Thank you for your suggestions! They helped me a great deal. The situation is better now, in the sense that ptloader connects to LDAP and finds something.

After corrections, my imapd.conf:

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptsock
ldap_uri: ldaps://ldap.example.com:636
ldap_sasl: 0
ldap_size_limit: 20
ldap_filter: (uid=%U)
ldap_group_filter: (cn=%u)
ldap_member_method: filter
ldap_member_filter: (memberUid=%u)
ldap_member_attribute: cn
ldap_base: dc=example,dc=com
ldap_group_base: ou=groups,ou=people,dc=example,dc=com
ldap_member_base: ou=groups,ou=people,dc=example,dc=com

The LDAP now looks as follows:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberUid: earbatov
memberUid: user

I modified the permissions for the admins group:

sam user/postmaster group:admins lrswipkxte

The logs for ptloader now have:

mail imaps[17540]: ptload(): pinging ptloader
mail imaps[17540]: connected with no delay
mail imaps[17540]: ptload(): connected
mail imaps[17540]: timeout_select: sock = 17, rp = 0x0, wp = 0x4aa71af0, sec = 30
mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
mail ptloader[17538]: accepted connection
mail imaps[17540]: ptload sent data
mail imaps[17540]: timeout_select: sock = 17, rp = 0x4aa71b70, wp = 0x0, sec = 30
mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
mail imaps[17540]: ptload read data back
mail imaps[17540]: ptload(): empty response from ptloader server
mail master[17508]: process 17538 exited, signaled to death by 11
mail master[17508]: service ptloader pid 17538 in READY state: terminated abnormally
mail imaps[17540]: No data available at all from ptload()
mail imaps[17540]: ptload completely failed: unable to canonify identifier: earbatov
mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext earbatov invalid user
mail master[17613]: about to exec /usr/lib/cyrus-imapd/ptloader
mail ptloader[17613]: executed
mail ptloader[17613]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $

The LDAP logs show this:

ldap slapd[30259]: conn=20 op=2 SRCH base="ou=groups,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=earbatov)"
ldap slapd[30259]: conn=20 op=2 SRCH attr=cn
ldap slapd[30259]: conn=20 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

And ptdump says:

user: admins time: 1250751529 groups: 0
user: cyrusimap time: 1250751556 groups: 0
user: group:admins time: 1250751780 groups: 0
user: postmaster time: 1250751701 groups: 0

Needless to say, the authorization fails, without even giving me access to the usual, non-shared mailboxes.

>> EA> pts_module: ldap
>>
>> This module is currently very difficult to configure, IMHO.

> That's true. :) But it's doable.

I would be glad not to use this pts_module, but if I leave it at the defaults I see:

mail ptloader[18396]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $
mail ptloader[18396]: PTS module afskrb not supported
mail master[18364]: process 18428 exited, status 75
mail master[18364]: service ptloader pid 18428 in READY state: terminated abnormally

Please refer me to any instructions on pts_module, if I do need to make changes.

One more question: I am confused about the role of ldap_group_filter and ldap_group_base. Isn't ldap_member* enough?

Evgeniy
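
An added example, not part of the original message and not Cyrus project code: a log triage that separates `badlogin ... invalid user` entries caused by a failed ptloader lookup, as in the logs above, from ordinary rejections. The regexes assume exactly the message formats quoted in the post; the function name `triage`, the cause labels and the `alice` line are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the logs in the post, plus one
# hypothetical ordinary rejection (user "alice", pid 17600) for contrast.
SAMPLE = """\
mail imaps[17540]: ptload(): empty response from ptloader server
mail master[17508]: process 17538 exited, signaled to death by 11
mail master[17508]: service ptloader pid 17538 in READY state: terminated abnormally
mail imaps[17540]: ptload completely failed: unable to canonify identifier: earbatov
mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext earbatov invalid user
mail imaps[17600]: badlogin: net.example.com [192.168.0.78] plaintext alice invalid user
"""

LINE = re.compile(r"^\S+ (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SIGNALED = re.compile(r"process (\d+) exited, signaled to death by (\d+)")
SERVICE = re.compile(r"service (\S+) pid (\d+) in \S+ state: terminated abnormally")
PT_FAIL = re.compile(r"ptload completely failed: unable to canonify identifier: (\S+)")
BADLOGIN = re.compile(r"badlogin: \S+ \[([^\]]+)\] \S+ (\S+) ")

def triage(text):
    """Separate rejections caused by a failed PTS lookup from ordinary ones."""
    signals, crashes, pt_failed, logins = {}, [], {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the "host prog[pid]: msg" shape shown in the post
        prog, pid, msg = m["prog"], int(m["pid"]), m["msg"]
        if prog == "master":
            if s := SIGNALED.search(msg):
                signals[int(s[1])] = int(s[2])  # child pid -> fatal signal
            elif (s := SERVICE.search(msg)) and int(s[2]) in signals:
                crashes.append((s[1], int(s[2]), signals[int(s[2])]))
        elif f := PT_FAIL.search(msg):
            pt_failed[pid] = f[1]  # this imapd process got no PTS answer
        elif b := BADLOGIN.search(msg):
            ip, user = b[1], b[2]
            cause = "pts-lookup-failed" if pt_failed.get(pid) == user else "rejected"
            logins.append({"user": user, "ip": ip, "cause": cause})
    return {"crashes": crashes, "logins": logins}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Logins tagged `pts-lookup-failed` point at the authorization backend rather than at the client, so they should not be counted as password-guessing attempts.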