| Rev | Author | # | Line |
|---|---|---|---|
| 37 | CraigBox | 1 | !!! Connecting [Cyrus] to [LDAP] |
| 2 | |||
| 3 | !!__Implementing__ [Cyrus] __on Redhat with an [LDAP] backend__ | ||
| 35 | DirkDuenkelmann | 4 | |
| 5 | Note: It is assumed that you already have an [LDAP] backend capable of authenticating via uid and userPassword attributes. This does not need to be on the same box as the cyrus imap server. It should have a valid "cyrus" user though. | ||
| 6 | |||
| 37 | CraigBox | 7 | Using RPMs downloaded from [Simon Matter's Website|http://www.invoca.ch/pub/packages/cyrus-imapd/]: |
| 35 | DirkDuenkelmann | 8 | |
| 9 | * Build from the source RPMs: rpmbuild -ba --target ''arch'' cyrus-imapd-2.x.x-x.src.rpm | ||
| 10 | * Install ALL of the resulting RPMS. | ||
| 11 | * __Note:__ if you are happy without LDAP authentication, you may skip to the cyradm section below. | ||
| 12 | * Edit /etc/imapd.conf - ensure sasl_pwcheck_method is set to ''saslauthd''. That's right. EVEN though you will be using pam! | ||
| 13 | * Edit /etc/sysconfig/saslauthd, and add the line MECH="pam" | ||
| 14 | * Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines: | ||
| 15 | <pre> | ||
| 16 | auth sufficient /lib/security/pam_ldap.so | ||
| 17 | account sufficient /lib/security/pam_ldap.so | ||
| 18 | </pre> | ||
| 37 | CraigBox | 19 | * Edit /etc/openldap/ldap.conf and add the following lines.%%%__Note:__ Please see below regarding whether to modify /etc/openldap/ldap.conf or /etc/ldap.conf |
| 35 | DirkDuenkelmann | 20 | <pre> |
| 21 | host your.ldap.server | ||
| 22 | base ou=Your-Account-Container,dc=your,dc=domain,dc=components | ||
| 23 | scope sub | ||
| 24 | pam_login_attribute uid | ||
| 25 | </pre> | ||
| 26 | * Ensure saslauthd and cyrus-imapd are set to start at boot time (chkconfig saslauthd on && chkconfig cyrus-imapd on). | ||
| 27 | * Start both services (service saslauthd start && service cyrus-imapd start). | ||
| 28 | * That's it - you can now create mailboxes, and auth to them using your LDAP accounts. | ||
| 29 | |||
| 30 | !__Implementing__ [Cyrus] __2.1 on Debian Woody with an LDAP backend__ | ||
| 31 | |||
| 37 | CraigBox | 32 | This is the same as above, but implemented under Debian Woody instead. Again, make sure there is a cyrus user with a password you can use to run cyradm. |
| 35 | DirkDuenkelmann | 33 | |
| 34 | Get the backported cyrus21 debs and dependencies from http://people.debian.org/~hmh/ or the cyrus21 debs from sid/unstable. | ||
| 35 | |||
| 37 | CraigBox | 36 | * Install cyrus21-{admin,clients,common,docs,imapd,pop3d} |
| 37 | * Install libsasl2-modules libsasl2 sasl2-bin | ||
| 35 | DirkDuenkelmann | 38 | * Make sure /etc/sasldb2 is readable by group sasl. Pay attention to overrides (dpkg-statoverride)! |
| 39 | * Make sure user cyrus belongs to group sasl (cyrus21-common's install tries to do this automatically for you). | ||
| 40 | * __Note:__ if you are happy without LDAP authentication, you may skip to the cyradm section below. | ||
| 41 | * Edit /etc/cyrus.conf and check that the processes you want running are enabled | ||
| 42 | * Edit /etc/imapd.conf - ensure sasl_pwcheck_method is set to ''saslauthd''. Set the admin user to cyrus. I also suggest enabling plain text logins, and setting sasl_minimum_layer: 0 | ||
| 43 | * Edit /etc/defaults/saslauthd and ensure that START="yes" and MECHANISM="pam" are uncommented | ||
| 44 | * Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:%%% | ||
| 45 | <pre> | ||
| 46 | auth sufficient /lib/security/pam_ldap.so | ||
| 47 | account sufficient /lib/security/pam_ldap.so | ||
| 48 | </pre> | ||
| 37 | CraigBox | 49 | * Edit /etc/ldap.conf (SEE NOTE BELOW regarding /etc/openldap/ldap.conf vs. /etc/ldap.conf) and add the following lines: |
| 35 | DirkDuenkelmann | 50 | <pre> |
| 51 | host your.ldap.server | ||
| 52 | base ou=Your-Account-Container,dc=your,dc=domain,dc=components | ||
