
> >
> >>freshly installed -STABLE with freshly installed ports:
> >>
> >>cyrus-imapd-2.0.16_3
> >>cyrus-sasl-1.5.27_6
> >>db3-3.2.9_3,1
> >>makedepend-2000.12.28
> >>openldap-2.0.25
> >>
> >>anyone else using the combo of ports? any success with the current revs?
> >>
> Ok...took the new/broken box and removed cyrus-imapd-2.0.16_3 and
> cyrus-sasl-1.5.27_6. pkg_tarup'ed older versions from working/production
> server. Force pkg_added them (to use new openldap-2.0.25 libs -- so,
> problem is not related to ldap rev). SASL is again talking to LDAP.
> So...when things got broken? Not sure. But it's (sasl and/or cyrus-imap)
> certainly currently broken.
>
> And now back to the real problem...Hopefully getting cyrus/sasl to auth
> against AD as opposed to openldap.
>
I finally had a chance to fully test all 3 LDAP pwcheck_methods (saslauthd,
pwcheck (pwcheck_pam), ldap) available for the cyrus-sasl port.  Using the
following ports:

cyrus-imapd-2.0.16_3
cyrus-sasl-1.5.27_6
db3-3.2.9_3,1
makedepend-2000.12.28
openldap-2.0.25
pam_ldap-1.5.0

The only trouble I had was setting up the pam_ldap module to be used with
the saslauthd and pwcheck_pam daemons, as the pkg-message for the pam_ldap
port specifies only adding an "auth" line to the appropriate pam files.
With existing users (password was changed so that /etc/master.passwd != LDAP
password), using either the /etc/master.passwd or LDAP password I could
log in.  But it wouldn't work with a user only in LDAP.  When I added the
"account" entry for pam_ldap.so, the LDAP-only user was able to log into
both imap and pop servers.

I have updated the cyrus-sasl port to install an example pam service file
(see ${EXAMPLESDIR}/cyrus.pam).

        http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/42153

I had no problem with cyrus-imapd when configuring imapd.conf with:

    sasl_pwcheck_method: ldap

    sasl_ldap_server: localhost
    sasl_ldap_basedn: dc=westbend,dc=net
    sasl_ldap_uidattr: uid
    sasl_ldap_port: 389
    sasl_ldap_ssl: no
    sasl_ldap_filter_mode:  yes
    sasl_ldap_filter: (objectClass=posixAccount)
    sasl_ldap_bind_dn: cn=Manager,dc=westbend,dc=net
    sasl_ldap_bind_pw: xxxxxxxx
    sasl_ldap_alias_deref: n

Scot W. Hetzel

p.s. I probably could have removed a few of the sasl_ldap_* options, as they
would have used the compiled-in default setting.
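The pam_ldap pitfall described above, as an added illustration that is not part of the original message or of the cyrus-sasl port's own cyrus.pam: a FreeBSD 4.x-style /etc/pam.conf stanza for the imap service with only the "auth" line the pkg-message suggests, beside the variant that also routes the "account" check through pam_ldap. The module path /usr/local/lib/pam_ldap.so and the pam_unix.so fallback lines are assumptions about the default installation.

```conf
# --- Variant 1: auth only (assumed to match the pkg-message advice) ---
# Works for users present in /etc/master.passwd (either password is accepted),
# but an LDAP-only user still fails: the account phase is handled by
# pam_unix.so, which does not know the user, so login is refused.
imap    auth     sufficient  /usr/local/lib/pam_ldap.so
imap    auth     required    pam_unix.so             try_first_pass
imap    account  required    pam_unix.so

# --- Variant 2: auth + account via pam_ldap (the fix the message reports) ---
# pam_ldap is consulted in the account phase as well, so a user that exists
# only in LDAP passes both stages.  Keep pam_unix.so so local accounts that
# are absent from the directory are still accepted.
imap    auth     sufficient  /usr/local/lib/pam_ldap.so
imap    auth     required    pam_unix.so             try_first_pass
imap    account  sufficient  /usr/local/lib/pam_ldap.so
imap    account  required    pam_unix.so
```

Only one of the two stanzas belongs in the file at a time; the same pair of lines is needed for the pop service if pop3d authenticates through the same daemon.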
