This is a discussion on "Re: Authentication failed." within the mailing.postfix.users forums, part of the Mail Servers and Related category.
Tony Earnshaw wrote:
> Mon, 30.05.2005 at 06:38, sam wun wrote:
>
> [...]
>
>> As I look further in the debug.log, I found slapd may have some
>> problem with user mailadmin:
>> May 30 12:30:25 mail02 slapd[468]: conn=10 fd=10 ACCEPT from
>> IP=127.0.0.1:50912 (IP=0.0.0.0:389)
>> May 30 12:30:25 mail02 slapd[468]: conn=10 op=0 BIND
>> dn="cn=mailadmin,ou=admin,dc=authtec,dc=com" method=128
>> May 30 12:30:25 mail02 slapd[468]: conn=10 op=0 RESULT tag=97 err=49 text=
>> May 30 12:30:26 mail02 slapd[468]: conn=10 fd=10 closed
>>
>> In the slapd.conf file,
>> I define the following access rule for mailadmin:
>> access to dn.subtree="ou=mail02,dc=authtec,dc=com"
>>         by dn="cn=mailadmin,ou=admin,dc=authtec,dc=com" write
>>         by * none
>>
>
> Nobody can authenticate.
>

I have removed all ACLs. I assumed LDAP would allow all access without an explicitly defined ACL.

>> Here is the postfix.ldif file I used to populate mail users into the LDAP
>> database (BDB):
>> dn: ou=admin,dc=authtec,dc=com
>> ou: admin
>> objectClass: top
>> objectClass: organizationalUnit
>>
>> dn: ou=mail02,dc=authtec,dc=com
>> ou: mail02
>> objectClass: top
>> objectClass: organizationalUnit
>>
>> dn: cn=mailadmin,ou=admin,dc=authtec,dc=com
>> cn: mailadmin
>> mail: mailadmin@authtec.com
>> uid: mailadmin
>> displayName: mail admin
>> gidNumber: 80
>> uidNumber: 80
>> userStatus: 1
>> mailMessageStore: authtec.com/mailadmin/Maildir/
>> mailQuota: 1000000
>> userPassword: 2320419
>> objectClass: mailUser
>>
>
> That's probably a typo, should be qmailUser. There's no structural
> objectClass, I can't see how OpenLDAP ever accepted this, unless you set
> schemacheck off in slapd.conf (bad).
>

The mail.schema had objectClass defined as mailUser.
When creating the LDAP password, I entered the following top-level objectClass data on the command line:

dn: dc=authtec,dc=com
objectClass: dcObject
objectClass: organization
dc: authtec
o: Corporation

>> objectClass: top
>> homeDirectory: /usr/local/vmail
>>
>> dn: uid=test,ou=mail02,dc=authtec,dc=com
>> cn: test
>> uid: test
>> displayName: test user
>> uidNumber: 80
>> gidNumber: 80
>>
>
> You can't give 2 users the same uidNumber.
>

I changed one uid# to 800, gid# to 800, the other uid# to 80, gid# to 80. After removing all openldap-data/* db files and restarting slapd, recreating the LDAP password and populating the changed data into the empty LDAP database, I am still having a similar error with the same test on port 110.

May 30 14:23:32 mail02 postfix/trivial-rewrite[742]: warning: dict_ldap_lookup: Search error -7: Bad search filter
May 30 14:23:32 mail02 postfix/trivial-rewrite[742]: fatal: ldap:mailuser(0,100): table lookup problem
May 30 14:23:33 mail02 postfix/qmgr[567]: warning: premature end-of-input on private/rewrite socket while reading input attribute name
May 30 14:23:33 mail02 postfix/qmgr[567]: warning: problem talking to service rewrite: Unknown error: 0
May 30 14:23:33 mail02 postfix/master[565]: warning: process /usr/local/libexec/postfix/trivial-rewrite pid 742 exit status 1
May 30 14:23:33 mail02 postfix/master[565]: warning: /usr/local/libexec/postfix/trivial-rewrite: bad command startup -- throttling
May 30 14:23:39 mail02 pop3d: LOGIN FAILED, user=test@authtec.com, ip=[::1]
May 30 14:23:59 mail02 pop3d: LOGOUT, ip=[::1]

Thanks
Sam

>> userPassword: testtest
>> userStatus: 1
>> objectClass: mailUser
>> objectClass: top
>> mail: test@authtec.com
>> mailMessageStore: authtec.com/test/Maildir/
>> homeDirectory: /usr/local/vmail
>>
>
> Same - no structural objectClass. Shouldn't have been accepted.
>
>>>> How can I track down the problem in detail?
>>>>
>
> Get a copy of the OpenLDAP 2.2 admin doc from www.openldap.org and at
> least get the quick start bit working. Make sure that you know exactly
> what you're doing and why. Make sure you understand ACLs and what they're
> for. Set schemacheck on again. Further questions to the OpenLDAP ML.
> Later, when setting up authdaemond (authlib?), make sure you understand
> what the LDAP parameters do, further questions to the Courier ML.
>
> --Tonni
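The two defects Tony points at (entries with no structural objectClass and two entries sharing a uidNumber) and the failed bind in the slapd log (RESULT err=49, which is the LDAP invalidCredentials result code) can all be caught before restarting slapd and retrying the POP3 login. The checker below is an added example, not code from the thread or from either poster. It assumes a minimal LDIF without base64 values or folded lines, and the set of structural object classes it knows about (STRUCTURAL) is a constructed list covering the core schema; which classes are structural in a given server depends on the schema files loaded in slapd.conf, so adjust it accordingly. The LDIF and log samples are constructed to mirror the thread.

```python
import re
from collections import defaultdict

# Assumed set of structural object classes (lower-cased).  This is a
# constructed list for the core/cosine schema, not a complete one; which
# classes are structural depends on the schema files slapd loads.
STRUCTURAL = {"organization", "organizationalunit", "person",
              "organizationalperson", "inetorgperson", "account"}


def parse_ldif(text):
    """Parse a minimal LDIF (no '::' base64 values, no folded lines) into a
    list of entries; each entry maps a lower-cased attribute name to its
    list of values.  LDAP attribute names are case-insensitive."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":                 # a dn line starts a new entry
            cur = {"dn": [value]}
            entries.append(cur)
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries


def check_entries(entries, structural=STRUCTURAL):
    """Return sorted (dn, problem) pairs for entries that carry no structural
    objectClass and for uidNumber values shared by more than one entry."""
    problems = []
    owners = defaultdict(list)           # uidNumber -> [dn, ...]
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if not classes & structural:
            problems.append((dn, "no structural objectClass"))
        for n in e.get("uidnumber", []):
            owners[n].append(dn)
    for n, dns in owners.items():
        if len(dns) > 1:
            for dn in dns:
                problems.append((dn, "uidNumber %s shared by %d entries" % (n, len(dns))))
    return sorted(problems)


BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def failed_binds(log):
    """Pair each BIND with the RESULT carrying the same conn/op and return
    (dn, err) for every bind whose result code is not 0 (success)."""
    pending, failures = {}, []
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            err = int(m.group(3))
            if dn is not None and err != 0:
                failures.append((dn, err))
    return failures


# Constructed sample data mirroring the thread's LDIF and slapd log lines.
SAMPLE_LDIF = """\
dn: ou=admin,dc=authtec,dc=com
ou: admin
objectClass: top
objectClass: organizationalUnit

dn: ou=mail02,dc=authtec,dc=com
ou: mail02
objectClass: top
objectClass: organizationalUnit

dn: cn=mailadmin,ou=admin,dc=authtec,dc=com
cn: mailadmin
uid: mailadmin
uidNumber: 80
gidNumber: 80
objectClass: mailUser
objectClass: top

dn: uid=test,ou=mail02,dc=authtec,dc=com
cn: test
uid: test
uidNumber: 80
gidNumber: 80
objectClass: mailUser
objectClass: top
"""

SAMPLE_LOG = """\
May 30 12:30:25 mail02 slapd[468]: conn=10 fd=10 ACCEPT from IP=127.0.0.1:50912 (IP=0.0.0.0:389)
May 30 12:30:25 mail02 slapd[468]: conn=10 op=0 BIND dn="cn=mailadmin,ou=admin,dc=authtec,dc=com" method=128
May 30 12:30:25 mail02 slapd[468]: conn=10 op=0 RESULT tag=97 err=49 text=
May 30 12:30:26 mail02 slapd[468]: conn=10 fd=10 closed
"""

if __name__ == "__main__":
    for dn, why in check_entries(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s" % (dn, why))
    for dn, err in failed_binds(SAMPLE_LOG):
        print("bind as %s failed, err=%d (49 = invalidCredentials)" % (dn, err))
```

Run against the sample, both user entries are reported twice (no structural class, shared uidNumber 80) while the two organizationalUnit entries pass, and the log scan reports the mailadmin bind as failed with err=49. Binds that fail this way are worth alerting on in production as well, since a burst of err=49 results against one DN is the usual signature of a credential-guessing attempt rather than a misconfiguration.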