Re: cyrus - sasl - pam - ldap strange error with libsldap

Andreas Winkelmann wrote:
On Thursday 14 September 2006 18:23, Sam Smith wrote:

We've been using cyrus faithfully with pam->NIS for years, but I have to
change to pam->LDAP.
I'm using saslauthd -a pam, with a solaris 9 box that authenticates just
fine using pam->ldap to a fedora directory server.

I'm using cyrus 2.3.7, and sasl 2.1.22. I did not compile in ldap
support for sasl, since I am using pam.

Anyway, here's the error:

Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 379946 local6.notice] starttls: TLSv1 with cipher AES256-SHA (256/256 bits reused) no authentication
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 293258 local6.error] libsldap: Status: 91  Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
Sep 14 12:07:19 tsnfs.ece.gatech.edu last message repeated 1 time
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 292100 local6.warning] libsldap: could not remove ldapserv.ece.gatech.edu from servers list
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 293258 local6.error] libsldap: Status: 7  Mesg: Session error no available conn.
Sep 14 12:07:19 tsnfs.ece.gatech.edu imaps[2724]: [ID 529592 local6.notice] login: ct5247.ece.gatech.edu [199.77.225.131] sam plain+TLS User logged in

I am able to login with most clients (thunderbird, outlook, eudora), but
I cannot login with squirrelmail. That's very strange. Squirrelmail logs
in twice for some reason, and the second time always fails.

Is this a cyrus or a sasl error? Or maybe a pam_ldap error?

Of course, if I change back to pam->NIS, everything works great, but
that's not an option.

Your configuration?

And, stop saslauthd and start it from a shell with an additional "-d" for debug output. Test it and show the output.

Thanks Andrew,
The saslauthd output when run in debug mode while I log in doesn't show any problems:
saslauthd[2193] :main            : num_procs  : 5
saslauthd[2193] :main            : mech_option: NULL
saslauthd[2193] :main            : run_path   : /var/state/saslauthd
saslauthd[2193] :main            : auth_mech  : pam
saslauthd[2193] :ipc_init : using accept lock file: /var/state/saslauthd/mux.accept
saslauthd[2193] :detach_tty      : master pid is: 0
saslauthd[2193] :ipc_init : listening on socket: /var/state/saslauthd/mux
saslauthd[2193] :main            : using process model
saslauthd[2193] :have_baby       : forked child: 2194
saslauthd[2194] :get_accept_lock : acquired accept lock
saslauthd[2193] :have_baby       : forked child: 2195
saslauthd[2193] :have_baby       : forked child: 2196
saslauthd[2193] :have_baby       : forked child: 2197
saslauthd[2194] :rel_accept_lock : released accept lock
saslauthd[2195] :get_accept_lock : acquired accept lock
saslauthd[2194] :do_auth : auth success: [user=sam] [service=imap] [realm=] [mech=pam]
saslauthd[2194] :do_request      : response: OK

The log file during that login, showing the funny libsldap errors:
Sep 18 12:49:25 tsnfs.ece.gatech.edu imaps[2205]: [ID 921384 local6.debug] accepted connection
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 379946 local6.notice] starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 293258 local6.error] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
Sep 18 12:49:26 tsnfs.ece.gatech.edu last message repeated 1 time
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 292100 local6.warning] libsldap: could not remove ldapserv.ece.gatech.edu from servers list
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 293258 local6.error] libsldap: Status: 7 Mesg: Session error no available conn.
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 529592 local6.notice] login: ct5247.ece.gatech.edu [199.77.225.131] sam plain+TLS User logged in
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 275131 local6.notice] skiplist: recovered /var/imap/user/s/sam.seen (55 records, 17648 bytes) in 0 seconds
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 677757 local6.debug] seen_db: user sam opened /var/imap/user/s/sam.seen
Sep 18 12:49:26 tsnfs.ece.gatech.edu imaps[2205]: [ID 736213 local6.debug] open: user sam opened INBOX


my imapd.conf:
configdirectory: /var/imap
servername: imap.ece.gatech.edu
defaultpartition: staff
partition-staff: /var/spool/imap/staff
partition-mailstore2: /var/spool/imap/mailstore2
partition-mailstore3: /var/spool/imap/mailstore3
partition-mailstore4: /var/spool/imap/mailstore4
partition-mailstore5: /var/spool/imap/mailstore5
partition-mailstore6: /var/spool/imap/mailstore6
admins: cyradmin cyrus
tls_cacert_dir: /etc/ece_conf/ssl
tls_cacert_file: /etc/ece_conf/ssl/cacert.pem
tls_cert_file: /etc/ece_conf/ssl/imapd.pem
tls_key_file: /etc/ece_conf/ssl/imapd.key
tls_session_timeout: 0
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 0
sasl_auto_transition: no
mailnotifier: mailto
sievenotifier: mailto
imapidresponse: 1

my cyrus.conf:
START {
 # do not delete these entries!
 recover       cmd="ctl_cyrusdb -r"

 # following 2 lines commented out when upgraded to 2.1.16
 # mboxlist    cmd="ctl_mboxlist -r"
 # deliver     cmd="ctl_deliver -r"

 # this is only necessary if using idled for IMAP IDLE
#  idled                cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
 # add or remove based on preferences
 cyradm        cmd="imapd" listen="localhost:imapadmin" prefork=0
 imap          cmd="imapd" listen="imap" prefork=0
 imaps         cmd="imapd -s" listen="imaps" prefork=0
 pop3          cmd="pop3d -s" listen="pop3" prefork=0
 pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
#  imap         cmd="imapd" listen="imapadmin" prefork=0
 sieve         cmd="timsieved" listen="sieve" prefork=1

 # at least one LMTP is required for delivery
 lmtp         cmd="lmtpd -a" listen="lmtp" prefork=10 maxchild=-1
 lmtpunix     cmd="lmtpd -a" listen="/var/imap/socket/lmtp" prefork=10
 notify       cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
 # this is required
 checkpoint    cmd="ctl_cyrusdb -c" period=30

 # this is only necessary if using duplicate delivery suppression
 delprune      cmd="ctl_deliver -E 3" at=0400

 # for pruning cached SSL/TLS sessions
 tlsprune      cmd="tls_prune" at=0400
}

======

The ldap server shows that the connection was an ssl connection, and unix logins work fine with pam->ldap, so I am clueless as to what the libsldap errors are about. I didn't even compile cyrus with ldap.

Sam Smith
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