| 53 | scope sub | ||
| 54 | pam_login_attribute uid | ||
| 55 | </pre> | ||
| 56 | * Ensure saslauthd and cyrus-imapd are set to start at boot time (update-rc.d cyrus21 defaults && update-rc.d saslauthd defaults) | ||
| 57 | * Start both services (/etc/init.d/saslauthd start && /etc/init.d/cyrus-imapd start). | ||
| 58 | * That's it - you can now create mailboxes, and auth to them using your LDAP accounts. | ||
| 59 | |||
| 37 | CraigBox | 60 | Be warned: there is a nasty bug regarding Cyrus and SASL on Debian Woody that can cause a lot of problems. If you don't need it, you need to get the deb src, edit debian/rules and remove --with-cyrus-sasl, recompile, and reinstall. Note that this is a bug with cyrus and not LDAP/SASL. |
| 61 | |||
| 62 | !! Troubleshooting | ||
| 63 | |||
| 64 | !!Login failed: generic failure at /usr/lib/perl5/Cyrus/IMAP/Admin.pm line 118 | ||
| 65 | |||
| 66 | Also found in syslog: | ||
| 35 | DirkDuenkelmann | 67 | |
| 68 | <verbatim> | ||
| 69 | Oct 12 22:57:56 ''server'' perl: No worthy mechs found | ||
| 37 | CraigBox | 70 | Oct 12 22:57:57 ''server'' cyrus/imapd[''number'']: cannot connect to saslauthd server: Permission denied |
| 35 | DirkDuenkelmann | 71 | </verbatim> |
| 72 | |||
| 37 | CraigBox | 73 | You need to make sure that Cyrus can read /var/run/saslauthd/mux. The best way to do this (as done in Sarge and up) is to make a 'sasl' group on your system, make 'cyrus' a member of this group, and set /var/run/saslauthd/ group +x permissions (only needs +x in order to be able to get into the dir, the actual socket on /var/run/saslauthd/mux is world +rwx anyway). This way, if you have other apps that use SASL, you just need to make them members of the sasl group as well and they can also read the socket. |
| 36 | PaWell | 74 | |
| 37 | CraigBox | 75 | !! No worthy mechs found |
| 35 | DirkDuenkelmann | 76 | |
| 77 | <verbatim> | ||
| 78 | Sep 20 14:44:35 ''server'' perl: No worthy mechs found | ||
| 79 | Sep 20 14:44:37 ''server'' saslauthd[6341]: pam_ldap: ldap_search_s No such object | ||
| 80 | Sep 20 14:44:37 ''server'' saslauthd[6341]: do_auth : auth failure: [user=cyrus] | ||
| 81 | [service=imap] [realm=] [mech=pam] [reason=PAM auth error] | ||
| 82 | </verbatim> | ||
| 37 | CraigBox | 83 | |
| 40 | CraigBox | 84 | The LDAP client config file can be at either /etc/openldap/ldap.conf or /etc/ldap.conf. The additions listed above for /etc/openldap/ldap.conf should actually be added to /etc/ldap.conf. This was figured out by setting the loglevel on openldap to -1 and watching the conversation while doing a <tt>cyradm --user cyrus localhost</tt>. |
| 37 | CraigBox | 85 | |
| 86 | In Debian, the file is /etc/pam_ldap.conf with content as in /etc/openldap/ldap.conf. You should configure it with <tt>dpkg-reconfigure libpam-ldap</tt>. | ||
| 38 | CraigBox | 87 | |
| 88 | !! auth failure: ~[user=user] ~[service=imap] ~[realm=domain.co.nz] ~[mech=pam] ~[reason=PAM auth error] | ||
| 89 | |||
| 39 | CraigBox | 90 | <verbatim> |
| 38 | CraigBox | 91 | Aug 24 15:01:49 vienne saslauthd[29787]: (pam_unix) check pass; user unknown |
| 92 | Aug 24 15:01:49 vienne saslauthd[29787]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= | ||
| 93 | Aug 24 15:01:52 vienne saslauthd[29787]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module | ||
| 94 | Aug 24 15:01:52 vienne saslauthd[29787]: do_auth : auth failure: [user=craig] [service=imap] [realm=domain.co.nz] [mech=pam] [reason=PAM auth error] | ||
| 39 | CraigBox | 95 | </verbatim> |
| 38 | CraigBox | 96 | |
| 97 | You're using a new saslauthd, which by default, will present the user without the @domain.co.nz in it. This might break your virtual hosting setup. The fix is add -r to your saslauthd command line, which on Debian you can do in /etc/default/saslauthd with <tt>PARAMS="-r"</tt>.([Debian bug|http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248333]) | ||
