Andreas Winkelmann wrote:
On Thursday 14 September 2006 18:23, Sam Smith wrote:
We've been using cyrus faithfully with pam->NIS for years, but I have to
change to pam->LDAP.
I'm using saslauthd -a pam, with a solaris 9 box that authenticates just
fine using pam->ldap to a fedora directory server.
I'm using cyrus 2.3.7, and sasl 2.1.22. I did not compile in ldap
support for sasl, since I am using pam.
Anyway, here's the error:
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 379946 local6.notice] starttls: TLSv1 with cipher AES256-SHA (256/256 bits reused) no authentication
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 293258 local6.error] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
Sep 14 12:07:19 tsnfs.ece.gatech.edu last message repeated 1 time
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 292100 local6.warning] libsldap: could not remove ldapserv.ece.gatech.edu from servers list
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 293258 local6.error] libsldap: Status: 7 Mesg: Session error no available conn.
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 529592 local6.notice] login: ct5247.ece.gatech.edu [199.77.225.131] sam plain+TLS User logged in
I am able to log in with most clients (thunderbird, outlook, eudora), but
I cannot log in with squirrelmail. That's very strange. Squirrelmail logs
in twice for some reason, and the second time always fails.
Is this a cyrus or a sasl error? Or maybe a pam_ldap error?
Of course, if I change back to pam->NIS, everything works great, but
that's not an option.
Your configuration?
And, stop saslauthd and start it with an additional "-d" for debug output
from a shell. Test it and show the output.
Thanks Andrew,
The saslauthd output when run in debug mode while I log in doesn't show
any problems:
saslauthd[2193] :main : num_procs : 5
saslauthd[2193] :main : mech_option: NULL
saslauthd[2193] :main : run_path : /var/state/saslauthd
saslauthd[2193] :main : auth_mech : pam
saslauthd[2193] :ipc_init : using accept lock file: /var/state/saslauthd/mux.accept
saslauthd[2193] :detach_tty : master pid is: 0
saslauthd[2193] :ipc_init : listening on socket: /var/state/saslauthd/mux
saslauthd[2193] :main : using process model
saslauthd[2193] :have_baby : forked child: 2194
saslauthd[2194] :get_accept_lock : acquired accept lock
saslauthd[2193] :have_baby : forked child: 2195
saslauthd[2193] :have_baby : forked child: 2196
saslauthd[2193] :have_baby : forked child: 2197
saslauthd[2194] :rel_accept_lock : released accept lock
saslauthd[2195] :get_accept_lock : acquired accept lock
saslauthd[2194] :do_auth : auth success: [user=sam] [service=imap] [realm=] [mech=pam]
saslauthd[2194] :do_request : response: OK
The log file during that login, showing the funny libsldap errors:
Sep 18 12:49:25 tsnfs.ece.gatech.edu imaps[2205]: [ID 921384 local6.debug] accepted connection
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 379946 local6.notice] starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 293258 local6.error] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
Sep 18 12:49:26 tsnfs.ece.gatech.edu last message repeated 1 time
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 292100 local6.warning] libsldap: could not remove ldapserv.ece.gatech.edu from servers list
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 293258 local6.error] libsldap: Status: 7 Mesg: Session error no available conn.
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 529592 local6.notice] login: ct5247.ece.gatech.edu [199.77.225.131] sam plain+TLS User logged in
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 275131 local6.notice] skiplist: recovered /var/imap/user/s/sam.seen (55 records, 17648 bytes) in 0 seconds
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 677757 local6.debug] seen_db: user sam opened /var/imap/user/s/sam.seen
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 736213 local6.debug] open: user sam opened INBOX
my imapd.conf:
configdirectory: /var/imap
servername: imap.ece.gatech.edu
defaultpartition: staff
partition-staff: /var/spool/imap/staff
partition-mailstore2: /var/spool/imap/mailstore2
partition-mailstore3: /var/spool/imap/mailstore3
partition-mailstore4: /var/spool/imap/mailstore4
partition-mailstore5: /var/spool/imap/mailstore5
partition-mailstore6: /var/spool/imap/mailstore6
admins: cyradmin cyrus
tls_cacert_dir: /etc/ece_conf/ssl
tls_cacert_file: /etc/ece_conf/ssl/cacert.pem
tls_cert_file: /etc/ece_conf/ssl/imapd.pem
tls_key_file: /etc/ece_conf/ssl/imapd.key
tls_session_timeout: 0
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 0
sasl_auto_transition: no
mailnotifier: mailto
sievenotifier: mailto
imapidresponse: 1
my cyrus.conf:
START {
  # do not delete these entries!
  recover cmd="ctl_cyrusdb -r"
  # following 2 lines commented out when upgraded to 2.1.16
  # mboxlist cmd="ctl_mboxlist -r"
  # deliver cmd="ctl_deliver -r"
  # this is only necessary if using idled for IMAP IDLE
  # idled cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
  # add or remove based on preferences
  cyradm cmd="imapd" listen="localhost:imapadmin" prefork=0
  imap cmd="imapd" listen="imap" prefork=0
  imaps cmd="imapd -s" listen="imaps" prefork=0
  pop3 cmd="pop3d -s" listen="pop3" prefork=0
  pop3s cmd="pop3d -s" listen="pop3s" prefork=0
  # imap cmd="imapd" listen="imapadmin" prefork=0
  sieve cmd="timsieved" listen="sieve" prefork=1
  # at least one LMTP is required for delivery
  lmtp cmd="lmtpd -a" listen="lmtp" prefork=10 maxchild=-1
  lmtpunix cmd="lmtpd -a" listen="/var/imap/socket/lmtp" prefork=10
  notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
  # this is required
  checkpoint cmd="ctl_cyrusdb -c" period=30
  # this is only necessary if using duplicate delivery suppression
  delprune cmd="ctl_deliver -E 3" at=0400
  # for pruning cached SSL/TLS sessions
  tlsprune cmd="tls_prune" at=0400
}
======
The ldap server shows that the connection was an ssl connection, and
unix logins work fine with pam->ldap, so I am clueless as to what the
libsldap errors are about. I didn't even compile cyrus with ldap.
Sam Smith
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
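As an added example that is not part of this thread, the Python script below parses the Solaris-style syslog records Sam posted (the `[ID nnnnnn facility.level]` form), groups them by imapd pid, and flags processes in which a login succeeded even though libsldap had reported a TLS initialization failure (Status 91) or no available connection (Status 7) in that same process. The sample records are copied from the post; the second session (pid 2300) is a constructed clean login added for contrast.

```python
import re
from collections import defaultdict

# Solaris syslog record: "Mon DD HH:MM:SS host prog[pid]: [ID nnnnnn facility.level] message"
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: \[ID \d+ (?P<fac>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$"
)
SLDAP_RE = re.compile(r"^libsldap: Status: (?P<status>\d+) Mesg: (?P<mesg>.*)$")
LOGIN_RE = re.compile(r"^login: (?P<client>\S+) \[(?P<ip>[\d.]+)\] (?P<user>\S+) (?P<mech>\S+) User logged in$")

# Sample input: records from the post, plus one constructed clean session (pid 2300).
SAMPLE = """\
Sep 18 12:49:25 tsnfs.ece.gatech.edu imaps[2205]: [ID 921384 local6.debug] accepted connection
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 293258 local6.error] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
Sep 18 12:49:26 tsnfs.ece.gatech.edu last message repeated 1 time
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 293258 local6.error] libsldap: Status: 7 Mesg: Session error no available conn.
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 529592 local6.notice] login: ct5247.ece.gatech.edu [199.77.225.131] sam plain+TLS User logged in
Sep 18 12:50:01 tsnfs.ece.gatech.edu imaps[2300]: [ID 529592 local6.notice] login: ct5247.ece.gatech.edu [199.77.225.131] sam plain+TLS User logged in
""".splitlines()


def correlate(lines):
    """Group records by imapd pid; collect libsldap statuses, TLS engine errors and the login."""
    sessions = defaultdict(lambda: {"sldap": [], "tls_engine": [], "login": None})
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:  # e.g. "last message repeated 1 time": carries no pid, nothing to attribute
            continue
        s = sessions[int(m["pid"])]
        msg = m["msg"]
        if (e := SLDAP_RE.match(msg)):
            s["sldap"].append((int(e["status"]), e["mesg"]))
        elif msg.startswith("TLS server engine:"):
            s["tls_engine"].append(msg.split(": ", 1)[1])
        elif (lg := LOGIN_RE.match(msg)):
            s["login"] = {"user": lg["user"], "ip": lg["ip"], "mech": lg["mech"]}
    return dict(sessions)


def logins_after_ldap_tls_failure(sessions):
    """Pids whose login succeeded although the LDAP connection never came up over TLS
    (status 91 = TLS init failed, status 7 = no available connection)."""
    return sorted(pid for pid, s in sessions.items()
                  if s["login"] and {91, 7} & {st for st, _ in s["sldap"]})


if __name__ == "__main__":
    print(logins_after_ldap_tls_failure(correlate(SAMPLE)))
```

Feed it the real syslog file instead of SAMPLE to see which imapd processes authenticated while their libsldap client was failing; a non-empty result is worth explaining before trusting the pam->ldap path.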