Penguin

Differences between version 27 and predecessor to the previous major change of CyrusNotes.


Newer page: version 27 Last edited on Tuesday, September 21, 2004 11:18:44 am by EugeneWood Revert
Older page: version 25 Last edited on Thursday, June 24, 2004 5:36:25 pm by CraigMckenna Revert
@@ -12,8 +12,9 @@
 * Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:%%% 
 auth sufficient /lib/security/pam_ldap.so%%% 
 account sufficient /lib/security/pam_ldap.so%%% 
 * Edit /etc/openldap/ldap.conf and add the following lines: 
+* __Note:__ Please see below regarding wether to modify /etc/openldap/ldap.conf or /etc/ldap.conf  
 host your.ldap.server%%% 
 base ou=Your-Account-Container,dc=your,dc=domain,dc=components%%% 
 scope sub%%% 
 pam_login_attribute uid%%% 
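Review bot: "wether" in the added `__Note:__` line should be "whether", and the note is inserted between the `Edit /etc/openldap/ldap.conf` bullet and the `host`/`base`/`scope`/`pam_login_attribute` lines that bullet introduces, so it splits the very block it is commenting on. Rather than pointing readers "below" to learn which file to edit, correct the instruction here: name the file pam_ldap actually reads and say that `/etc/openldap/ldap.conf` only configures the OpenLDAP client tools. This matters for the security outcome, not just tidiness: with the settings in the wrong file, pam_ldap never finds the account container and every IMAP/POP login is refused, which is exactly what the log lines added further down in this diff show.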
@@ -38,9 +39,9 @@
 * Edit /etc/defaults/saslauthd and ensure that START="yes" and MECHANISM="pam" are uncommented 
 * Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:%%% 
 auth sufficient /lib/security/pam_ldap.so%%% 
 account sufficient /lib/security/pam_ldap.so%%% 
-* Edit /etc/openldap/ldap.conf and add the following lines: 
+* Edit /etc/openldap/ldap.conf (SEE NOTE BELOW regarding /etc/openldap/ldap.conf vs. /etc/ldap.conf) and add the following lines: 
 host your.ldap.server%%% 
 base ou=Your-Account-Container,dc=your,dc=domain,dc=components%%% 
 scope sub%%% 
 pam_login_attribute uid%%% 
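Review bot: this second copy of the recipe gets a different fix from the first: an inline `(SEE NOTE BELOW ...)` parenthetical here versus a separate `__Note:__` bullet in the hunk above. Use one wording in both places and drop the capitals so the bullet stays readable. Since the two recipes differ only in the `saslauthd` step, consider merging the shared pam_ldap steps so the next correction has to be made once. While touching this block, the Debian file in the context line is `/etc/default/saslauthd` (singular), not `/etc/defaults/saslauthd`.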
@@ -59,16 +60,25 @@
  
 ''Another thing that tripped me up the second time around is the permissions on /var/run/saslauthd if you're using that as your auth mechanism - just make sure that cyrus can read it and all will be fine -- TomHibbert'' 
  
 ''The best way to do this IMO is to make a sasl group on your system, make cyrus a member of this group, and give /var/run/saslauthd/ group +x permissions (only needs +x in order to be able to get into the dir, the actual socket on /var/run/saslauthd/mux is world +rwx anyway). This way, if you have other apps that use sasl, you just need to make them members of the sasl group as well and they can also read the socket. This is, AFAIK, the way the debian packages normally handle this -- DanielLawson'' 
+  
+''I slammed my head against this for some time before figuring out that even though openldap creates /etc/openldap/ldap.conf as it's ldap client default configuration file, other programs aren't looking for that file. They're looking for /etc/ldap.conf. The additions listed above for /etc/openldap/ldap.conf should actually be added to /etc/ldap.conf I figured this out by setting the loglevel on openldap to -1 and watching the conversation while doing a cyradm --user cyrus localhost -- EugeneWood''  
+  
+''Here is what I was seeing in /var/log/messages Hopefully someone will catch this page from google with these terms -- EugeneWood''  
+  
+ Sep 20 14:44:35 ''server'' perl: No worthy mechs found  
+ Sep 20 14:44:37 ''server'' saslauthd[[6341]: pam_ldap: ldap_search_s No such object  
+ Sep 20 14:44:37 ''server'' saslauthd[[6341]: do_auth : auth failure: [[user=cyrus] [[service=imap] [[realm=] [[mech=pam] [[reason=PAM auth error]  
  
 ---- 
 !!Recovering from accidental deletion of mailspool dir 
  
 If you have (stupidly - I did ths!) deleted the cyrus spool directory for a mailbox, you will find you are unable to easily remove the mailbox from the db - cyrus will always think it exists. While I have no reason to believe this will harm anything, it is not a pleasant state to leave things in. I fixed it like this: 
  
 # Copy an existing mailbox spool dir, being careful to preserve the permissions, and name it the same as the one you deleted. 
-# As the cyrus admin user, run reconstruct -f nameofmailbox (eg /usr/lib/cyrus/bin/reconstruct -f user/mailbox@I.accidentally.trashed). 
+# Su to the cyrus admin user (ie su cyrus)  
+# Run reconstruct -f nameofmailbox (eg /usr/lib/cyrus/bin/reconstruct -f user/mailbox@I.accidentally.trashed). 
 # Use the cyradm "sam" command to set the acls on the mailbox so the cyrus user has full rights to it 
 # NOW you can use dm to delete the mailbox. 
 # Don't do it again! ;)
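Review bot: the added log excerpt should be tied back to the instructions instead of left for readers to decode: `pam_ldap: ldap_search_s No such object` means the search base pam_ldap used does not exist in the directory, which is what happens when the `base ou=...` line lives in `/etc/openldap/ldap.conf` (read by the OpenLDAP client tools) rather than in the file pam_ldap reads, and the following `do_auth : auth failure: ... [reason=PAM auth error]` is saslauthd passing that failure back to Cyrus. Say so in the note and fix the two recipes above accordingly. The `perl: No worthy mechs found` line is the cyradm client failing SASL negotiation on the same attempt and is worth keeping. Two smaller points: setting the slapd loglevel to -1 logs every operation in detail and should be turned back down once the diagnosis is done, and the new `su cyrus` step only works if the cyrus system account has a login shell; `su -s /bin/sh cyrus` (or `sudo -u cyrus ...`) works either way.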