Re: Authentication failed. (mailing.postfix.users, Mail Servers and Related category)

Mon, 30.05.2005 at 08:30, sam wun wrote:
[...]
> >>In the slapd.conf file,
> >>I define the following access rule for mailadmin :
> >>access to dn.subtree="ou=mail02,dc=authtec,dc=com"
> >>        by dn="cn=mailadmin,ou=admin,dc=authtec,dc=com" write
> >>        by * none
> >>
> >
> >Nobody can authenticate.
> >
> I have removed all ACLs. I assumed ldap will allow everything access
> without explicitly define ACL.

No.

> >>Here is the postfix.ldif file I used to populate mail user into the ldap
> >>database (BDB):
> >>dn: ou=admin,dc=authtec,dc=com
> >>ou: admin
> >>objectClass: top
> >>objectClass: organizationalUnit
> >>
> >>dn: ou=mail02,dc=authtec,dc=com
> >>ou: mail02
> >>objectClass: top
> >>objectClass: organizationalUnit
> >>
> >>dn: cn=mailadmin,ou=admin,dc=authtec,dc=com
> >>cn: mailadmin
> >>mail: mailadmin@authtec.com
> >>uid: mailadmin
> >>displayName: mail admin
> >>gidNumber: 80
> >>uidNumber: 80
> >>userStatus: 1
> >>mailMessageStore: authtec.com/mailadmin/Maildir/
> >>mailQuota: 1000000
> >>userPassword: 2320419
> >>objectClass: mailUser
> >>
> >
> >That's probably a typo, should be qmailUser. There's no structural
> >objectClass, I can't see how OpenLDAP ever accepted this, unless you set
> >schemacheck off in slapd.conf (bad).
> The mail.schema had objectClass defined as mailUser.

That's a stolen qmail.schema. Never mind, if that objectClass is defined
in the schema, it'll work. But there's still no structural objectClass.

> When creating ldap password, I entered the following top level
> objectClass data in the commandline:
> dn: dc=authtec,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: authtec
> o: Corporation
>
> >
> >>objectClass: top
> >>homeDirectory: /usr/local/vmail
> >>
> >>dn: uid=test,ou=mail02,dc=authtec,dc=com
> >>cn: test
> >>uid: test
> >>displayName: test user
> >>uidNumber: 80
> >>gidNumber: 80
> >>
> >You can't give 2 users the same uidnumber.
> >
> I changed one uid# to 800, gid# to 800, another uid# to 80, gid# 80.

You don't necessarily have to change gidNumbers, but you *have* to know
what you are doing, and you obviously don't. You cannot authenticate
with your null-ACL - there's a perfectly good example in the default
slapd.conf.

> After remove all openldap-data/* db files and restart slapd, recreate
> ldap password and populate the changed data into the empty ldap
> database, I still having the similar error with the same test on port#110.
> May 30 14:23:32 mail02 postfix/trivial-rewrite[742]: warning: dict_ldap_lookup: Search error -7: Bad search filter
> May 30 14:23:32 mail02 postfix/trivial-rewrite[742]: fatal: ldap:mailuser(0,100): table lookup problem
>
> May 30 14:23:33 mail02 postfix/qmgr[567]: warning: premature end-of-input on private/rewrite socket while reading input attribute name
> May 30 14:23:33 mail02 postfix/qmgr[567]: warning: problem talking to service rewrite: Unknown error: 0
> May 30 14:23:33 mail02 postfix/master[565]: warning: process /usr/local/libexec/postfix/trivial-rewrite pid 742 exit status 1
> May 30 14:23:33 mail02 postfix/master[565]: warning: /usr/local/libexec/postfix/trivial-rewrite: bad command startup -- throttling
> May 30 14:23:39 mail02 pop3d: LOGIN FAILED, user=test@authtec.com, ip=[::1]
> May 30 14:23:59 mail02 pop3d: LOGOUT, ip=[::1]

Do what I told you in the first post, get the 2.2 Admin guide and get
Quick Start working. I see you cross posted to the OpenLDAP ML, so
hopefully you can go on from there.

-- 
mail: tonye@billy.demon.nl
http://www.billy.demon.nl

I'm from Bergen too, I am, but, Trondheim mayor Marvin Wiseth:
«The people of Bergen are good at making a lot out of a little»
(he was commenting on this year's 17 May celebration, but it probably
applies to this mail of mine as well).
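
The ACL point raised in the message above, as an added slapd.conf sketch (not part of the original post and not OpenLDAP's shipped sample): the rule quoted in the thread beside a form that lets slapd check binds without making passwords readable. The DNs are the ones from the thread; that Postfix lookups bind as cn=mailadmin is an assumption.

```conf
# BEFORE (the rule quoted in the thread): nobody can bind.
# A simple bind is evaluated while the client is still anonymous, and slapd
# needs "auth" access to userPassword to check it. "by * none" denies that
# inside ou=mail02. Once any "access to" line exists, entries that match no
# rule get no access at all, so cn=mailadmin under ou=admin cannot bind either.
#
# access to dn.subtree="ou=mail02,dc=authtec,dc=com"
#         by dn="cn=mailadmin,ou=admin,dc=authtec,dc=com" write
#         by * none

# AFTER: "access to" rules are tried top-down and the first match wins,
# so the userPassword rule has to come before the broader ones.
# "auth" only lets slapd verify a bind; it does not allow reading,
# searching or comparing the value.
access to attrs=userPassword
        by self write
        by dn.exact="cn=mailadmin,ou=admin,dc=authtec,dc=com" write
        by anonymous auth
        by * none

# Mail subtree: managed by mailadmin, nothing readable by anyone else.
# Assumption: Postfix LDAP lookups bind as cn=mailadmin.
access to dn.subtree="ou=mail02,dc=authtec,dc=com"
        by dn.exact="cn=mailadmin,ou=admin,dc=authtec,dc=com" write
        by anonymous auth
        by * none

# Everything else: binds can be checked, no data is disclosed.
access to *
        by anonymous auth
        by * none
```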