Date:      Tue, 26 Apr 2005 11:24:47 -0400
From:      Yarema <yds@CoolRat.org>
To:        Jose M Rodriguez <josemi@freebsd.jazztel.es>, Oliver Lehmann <lehmann@ans-netz.de>
Cc:        Milan Obuch <ports@dino.sk>
Subject:   Re: splitting courier-authlib into master+slave ports
Message-ID:  <6309B48EABE0AB085E8EC642@tuber.coolrat.org>
In-Reply-To: <200504261633.30262.josemi@redesjm.local>
References:  <20050425171119.59ad98b7.lehmann@ans-netz.de> <200504261602.16471.josemi@redesjm.local> <2C4B5E66C964EB3FE9F69526@tuber.coolrat.org> <200504261633.30262.josemi@redesjm.local>

--On Tuesday, April 26, 2005 16:33:28 +0200 Jose M Rodriguez
<josemi@freebsd.jazztel.es> wrote:

> On Tuesday, 26 April 2005 16:25, Yarema wrote:
>> --On Tuesday, April 26, 2005 16:02:15 +0200 Jose M Rodriguez
>>
>> <josemi@freebsd.jazztel.es> wrote:
>> > On Tuesday, 26 April 2005 15:32, Oliver Lehmann wrote:
>> >> Milan Obuch wrote:
>> >> > Issue with ldconfig seems not to be solved to me. Any idea?
>> >> > Milan
>> >>
>> >> right, courier-authlib works, but the path got not registered for
>> >> ldconfig permanently.
>> >>
>> >>
>> >> root@curry courier-authlib> ldconfig -vr
>> >> /var/run/ld-elf.so.hints:
>> >>         search directories:
>> >> /lib:/usr/lib:/usr/lib/compat:/usr/local/lib:/
>> >> usr/local/lib/courier-authlib:/usr/local/lib/mysql
>> >>
>> >> reboot...
>> >>
>> >>
>> >> root@curry olivleh1> ldconfig -vr
>> >> /var/run/ld-elf.so.hints:
>> >>         search directories:
>> >> /lib:/usr/lib:/usr/lib/compat:/usr/local/lib:/ usr/local/lib/mysql
>> >>
>> >> But that is like it is now. With mail/courier-authlib like it is
>> >> now, the same thing happens.
>> >>
>> >>
>> >> I'm not really sure why this happens since
>> >>
>> >> root@curry courier-authlib-mysql> make -VLDCONFIG_DIRS
>> >> %%PREFIX%%/lib/courier-authlib
>> >>
>> >>
>> >> works... I'll take a look for that error. If I don't find anything
>> >> I'll commit w/o fixing it right now.
>> >
>> > I can see the correct ldconfig lines recorded in +CONTENTS, but
>> > also I can reproduce the ldconfig -vr output.
>> >
>> > In any case, authdaemond starts OK, but claims that it can't load
>> > the modules in modulelist I have not installed.
>> >
>> > If you like, try to get authdaemonrc.dist closer to the ports
>> > behavior: only put authpam in the modulelist (what -base installs).
>> > This is made in the Makefile (reimplace).  At last suppress authpwd.
>> >
>> > And..., can you work a quick pkg-message or UPDATING note on the
>> > need to tweak authdaemonrc to polite oper?
>>
>> The documentation at
>> <http://www.Courier-MTA.org/authlib/README_authlib.html> says:
>>
>> ~~~~~
>> The configuration file /usr/local/etc/authlib/authdaemonrc contains
>> several settings. The most important of them are:
>>
>> A list of authentication modules to activate. By default, this list
>> includes all available authentication modules, even if some are not
>> actually installed at the moment. When the authentication library is
>> set up, only those authentication modules that can be supported by
>> the operating system will be installed. Some of the listed modules
>> may not actually be there, however that's not a problem. Any
>> unavailable authentication modules will be ignored. Also, on some
>> platforms certain authentication modules are installed by optional
>> sub-packages. Installing the sub-package is the only action needed to
>> make use of it.
>>
>> The only time the list of authentication modules need to be adjusted
>> is when an available authentication module must be disabled for some
>> reason. This should only be needed in the most unusual circumstances.
>> ~~~~~
>>
>> Which I take to mean that authdaemond complaining about modules it
>> cannot load at startup can be safely ignored.  authpwd should
>> definitely not be there anymore.  But authmodulelist should include
>> all the plugin modules which we support and as the comment referring
>> to authmodulelist in authdaemonrc suggests "You may selectively
>> disable modules simply by removing them from the following list."  In
>> any case authmodulelistorig needs to contain all the modules we
>> support and should never be modified.
>>
>> This is just a matter of RTFM for the user before firing up
>> courier-authlib.  The startup messages are mere warnings and if they
>> are an eyesore we can redirect them to >/dev/null 2>&1 in the startup
>> script.
>
> The problem is that 'out of the box' this goes to /var/log/maillog with
> some precious FATAL on it.

Perhaps <MrSam@Courier-MTA.com> needs to change them FATAL messages to INFO
or WARNING to comply with his own documentation and rpm packaging
methodology...  :)

> In any case I'm with you, suppress only authpwd (we do not install it in any
> case) and make some warning about this and the convenience to tweak
> authdaemonrc.
>
> And an UPDATING entry will do the task.

Agreed.  Actually going through the documentation our out-of-the-box
settings in authdaemonrc should be:

authmodulelist="authcram authuserdb authvchkpw authpam authldap authmysql authpgsql"
authmodulelistorig="authcram authuserdb authvchkpw authpam authldap authmysql authpgsql"

in that order.  authcram is part of userdb and needs to be listed first.
Then authuserdb gets tried then authvchkpw and if none of them are
available or configured then authpam tries to see if there's a system
account.  authldap authmysql authpgsql need to stay at the end because as
noted at the bottom of
<http://www.Courier-MTA.org/authlib/README.authdebug.html>:

~~~~~
authdaemond tries each of the configured authentication modules in turn,
until either one accepts the login, or they have all rejected it (in which
case the usual "Login failed" error is returned, and the user can try
again).

However, if one of these modules is unable to run because some resource is
not available, then it gives a "temporary failure" response and no further
modules are tried. You should find the exact cause in your mail logs, but
typically it means that you have a module like 'authmysql' in your module
list, but the mysql database is not running.

So unless you actually do have account data in mysql (in which case you
need to fix your mysql setup), you should remove 'authmysql' and any other
modules you do not use from authmodulelist in authdaemonrc.
~~~~~

-- 
Yarema
http://yds.CoolRat.org
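
Added example, not part of the original message or of courier-authlib: a small Python model of the module-chain behaviour quoted above from README.authdebug, showing how an unused authmysql left in authmodulelist turns a plain failed login into a temporary failure. The function names and the per-module outcome map are assumptions made for the illustration; the sample configuration is the setting proposed in the message.

```python
import re

ACCEPT, REJECT, TEMPFAIL = "accept", "reject", "tempfail"

# Constructed sample: the out-of-the-box lines proposed in the message.
SAMPLE_RC = '''
authmodulelist="authcram authuserdb authvchkpw authpam authldap authmysql authpgsql"
authmodulelistorig="authcram authuserdb authvchkpw authpam authldap authmysql authpgsql"
'''

def parse_modulelist(rc_text, key="authmodulelist"):
    """Return the ordered module names assigned to key in authdaemonrc text."""
    m = re.search(r'^%s="([^"]*)"' % re.escape(key), rc_text, re.MULTILINE)
    return m.group(1).split() if m else []

def run_chain(modules, outcome_of):
    """Try modules in list order; stop at the first accept or temporary failure.

    outcome_of (hypothetical helper input) maps an installed module to the
    answer it gives for one login attempt. Modules missing from the map are
    treated as not installed and skipped, as the README says they are ignored.
    """
    tried = []
    for name in modules:
        if name not in outcome_of:
            continue
        tried.append(name)
        if outcome_of[name] in (ACCEPT, TEMPFAIL):
            return outcome_of[name], tried
    return REJECT, tried

def without(modules, unused):
    """Module list with the unused back ends removed, order preserved."""
    return [m for m in modules if m not in unused]

if __name__ == "__main__":
    mods = parse_modulelist(SAMPLE_RC)
    # Wrong password on a host with authpam and authmysql installed, MySQL down.
    attempt = {"authpam": REJECT, "authmysql": TEMPFAIL}
    print(run_chain(mods, attempt))
    print(run_chain(without(mods, {"authmysql"}), attempt))
```

With authmysql listed and its database down, the rejected login comes back as a temporary failure; with authmysql removed from the list, the same attempt ends in the ordinary rejection.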


