
Differences between version 41 and predecessor to the previous major change of CyrusNotes.


Newer page: version 41 Last edited on Sunday, September 3, 2006 4:11:01 pm by DavidHallett
Older page: version 36 Last edited on Thursday, March 23, 2006 4:28:02 am by PaWell
@@ -1,9 +1,11 @@
-!__Implementing__ [Cyrus] __on Redhat with an [LDAP] backend__ 
+!!! Connecting [Cyrus] to [LDAP]  
+  
+! !__Implementing__ [Cyrus] __on Redhat with an [LDAP] backend__ 
  
 Note: It is assumed that you already have an [LDAP] backend capable of authenticating via uid and userPassword attributes. This does not need to be on the same box as the cyrus imap server. It should have a valid "cyrus" user though. 
  
-Using RPMs downloaded from [Simon Matter's Website|http://www.invoca.ch/pub/packages/cyrus-imapd/]...  
+Using RPMs downloaded from [Simon Matter's Website|http://www.invoca.ch/pub/packages/cyrus-imapd/]:  
  
 * Build from the source RPMs: rpmbuild -ba --target ''arch'' cyrus-imapd-2.x.x-x.src.rpm 
 * Install ALL of the resulting RPMS. 
 * __Note:__ if you are happy without LDAP authentication, you may skip to the cyradm section below. 
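Review bot: the new sub-heading `+! !__Implementing__ [Cyrus] __on Redhat with an [LDAP] backend__` has a space between its two exclamation marks. In this wiki's markup a run of `!` at the start of the line selects the heading level, so `! !` will most likely render as a one-bang heading whose text begins with a literal "!" rather than as a second-level heading under the new `!!! Connecting [Cyrus] to [LDAP]` title. Whichever level is intended, the space should go (`!!__Implementing__ ...` or `!__Implementing__ ...`).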
@@ -13,10 +15,9 @@
 <pre> 
 auth sufficient /lib/security/pam_ldap.so 
 account sufficient /lib/security/pam_ldap.so 
 </pre> 
-* Edit /etc/openldap/ldap.conf and add the following lines:  
-* __Note:__ Please see below regarding whether to modify /etc/openldap/ldap.conf or /etc/ldap.conf 
+* Edit /etc/openldap/ldap.conf and add the following lines.%%% __Note:__ Please see below regarding whether to modify /etc/openldap/ldap.conf or /etc/ldap.conf 
 <pre> 
 host your.ldap.server 
 base ou=Your-Account-Container,dc=your,dc=domain,dc=components 
 scope sub 
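Review bot: the client fragment `host your.ldap.server` / `base ou=...` / `scope sub` configures a plain LDAP connection with no TLS directive at all. The PAM stack just above it (`auth sufficient /lib/security/pam_ldap.so`) authenticates by binding to the directory with the user's password (the page's stated assumption is uid/userPassword), so every IMAP login ships that password in cleartext from the Cyrus host to `your.ldap.server` unless the directory really is on the same machine. The step should either state that constraint or add `ssl start_tls` plus `tls_cacertfile` pointing at the directory's CA certificate (those are pam_ldap's directive names; OpenLDAP's own ldap.conf would instead take `URI ldaps://...` and `TLS_CACERT`), which is one more reason the /etc/openldap/ldap.conf-versus-/etc/ldap.conf question needs a clear answer, since the two files do not accept the same directives.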
@@ -24,18 +25,17 @@
 </pre> 
 * Ensure saslauthd and cyrus-imapd are set to start at boot time (chkconfig saslauthd on && chkconfig cyrus-imapd on). 
 * Start both services (service saslauthd start && service cyrus-imapd start). 
 * That's it - you can now create mailboxes, and auth to them using your LDAP accounts. 
-  
  
 !__Implementing__ [Cyrus] __2.1 on Debian Woody with an LDAP backend__ 
  
-This is the same as above, but implemented under Debian Woody instead. Again, make sure there is a cyrus user with a password you can use to run cyradmin  
+This is the same as above, but implemented under Debian Woody instead. Again, make sure there is a cyrus user with a password you can use to run cyradm.  
  
 Get the backported cyrus21 debs and dependencies from http://people.debian.org/~hmh/ or the cyrus21 debs from sid/unstable. 
  
-* install cyrus21-{admin,clients,common,docs,imapd,pop3d}  
-* install libsasl2-modules libsasl2 sasl2-bin 
+* Install cyrus21-{admin,clients,common,docs,imapd,pop3d}  
+* Install libsasl2-modules libsasl2 sasl2-bin 
 * Make sure /etc/sasldb2 is readable by group sasl. Pay attention to overrides (dpkg-statoverride)! 
 * Make sure user cyrus belongs to group sasl (cyrus21-common's install tries to do this automatically for you). 
 * __Note:__ if you are happy without LDAP authentication, you may skip to the cyradm section below. 
 * Edit /etc/cyrus.conf and check that the processes you want running are enabled 
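Review bot: `Make sure /etc/sasldb2 is readable by group sasl` says what to open up but not what to keep closed. sasldb2 holds the secrets that the shared-secret mechanisms (CRAM-MD5, DIGEST-MD5) need in recoverable form, so the target is root:sasl with mode 0640, not merely "group-readable". Suggest stating the mode explicitly, and since the same line warns about overrides without saying how to inspect them, naming `dpkg-statoverride --list /etc/sasldb2` as the way to see whether the package already pins different ownership or permissions.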
@@ -45,9 +45,9 @@
 <pre> 
 auth sufficient /lib/security/pam_ldap.so 
 account sufficient /lib/security/pam_ldap.so 
 </pre> 
-* Edit /etc/openldap /ldap.conf (SEE NOTE BELOW regarding /etc/openldap/ldap.conf vs. /etc/ldap.conf) and add the following lines: 
+* Edit /etc/ldap.conf (SEE NOTE BELOW regarding /etc/openldap/ldap.conf vs. /etc/ldap.conf) and add the following lines: 
 <pre> 
 host your.ldap.server 
 base ou=Your-Account-Container,dc=your,dc=domain,dc=components 
 scope sub 
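Review bot: the changed line now sends Debian Woody readers to `/etc/ldap.conf`, but the troubleshooting text added in this same revision says that on Debian pam_ldap reads `/etc/pam_ldap.conf` and is configured with `dpkg-reconfigure libpam-ldap`. The `host`/`base`/`scope` block exists only so that the `pam_ldap.so` lines two steps up can locate the directory, so this step should name the same file the troubleshooting section does (or say why Woody differs); as written, a reader following the steps in order edits one file and is told further down that a different one was needed.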
@@ -56,61 +56,70 @@
 * Ensure saslauthd and cyrus-imapd are set to start at boot time (update-rc.d cyrus21 defaults && update-rc.d saslauthd defaults) 
 * Start both services (/etc/init.d/saslauthd start && /etc/init.d/cyrus-imapd start). 
 * That's it - you can now create mailboxes, and auth to them using your LDAP accounts. 
  
-''There is a nasty bug regarding Cyrus and SASL on debian woody that can cause a lot of problems. You need to get the deb src, edit debian/rules and remove --with-cyrus-sasl, recompile, and reinstall. Note that this is a bug with cyrus and not ldap /sasl . -- TomHibbert''  
+Be warned: there is a nasty bug regarding Cyrus and SASL on Debian Woody that can cause a lot of problems. If you don't need it, you need to get the deb src, edit debian/rules and remove --with-cyrus-sasl, recompile, and reinstall. Note that this is a bug with cyrus and not LDAP /SASL .  
+  
+!! Troubleshooting  
+  
+!!Login failed: generic failure at /usr/lib/perl5/Cyrus/IMAP/Admin.pm line 118  
+  
+Also found in syslog:  
  
-----  
-<pre>  
-IMAP Password:  
-Login failed: generic failure at /usr/lib/perl5/Cyrus/IMAP/Admin.pm line 118  
-</pre>  
-In syslog:  
 <verbatim> 
 Oct 12 22:57:56 ''server'' perl: No worthy mechs found 
-Oct 12 22:57:57 ''server'' cyrus/imapd[''number'']:  
- cannot connect to saslauthd server: Permission denied 
+Oct 12 22:57:57 ''server'' cyrus/imapd[''number'']: cannot connect to saslauthd server: Permission denied 
 </verbatim> 
-''Another thing that tripped me up the second time around is the permissions on /var/run/saslauthd if you're using that as your auth mechanism - just make sure that cyrus can read it and all will be fine -- TomHibbert''  
-  
-''The best way to do this IMO is to make a sasl group on your system, make cyrus a member of this group, and give /var/run/saslauthd/ group +x permissions (only needs +x in order to be able to get into the dir, the actual socket on /var/run/saslauthd/mux is world +rwx anyway). This way, if you have other apps that use sasl, you just need to make them members of the sasl group as well and they can also read the socket. This is, AFAIK, the way the debian packages normally handle this -- DanielLawson''  
  
-''I slammed my head against this for some time before figuring out that even though openldap creates /etc /openldap /ldap .conf as it 's ldap client default configuration file , other programs aren 't looking for that file. They 're looking for /etc /ldap.conf. The additions listed above for /etc /openldap/ldap.conf should actually be added to /etc /ldap .conf I figured this out by setting the loglevel on openldap to -1 and watching the conversation while doing a cyradm --user cyrus localhost -- ~EugeneWood''  
+You need to make sure that Cyrus can read /var /run /saslauthd/mux . The best way to do this ( as done in Sarge and up) is to make a 'sasl' group on your system , make 'cyrus ' a member of this group, and set /var /run /saslauthd / group +x permissions (only needs +x in order to be able to get into the dir, the actual socket on /var/run /saslauthd /mux is world +rwx anyway) . This way, if you have other apps that use SASL, you just need to make them members of the sasl group as well and they can also read the socket.  
  
-''In Debian create file /etc/pam_ldap.conf with content as in /etc/openldap/ldap.conf - it gives configuration to pam_ldap module "  
+!! No worthy mechs found  
  
-''Here is what I was seeing in /var/log/messages Hopefully someone will catch this page from google with these terms -- ~EugeneWood''  
 <verbatim> 
  Sep 20 14:44:35 ''server'' perl: No worthy mechs found 
  Sep 20 14:44:37 ''server'' saslauthd[6341]: pam_ldap: ldap_search_s No such object 
  Sep 20 14:44:37 ''server'' saslauthd[6341]: do_auth : auth failure: [user=cyrus] 
  [service=imap] [realm=] [mech=pam] [reason=PAM auth error] 
 </verbatim> 
+  
+The LDAP client config file can be at either /etc/openldap/ldap.conf or /etc/ldap.conf. The additions listed above for /etc/openldap/ldap.conf should actually be added to /etc/ldap.conf. This was figured out by setting the loglevel on openldap to -1 and watching the conversation while doing a <tt>cyradm --user cyrus localhost</tt>.  
+  
+In Debian, the file is /etc/pam_ldap.conf with content as in /etc/openldap/ldap.conf. You should configure it with <tt>dpkg-reconfigure libpam-ldap</tt>.  
+  
+!! auth failure: ~[user=user] ~[service=imap] ~[realm=domain.co.nz] ~[mech=pam] ~[reason=PAM auth error]  
+  
+<verbatim>  
+Aug 24 15:01:49 vienne saslauthd[29787]: (pam_unix) check pass; user unknown  
+Aug 24 15:01:49 vienne saslauthd[29787]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  
+Aug 24 15:01:52 vienne saslauthd[29787]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module  
+Aug 24 15:01:52 vienne saslauthd[29787]: do_auth : auth failure: [user=craig] [service=imap] [realm=domain.co.nz] [mech=pam] [reason=PAM auth error]  
+</verbatim>  
+  
+You're using a new saslauthd, which by default, will present the user without the @domain.co.nz in it. This might break your virtual hosting setup. The fix is add -r to your saslauthd command line, which on Debian you can do in /etc/default/saslauthd with <tt>PARAMS="-r"</tt>.([Debian bug|http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248333])  
+  
+Note: see [LDAPNotes] for more information regarding LDAP under Debian.  
+  
 ---- 
-!!Recovering from accidental deletion of mailspool dir  
  
-If you have (stupidly - I did ths !) deleted the cyrus spool directory for a mailbox, you will find you are unable to easily remove the mailbox from the db - cyrus will always think it exists. While I have no reason to believe this will harm anything, it is not a pleasant state to leave things in. I fixed it like this: 
+!! Recovering from accidental deletion of mailspool dir  
+  
+ If you have (stupidly - I did this !) deleted the cyrus spool directory for a mailbox, you will find you are unable to easily remove the mailbox from the db - cyrus will always think it exists. While I have no reason to believe this will harm anything, it is not a pleasant state to leave things in. I fixed it like this: 
  
 # Copy an existing mailbox spool dir, being careful to preserve the permissions, and name it the same as the one you deleted. 
 # Su to the cyrus admin user (ie su cyrus) 
 # Run reconstruct -f nameofmailbox (eg /usr/lib/cyrus/bin/reconstruct -f user/mailbox@I.accidentally.trashed). 
 # Use the cyradm "sam" command to set the acls on the mailbox so the cyrus user has full rights to it 
 # NOW you can use dm to delete the mailbox. 
 # Don't do it again! ;) 
  
-----  
 !! Getting Sieve working with Cyrus2.1 on Debian Sarge 
  
 By Default Cyrus2.1 uses SASL2 based Authentication, which requires the installation of sasl2-bin, but doesn't install libsasl2-modules, which are required for sieve authentication. 
 Websieve login will fail without libsasl2-modules. 
-----  
-Note: see [LDAPNotes] for more information regarding LDAP under Debian  
-----  
  
-!! Setting cyrus to listen for lmtp deliver 
+!! Setting Cyrus to listen for [LMTP] deliver 
  
-Cyrus supports [LMTP] mail delivery - this is much more efficient than using a delivery program such as deliver, or using procmail. Edit /etc/cyrus.conf and add  
- a SERVICES entry similar to the following (it may already be enabled) 
+Cyrus supports [LMTP] mail delivery - this is much more efficient than using a delivery program such as deliver, or using procmail. Edit /etc/cyrus.conf and enable a SERVICES entry similar to the following (it may already be enabled) 
  
 <verbatim> 
  lmtp cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0 
 </verbatim> 
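Review bot: the reworded warning `+Be warned: there is a nasty bug ... If you don't need it, you need to get the deb src, edit debian/rules and remove --with-cyrus-sasl, recompile, and reinstall` is now self-contradictory: "it" has no referent, and a workaround the previous text applied unconditionally has become conditional on not needing an unnamed thing, while the bug itself still has no bug number or symptom a reader could match against. Suggest an unconditional sentence ("Rebuild from the deb source with --with-cyrus-sasl removed from debian/rules") together with what actually breaks, or dropping the paragraph. Also, in the new `+!! No worthy mechs found` section the example log keeps `saslauthd[6341]: pam_ldap: ldap_search_s No such object`, but the explanation below it only covers which ldap.conf to edit; it is worth saying that "No such object" is the directory reporting that the configured `base` DN does not exist, which is exactly why pointing pam_ldap at the wrong config file (or a mistyped base) produces that line.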
@@ -120,15 +129,14 @@
 <verbatim> 
  lmtpunix cmd="lmtpd -a" listen="/var/imap/socket/lmtp" prefork=0 
 </verbatim> 
  
-You can now set your MTA to deliver to cyrus via [LMTP], by specifying the appropriate address. You'll need to look at the notes for the MTA on how to do this , eg EximNotes, PostfixNotes  
+You can now set your MTA to deliver to Cyrus via [LMTP], by specifying the appropriate address. See [LMTPNotes] for more information , or EximNotes for connecting to Exim.  
  
-!! Delivering to Cyrus from procmail.  
+!! Delivering to Cyrus from procmail 
  
-If you happen to be using an MTA that doesn't support [LMTP] delivery, and you really have to use something like procmail to get the mail from the MTA into cyrus , then you MUST use the deliver program packaged with cyrus . Do not attempt to deliver directly into the cyrus mailspool. 
+If you happen to be using an MTA that doesn't support [LMTP] delivery, and you really have to use something like procmail to get the mail from the MTA into Cyrus , then you MUST use the __ deliver__ program packaged with Cyrus . Do not attempt to deliver directly into the Cyrus mailspool. 
  
-See ProcmailNotes for an example recipe snippet. Or upgrade your MTA to something like exim or postfix
+See ProcmailNotes for an example recipe snippet. Or upgrade your MTA to something like Exim or Postfix
  
 ---- 
-  
 CategoryMailNotes
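Review bot: `+You can now set your MTA to deliver to Cyrus via [LMTP], by specifying the appropriate address` should say which addresses are appropriate. Both SERVICES entries on this page run `lmtpd -a`, and `-a` pre-authorizes every connection, so the TCP listener is safe only while it stays on `127.0.0.1:lmtp`, and the `lmtpunix` socket at `/var/imap/socket/lmtp` only while the directory holding it is not reachable by untrusted local users. Binding a `-a` listener to a routable address lets anything that can reach the port deliver into any mailbox without authenticating. Suggest one sentence next to "the appropriate address" stating that constraint, and that a remote MTA should be given a separate listener without `-a` (which then requires SASL authentication) rather than the loopback one re-bound to an external interface.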