| 37 | CraigBox | 98 | |
| 99 | Note: see [LDAPNotes] for more information regarding LDAP under Debian. | ||
| 42 | JohnMcPherson | 100 | |
| 101 | !! cyradm: cannot connect to server | ||
| 102 | (cyrus2.2 on Debian 4.0 (Etch)) | ||
| 103 | |||
| 104 | Following the walkthrough in /usr/share/doc/cyrus-imapd-2.2/README.Debian.simpleinstall.gz, I got to here and couldn't log in as admin to create users. | ||
| 105 | |||
| 106 | The problem was that I had only enabled imaps (ie over SSL) and not imap in /etc/cyrus.conf, and the cyradm tool appears to do configuration over plain imap. Enable ''imap'' in /etc/cyrus.conf, restart cyrus, and you should now be able to log in to localhost using cyradm. | ||
| 37 | CraigBox | 107 | |
| 35 | DirkDuenkelmann | 108 | ---- |
| 37 | CraigBox | 109 | |
| 110 | !! Recovering from accidental deletion of mailspool dir | ||
| 35 | DirkDuenkelmann | 111 | |
| 41 | DavidHallett | 112 | If you have (stupidly - I did this!) deleted the cyrus spool directory for a mailbox, you will find you are unable to easily remove the mailbox from the db - cyrus will always think it exists. While I have no reason to believe this will harm anything, it is not a pleasant state to leave things in. I fixed it like this: |
| 35 | DirkDuenkelmann | 113 | |
| 114 | # Copy an existing mailbox spool dir, being careful to preserve the permissions, and name it the same as the one you deleted. | ||
| 115 | # Su to the cyrus admin user (ie su cyrus) | ||
| 116 | # Run reconstruct -f nameofmailbox (eg /usr/lib/cyrus/bin/reconstruct -f user/mailbox@I.accidentally.trashed). | ||
| 117 | # Use the cyradm "sam" command to set the acls on the mailbox so the cyrus user has full rights to it | ||
| 118 | # NOW you can use dm to delete the mailbox. | ||
| 119 | # Don't do it again! ;) | ||
| 120 | |||
| 121 | !! Getting Sieve working with Cyrus2.1 on Debian Sarge | ||
| 122 | |||
| 123 | By Default Cyrus2.1 uses SASL2 based Authentication, which requires the installation of sasl2-bin, but doesn't install libsasl2-modules, which are required for sieve authentication. | ||
| 124 | Websieve login will fail without libsasl2-modules. | ||
| 125 | |||
| 37 | CraigBox | 126 | !! Setting Cyrus to listen for [LMTP] deliver |
| 35 | DirkDuenkelmann | 127 | |
| 37 | CraigBox | 128 | Cyrus supports [LMTP] mail delivery - this is much more efficient than using a delivery program such as deliver, or using procmail. Edit /etc/cyrus.conf and enable a SERVICES entry similar to the following (it may already be enabled) |
| 35 | DirkDuenkelmann | 129 | |
| 130 | <verbatim> | ||
| 131 | lmtp cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0 | ||
| 132 | </verbatim> | ||
| 133 | |||
| 134 | This will listen for lmtp on the localhost IP. You may wish to use a unix domain socket instead: | ||
| 135 | |||
| 136 | <verbatim> | ||
| 137 | lmtpunix cmd="lmtpd -a" listen="/var/imap/socket/lmtp" prefork=0 | ||
| 138 | </verbatim> | ||
| 139 | |||
| 37 | CraigBox | 140 | You can now set your MTA to deliver to Cyrus via [LMTP], by specifying the appropriate address. See [LMTPNotes] for more information, or EximNotes for connecting to Exim. |
| 35 | DirkDuenkelmann | 141 | |
| 37 | CraigBox | 142 | !! Delivering to Cyrus from procmail |
| 35 | DirkDuenkelmann | 143 | |
| 37 | CraigBox | 144 | If you happen to be using an MTA that doesn't support [LMTP] delivery, and you really have to use something like procmail to get the mail from the MTA into Cyrus, then you MUST use the __deliver__ program packaged with Cyrus. Do not attempt to deliver directly into the Cyrus mailspool. |
| 35 | DirkDuenkelmann | 145 | |
| 37 | CraigBox | 146 | See ProcmailNotes for an example recipe snippet. Or upgrade your MTA to something like Exim or Postfix. |
| 35 | DirkDuenkelmann | 147 | |
| 148 | ---- | ||
| 149 | CategoryMailNotes |
lib/blame.php:177: Warning: Invalid argument supplied for foreach() (...repeated 7 times)