[bug-notifications] [dovecot 0002760]: Auth fails for LDAP users via PAM
Mantis Bug Tracker
noreply at opencsw.org
Sun Mar 29 13:11:36 CEST 2009
The following issue requires your FEEDBACK.
======================================================================
http://www.opencsw.org/mantis/view.php?id=2760
======================================================================
Reported By: laurent
Assigned To: skayser
======================================================================
Project: dovecot
Issue ID: 2760
Category: packaging
Reproducibility: always
Severity: feature
Priority: normal
Status: feedback
======================================================================
Date Submitted: 2008-01-31 08:38 CET
Last Modified: 2009-03-29 13:11 CEST
======================================================================
Summary: Auth fails for LDAP users via PAM
Description:
My Solaris 10 is configured to have most users in LDAP, they're
authenticated via configuration in PAM and nsswitch.
It works fine with WU-IMAP, Qpopper, and even a self-built dovecot 1.0.10,
but not with the Blastwave version.
The Blastwave version will accept a local (/etc/passwd) user, but the auth
fails for all PAM LDAP users. My self-built version works, using the
Blastwave SMF method and the same configuration file.
======================================================================
----------------------------------------------------------------------
(0005118) asmoore (reporter) - 2008-01-31 18:17
http://www.opencsw.org/mantis/view.php?id=2760#c5118
----------------------------------------------------------------------
Whose LDAP?
----------------------------------------------------------------------
(0005119) asmoore (reporter) - 2008-01-31 18:20
http://www.opencsw.org/mantis/view.php?id=2760#c5119
----------------------------------------------------------------------
Sorry, I meant to ask:
Whose ldap libraries?
----------------------------------------------------------------------
(0005120) laurent (reporter) - 2008-02-01 03:33
http://www.opencsw.org/mantis/view.php?id=2760#c5120
----------------------------------------------------------------------
It's Solaris LDAP that are used by the system's PAM.
But I have to be clear, I have not configured Dovecot to use LDAP
directly, and the version I built is not even linked with LDAP. I'm only
trying to use PAM here.
----------------------------------------------------------------------
(0005123) asmoore (reporter) - 2008-02-03 09:45
http://www.opencsw.org/mantis/view.php?id=2760#c5123
----------------------------------------------------------------------
Please test the dovecot_pam package at http://www.blastwave.org/testing
. It will be listed on the web page within the next hour or so.
You need to `pkgrm CSWdovecot`, download dovecot_pam for your
architecture, gunzip the file and `pkgadd -d <filename>`
----------------------------------------------------------------------
(0005124) laurent (reporter) - 2008-02-04 04:12
http://www.opencsw.org/mantis/view.php?id=2760#c5124
----------------------------------------------------------------------
I installed it, and a first test shows that a PAM-authenticated user now can
log in. Thanks!
----------------------------------------------------------------------
(0005125) asmoore (reporter) - 2008-02-04 06:47
http://www.opencsw.org/mantis/view.php?id=2760#c5125
----------------------------------------------------------------------
For CSWdovecot-pam, I removed --with-ldap. Since you did not need
--with-mysql, I removed that as well.
This proves that dovecot is doing something with the OpenLDAP linkage that
breaks pam using Sun\'s ldap.
I do not know how to integrate CSWdovecot-pam within the blastwave
packaging framework and rules/standards. I am working on it and may find
an answer.
----------------------------------------------------------------------
(0005126) laurent (reporter) - 2008-02-04 07:26
http://www.opencsw.org/mantis/view.php?id=2760#c5126
----------------------------------------------------------------------
FWIW, I'd like to have both PAM and LDAP built in.
PAM is practical to make it work easily, however, we can't rule out
switching to direct LDAP authentication in the future, while keeping any
/etc/passwd account working.
----------------------------------------------------------------------
(0005127) asmoore (reporter) - 2008-02-04 18:40
http://www.opencsw.org/mantis/view.php?id=2760#c5127
----------------------------------------------------------------------
Yes, I have to keep OpenLDAP working with dovecot. I think that is a more
typical way to setup virtual accounts.
I have used the current CSWdovecot package with pam and passwd/shadow
accounts. It works fine.
----------------------------------------------------------------------
(0005129) laurent (reporter) - 2008-02-05 09:13
http://www.opencsw.org/mantis/view.php?id=2760#c5129
----------------------------------------------------------------------
In my case, accounts are not completely virtual, some are really needed for
login on the server, hence the need for PAM, at least now.
When you say it works, it means that you managed to have PAM work as
expected using the unmodified Dovecot package? Could you show me a sample
of your configuration files? In my case, I use the *same* configuration,
and one binary works with PAM accounts, the other does not. Local accounts
did work, though.
----------------------------------------------------------------------
(0005130) asmoore (reporter) - 2008-02-05 18:37
http://www.opencsw.org/mantis/view.php?id=2760#c5130
----------------------------------------------------------------------
Here is my /opt/csw/etc/dovecot.conf for passwd - files (not ldap). I
removed the commented lines.
base_dir = /opt/csw/var/run/dovecot/
protocols = imap
shutdown_clients = yes
syslog_facility = mail
login_dir = /opt/csw/var/run/dovecot/login
login_chroot = yes
login_user = dovecot
login_process_per_connection = yes
login_processes_count = 3
login_max_processes_count = 128
login_max_connections = 256
default_mail_env = maildir:%h/Maildir:INDEX=/opt/csw/var/dovecot/indexes/%n
mail_full_filesystem_access = no
lock_method = fcntl
first_valid_uid = 100
last_valid_uid = 32766
mailbox_idle_check_interval = 30
protocol imap {
login_executable = /opt/csw/libexec/dovecot/imap-login
mail_executable = /opt/csw/libexec/dovecot/imap
}
auth_executable = /opt/csw/libexec/dovecot/dovecot-auth
auth_verbose = no
auth default {
mechanisms = plain
passdb pam {
args = dovecot
}
userdb passwd {
}
user = root
}
plugin {
}
----------------------------------------------------------------------
(0005147) asmoore (reporter) - 2008-02-24 11:05
http://www.opencsw.org/mantis/view.php?id=2760#c5147
----------------------------------------------------------------------
Please see how this works for you. I have built dovecot twice and have
only the one package available. I added /opt/csw/sbin/dovecot-pam.ldap to
the package, as I think that this is all that is really needed. However,
I have no way to test this. Packages are at http://www.blastwave.org/testing
for download and manual install.
Please confirm that this does or does not work for you. Here is the text
that I added to README.CSW:
2008-02-24
If you are having trouble using pam with Solaris ldap naming services,
rename /opt/csw/sbin/dovecot to /opt/csw/sbin/dovecot.OFF and rename
/opt/csw/sbin/dovecot-pam.ldap to /opt/csw/sbin/dovecot and restart
dovecot.
Thanks
----------------------------------------------------------------------
(0005153) laurent (reporter) - 2008-02-27 11:06
http://www.opencsw.org/mantis/view.php?id=2760#c5153
----------------------------------------------------------------------
Sorry, I tried, but neither of them worked.
First I did the pkgadd and checked that the process had been restarted.
Then I tried a login to a PAM LDAP account: it failed.
Then I did the following to replace the binary:
mv /opt/csw/sbin/dovecot /opt/csw/sbin/dovecot.OFF
mv /opt/csw/sbin/dovecot-pam.ldap /opt/csw/sbin/dovecot
svcadm restart cswdovecot
I checked it was restarted, tried the same login: failure again.
I removed the package, put back the previous testing one, and it worked
again.
----------------------------------------------------------------------
(0005155) asmoore (reporter) - 2008-02-28 06:46
http://www.opencsw.org/mantis/view.php?id=2760#c5155
----------------------------------------------------------------------
Thanks for trying. Sorry, I do not know how to fix this, since I do not
see how to merge the two packages and end up with two binaries that work
differently.
----------------------------------------------------------------------
(0005156) laurent (reporter) - 2008-02-28 07:47
http://www.opencsw.org/mantis/view.php?id=2760#c5156
----------------------------------------------------------------------
It sounds very much like there is a bug in Dovecot, though. LDAP and PAM
should both work together. Can you send me the details of your build
configuration? I can try to reproduce it and get it fixed by the Dovecot
developer.
----------------------------------------------------------------------
(0005158) asmoore (reporter) - 2008-02-29 06:55
http://www.opencsw.org/mantis/view.php?id=2760#c5158
----------------------------------------------------------------------
I agree. To build, source the following options, source myconfigure (these
are in a file), run gmake and gmake install.
I noticed the addition of -lldap -llber to LDFLAGS. That may be carried
over from an earlier dovecot release and not be needed anymore. To see if
this is causing the problem, I did a build without '-lldap -llber' and
put the package at http://www.blastwave.org/testing
The update should be on the web page list within the half hour. Please
test this package before going to Timo.
# 'compiler and linker flags'
#!/usr/bin/sh
LD_OPTIONS='-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST'
LDFLAGS='-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap -llber'
CPPFLAGS='-I/opt/csw/include -I/opt/csw/mysql5/include/mysql'
CFLAGS='-O -xarch=v8'
export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS
CC=/opt/studio/SOS8/SUNWspro/bin/cc
CXX=/opt/studio/SOS8/SUNWspro/bin/CC
F77=/opt/studio/SOS8/SUNWspro/bin/f77
export CC CXX F77
PKG_CONFIG_PATH=/opt/csw/lib
export PKG_CONFIG_PATH
#!/usr/bin/sh
./configure \
--prefix=/opt/csw \
--mandir=/opt/csw/share/man \
--with-libiconv-prefix=/opt/csw \
--with-shadow \
--with-pam \
--with-ldap \
--with-ssl=openssl \
--with-ssldir=/opt/csw/ssl \
--with-mysql \
--enable-header-install \
--with-gssapi
----------------------------------------------------------------------
(0005160) laurent (reporter) - 2008-03-03 10:10
http://www.opencsw.org/mantis/view.php?id=2760#c5160
----------------------------------------------------------------------
Still not working with the latest package, so it's now the compile road
for me, hope I'll reproduce the problem, I'd rather use the Blastwave
package than my own.
----------------------------------------------------------------------
(0005161) laurent (reporter) - 2008-03-03 10:53
http://www.opencsw.org/mantis/view.php?id=2760#c5161
----------------------------------------------------------------------
Only a sidenote, I've just done the configure, against the same /opt/csw
where the dovecot package and its dependencies were pulled.
I noted that the following is given to ./configure:
--with-gssapi
But it doesn't actually work:
Building with GSSAPI support ........ : no
----------------------------------------------------------------------
(0005162) laurent (reporter) - 2008-03-04 05:46
http://www.opencsw.org/mantis/view.php?id=2760#c5162
----------------------------------------------------------------------
Okay, after more testing, the conclusion is that linking Dovecot against
OpenLDAP breaks the PAM LDAP. When it's linked against Solaris LDAP libs,
it works (I haven't tried using LDAP directly, though).
I built using your environment, against Blastwave libs, with very little
changes.
I suppose it's some kind of LDAP function override by the OpenLDAP
library at runtime.
So now the question is, is that something you can fix, or is it up to
Timo? I'd wager it's the latter, but I'm not completely sure.
Compilation details:
First, using OpenLDAP:
export PATH=/usr/bin:/usr/sbin:/usr/ccs/bin:/opt/SUNWspro/bin
LD_OPTIONS='-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST'
CPPFLAGS='-I/opt/csw/include -I/opt/csw/mysql5/include/mysql'
LDFLAGS='-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap -llber'
CFLAGS='-O -xarch=v8'
export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS
CC=/opt/SUNWspro/bin/cc
CXX=/opt/SUNWspro/bin/CC
F77=/opt/SUNWspro/bin/f77
export CC CXX F77
PKG_CONFIG_PATH=/opt/csw/lib
export PKG_CONFIG_PATH
./configure \
--prefix=/usr/local/dovecot-1.0.10_test \
--mandir=/opt/csw/share/man \
--with-libiconv-prefix=/opt/csw \
--with-shadow \
--with-pam \
--with-ldap \
--with-mysql \
--with-ssl=openssl \
--with-ssldir=/opt/csw/ssl \
--enable-header-install \
--with-gssapi
make
make install
# ldd /usr/local/dovecot-1.0.10_test/sbin/dovecot
libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0
liblber-2.3.so.0 => /opt/csw/lib/sparcv8/liblber-2.3.so.0
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
librt.so.1 => /lib/librt.so.1
libsendfile.so.1 => /lib/libsendfile.so.1
libc.so.1 => /lib/libc.so.1
libresolv.so.2 => /lib/libresolv.so.2
libgen.so.1 => /lib/libgen.so.1
libnet.so => /opt/csw/lib/sparcv8/libnet.so
libsasl2.so.2 => /opt/csw/lib/sparcv8/libsasl2.so.2
libssl.so.0.9.8 => /opt/csw/lib/sparcv8plus+vis/libssl.so.0.9.8
libcrypto.so.0.9.8 => /opt/csw/lib/sparcv8plus+vis/libcrypto.so.0.9.8
libmp.so.2 => /lib/libmp.so.2
libmd5.so.1 => /lib/libmd5.so.1
libscf.so.1 => /lib/libscf.so.1
libaio.so.1 => /lib/libaio.so.1
libdl.so.1 => /lib/libdl.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libm.so.2 => /lib/libm.so.2
/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
/platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1
Then to use Sun LDAP, I removed the Blastwave OpenLDAP packages, and only
-llber from the build environment:
pkgrm CSWoldapclient CSWoldaprt
export PATH=/usr/bin:/usr/sbin:/usr/ccs/bin:/opt/SUNWspro/bin
LD_OPTIONS='-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST'
CPPFLAGS='-I/opt/csw/include -I/opt/csw/mysql5/include/mysql'
LDFLAGS='-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap'
CFLAGS='-O -xarch=v8'
export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS
CC=/opt/SUNWspro/bin/cc
CXX=/opt/SUNWspro/bin/CC
F77=/opt/SUNWspro/bin/f77
export CC CXX F77
PKG_CONFIG_PATH=/opt/csw/lib
export PKG_CONFIG_PATH
./configure \
--prefix=/usr/local/dovecot-1.0.10_test_sunldap \
--mandir=/opt/csw/share/man \
--with-libiconv-prefix=/opt/csw \
--with-shadow \
--with-pam \
--with-ldap \
--with-mysql \
--with-ssl=openssl \
--with-ssldir=/opt/csw/ssl \
--enable-header-install \
--with-gssapi
make
make install
# ldd /usr/local/dovecot-1.0.10_test_sunldap/sbin/dovecot
libldap.so.5 => /usr/lib/libldap.so.5
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
librt.so.1 => /lib/librt.so.1
libsendfile.so.1 => /lib/libsendfile.so.1
libc.so.1 => /lib/libc.so.1
libsasl.so.1 => /usr/lib/libsasl.so.1
libmd5.so.1 => /lib/libmd5.so.1
libnspr4.so => /usr/lib/mps/libnspr4.so
libplc4.so => /usr/lib/mps/libplc4.so
libnss3.so => /usr/lib/mps/libnss3.so
libssl3.so => /usr/lib/mps/libssl3.so
libmp.so.2 => /lib/libmp.so.2
libscf.so.1 => /lib/libscf.so.1
libaio.so.1 => /lib/libaio.so.1
libpthread.so.1 => /lib/libpthread.so.1
libthread.so.1 => /lib/libthread.so.1
libdl.so.1 => /lib/libdl.so.1
libsoftokn3.so => /usr/lib/mps/libsoftokn3.so
libplds4.so => /usr/lib/mps/libplds4.so
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libbsm.so.1 => /lib/libbsm.so.1
libsecdb.so.1 => /lib/libsecdb.so.1
libtsol.so.2 => /lib/libtsol.so.2
libcmd.so.1 => /lib/libcmd.so.1
libm.so.2 => /lib/libm.so.2
/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
/platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1
/usr/lib/mps/cpu/sparcv8plus/libnspr_flt4.so
Each time, the dovecot binary was linked to /opt/csw/sbin/dovecot, and the
cswdovecot service restarted, using always the same
/opt/csw/etc/dovecot.conf file.
----------------------------------------------------------------------
(0005163) asmoore (reporter) - 2008-03-04 07:16
http://www.opencsw.org/mantis/view.php?id=2760#c5163
----------------------------------------------------------------------
I am not sure, but I doubt either of us can fix this. That is why I built
dovecot-pam without OpenLDAP to prove that OpenLDAP bindings were the
problem. The next package tried to determine which binary needed to be
switched by adding /opt/csw/sbin/dovecot-pam for you to rename.
I do not mind building dovecot twice, but I need to have only one package
since I cannot duplicate filenames across packages.
The best option is to determine which binaries needs to be switched.
Assuming it is that simple. Let me make another package that includes some
files to rename.
----------------------------------------------------------------------
(0005177) laurent (reporter) - 2008-03-07 10:42
http://www.opencsw.org/mantis/view.php?id=2760#c5177
----------------------------------------------------------------------
The strange thing is, when you provided me with the testing package
including two binaries, neither of them worked as I reported above, when
the one without LDAP should have...
----------------------------------------------------------------------
(0005178) asmoore (reporter) - 2008-03-07 18:02
http://www.opencsw.org/mantis/view.php?id=2760#c5178
----------------------------------------------------------------------
Now I am confused. I have copied text from above for verification. This
test was done with a dovecot package built without OpenLDAP at all.
------copied
-----------------------------------------------------------------------
laurent - 2008-02-04 04:12 EST
-----------------------------------------------------------------------
I installed it, and a first test shows that a PAM-authenticated user now
can log in. Thanks!
------end of copied text
If that package actually did Not work, then I am at a loss for what to do.
----------------------------------------------------------------------
(0005179) laurent (reporter) - 2008-03-10 11:33
http://www.opencsw.org/mantis/view.php?id=2760#c5179
----------------------------------------------------------------------
I was referring to your message from 2008-02-24 11:05, in which you said:
====
I have built dovecot twice and have only the one package available. I
added /opt/csw/sbin/dovecot-pam.ldap to the package, as I think that this
is all that is really needed.
====
And *that* didn't work, as I pointed out below. I believe it might be
because /opt/csw/libexec/dovecot binaries also contains references to
libldap:
imap:
libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0
imap-login:
libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0
So including an alternative, OpenLDAP-free version doesn't seem to be
that simple.
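[Editor's added example, not code from the thread or from the CSWdovecot package.] The ldd comparison in 0005162 and the imap/imap-login finding in 0005179 both come down to one check: which object satisfies libldap/liblber for each dovecot executable. The script below automates that check over every binary the package installs, flagging any libldap*/liblber* that resolves outside /lib or /usr/lib (i.e. to OpenCSW's OpenLDAP under /opt/csw rather than Sun's libldap.so.5). The /opt/csw paths are the ones used in the thread; the embedded ldd excerpts are constructed from the listings laurent posted so the filter can be exercised without a Solaris box.

```shell
#!/bin/sh
# Added example (not from the thread or the CSWdovecot package): report every
# dovecot executable whose libldap/liblber is satisfied by a library outside
# the Solaris system directories (/lib, /usr/lib), i.e. by OpenCSW's OpenLDAP.
# Assumptions: ldd(1) prints "lib => path" lines as in the thread, and the
# package installs under /opt/csw as shown in the thread.

# Read ldd-style output on stdin; print "lib => path" for each libldap*/liblber*
# that does not resolve under /lib or /usr/lib.
foreign_ldap_libs() {
    awk '$1 ~ /^lib(ldap|lber)/ && $2 == "=>" && $3 !~ /^\/(usr\/)?lib\// {
             print $1 " => " $3
         }'
}

# Count such libraries in one captured ldd output (passed as a string).
count_foreign() {
    printf '%s\n' "$1" | foreign_ldap_libs | wc -l | tr -d ' '
}

# Walk the installed binaries. Returns non-zero if any of them is still
# linked against a non-system libldap, which is the state laurent found in
# /opt/csw/libexec/dovecot/imap and imap-login.
scan_dovecot() {
    rc=0
    for bin in /opt/csw/sbin/dovecot /opt/csw/libexec/dovecot/*; do
        [ -x "$bin" ] || continue
        hits=$(ldd "$bin" 2>/dev/null | foreign_ldap_libs)
        if [ -n "$hits" ]; then
            printf '%s:\n%s\n' "$bin" "$hits"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples, abridged from the two ldd listings in the thread.
OPENLDAP_LDD='libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0
liblber-2.3.so.0 => /opt/csw/lib/sparcv8/liblber-2.3.so.0
libsocket.so.1 => /lib/libsocket.so.1
libsasl2.so.2 => /opt/csw/lib/sparcv8/libsasl2.so.2'

SUNLDAP_LDD='libldap.so.5 => /usr/lib/libldap.so.5
libsocket.so.1 => /lib/libsocket.so.1
libsasl.so.1 => /usr/lib/libsasl.so.1'

# Stand-alone run: report on the samples, then on the installed package if present.
printf 'OpenLDAP build: %s foreign LDAP libs\n' "$(count_foreign "$OPENLDAP_LDD")"
printf 'Sun LDAP build: %s foreign LDAP libs\n' "$(count_foreign "$SUNLDAP_LDD")"
if [ -d /opt/csw/libexec/dovecot ]; then
    scan_dovecot
fi
```

A binary that passes this check can still pull in OpenLDAP indirectly through another /opt/csw library, so on the Solaris host itself the definitive test is to start dovecot with LD_DEBUG=bindings set (ld.so.1 then logs which object each ldap_* reference is bound to) and confirm that pam_ldap's calls land in /usr/lib/libldap.so.5 rather than in libldap-2.3.so.0.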
----------------------------------------------------------------------
(0005181) asmoore (reporter) - 2008-03-10 19:06
http://www.opencsw.org/mantis/view.php?id=2760#c5181
----------------------------------------------------------------------
Yes, I agree that the problem is all of the other files that still have the
link to OpenLDAP.
One option is for me to create something like this. A core package
dovecot_core which does not include any files from the following packages,
then a dovecot bin package with OpenLDAP dovecot (the old one), and
finally, a dovecot bin package without OpenLDAP that is named dovecot_pam.
Both packages would depend on dovecot_core. dovecot_core would have no
files linked with OpenLDAP.
This will make more sense when I have the install scripts correct. I
started working on this a few days ago. When I am ready, I will let you
know.
----------------------------------------------------------------------
(0005185) laurent (reporter) - 2008-03-11 05:23
http://www.opencsw.org/mantis/view.php?id=2760#c5185
----------------------------------------------------------------------
Okay, sounds good, I'll try it as soon as it's ready!
----------------------------------------------------------------------
(0005779) skayser (administrator) - 2009-03-29 13:11
http://www.opencsw.org/mantis/view.php?id=2760#c5779
----------------------------------------------------------------------
CSWdovecot has a new maintainer and an updated dovecot version (1.1.11) has
been published to current.
I have successfully tested this new package on Solaris 10 x86 with dovecot
authenticating users directly against LDAP (Sun DS 6.3) as well as via PAM
LDAP. Could you please verify that the updated package addresses your
authentication problems also?
Issue History
Date Modified Username Field Change
======================================================================
2009-03-29 13:11 skayser Note Added: 0005779
2009-03-29 13:11 skayser Assigned To asmoore => skayser
2009-03-29 13:11 skayser Status assigned => feedback
======================================================================