postfix + ldap: cannot fetch mail in Outlook through courier-pop (solved)

This board is mainly for discussing Debian on the server side; there are many kinds of servers, such as Web Server, File Server, DHCP Server, and so on.

Moderator: 阿信


Post by kc19800322 » Mon May 12, 2008 4:37 pm

Hi everyone, I'd like to ask a question.
I have two PCs, both running Debian etch.

One PC has samba + openldap installed.
The other PC has postfix installed.

When postfix receives mail, it queries the LDAP server on the other PC for the user's information to do the authentication.
I use saslauthd to connect to LDAP, not PAM.
Sending and receiving mail on Linux works without any problem. Because I want to fetch mail with Outlook, I installed the packages courier-ldap, courier-imap, courier-pop and courier-base and configured the authldaprc file, but every time I fetch mail with Outlook it keeps asking me for the password, while sending mail works fine. I don't know what the cause is; could someone take a look for me?

authldaprc config file

#LDAP_URI ldaps://ldap.example.com, ldaps://backup.example.com
LDAP_URI ldap://10.0.88.50

##NAME: LDAP_PROTOCOL_VERSION:0
#
# Which version of LDAP protocol to use

LDAP_PROTOCOL_VERSION 3

##NAME: LDAP_BASEDN:0
#
# Look for authentication here:

LDAP_BASEDN ou=Users,dc=abc,dc=com,dc=tw

##NAME: LDAP_BINDDN:0
#
# You may or may not need to specify the following. Because you've got
# a password here, authldaprc should not be world-readable!!!

LDAP_BINDDN cn=admin,dc=abc,dc=com,dc=tw
LDAP_BINDPW q

##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search and connection

LDAP_TIMEOUT 5

##NAME: LDAP_AUTHBIND:0
#
# Define this to have the ldap server authenticate passwords. If LDAP_AUTHBIND
# the password is validated by rebinding with the supplied userid and password.
# If rebind succeeds, this is considered to be an authenticated request. This
# does not support CRAM-MD5 authentication, which requires clearPassword.
# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
# the credentials of the user themselves, not LDAP_BINDDN/BINDPW
#
#LDAP_AUTHBIND 1

##NAME: LDAP_MAIL:0
#
# Here's the field on which we query

LDAP_MAIL uid

##NAME: LDAP_FILTER:0
#
# This LDAP filter will be ANDed with the query for the field defined above
# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
# defined to be "(objectClass=CourierMailAccount)" the query that is performed
# will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
#
LDAP_FILTER (objectClass=inetOrgPerson)

##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly specified.
#
# LDAP_DOMAIN agb.com.tw

##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts
# The values can be usernames or userids:
#
LDAP_GLOB_UID vmail
LDAP_GLOB_GID vmail

##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it

LDAP_HOMEDIR uid

##NAME: LDAP_MAILROOT:0
#
# If homeDirectory is not an absolute path, define the root of the
# relative paths in LDAP_MAILROOT
#
LDAP_MAILROOT /var/vmail

##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory. If not specified, ./Maildir will be used

LDAP_MAILDIR .

##NAME: LDAP_DEFAULTDELIVERY:0
#
# Courier mail server only: optional attribute specifies custom mail delivery
# instructions for this account (if defined) -- essentially overrides
# DEFAULTDELIVERY from ${sysconfdir}/courierd

LDAP_DEFAULTDELIVERY defaultDelivery

##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
# LDAP_MAILDIRQUOTA quota


##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name

LDAP_FULLNAME cn

##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password. CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!

LDAP_CLEARPW clearPassword
LDAP_CRYPTPW userPassword

##NAME: LDAP_IDS:0
#
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids. Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
#LDAP_UID uidNumber
#LDAP_GID gidNumber


##NAME: LDAP_AUXOPTIONS:0
#
# Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
# comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
# attributes that define various per-account "options", as given in
# INSTALL's description of the OPTIONS setting.
#
# Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
# the attribute value gets placed in the OPTIONS variable, with the name
# NAME. For example:
#
# LDAP_AUXOPTIONS shared=sharedgroup,disableimap=disableimap
#
# Then, if an LDAP record contains the following attributes:
#
# shared: domain1
# disableimap: 0
#
# Then authldap will initialize OPTIONS to #"sharedgroup=domain1,disableimap=0"
#
# NOTE: ** no spaces in this setting **, the above example has exactly
# one tab character after LDAP_AUXOPTIONS


##NAME: LDAP_ENUMERATE_FILTER:0
#
# {EXPERIMENTAL}
# Optional custom filter used when enumerating accounts for authenumerate,
# in order to compile a list of accounts for shared folders. If present,
# this filter will be used instead of LDAP_FILTER.
#
# LDAP_ENUMERATE_FILTER #(&(objectClass=CourierMailAccount)(!(disableshared=1)))


##NAME: LDAP_DEREF:0
#
# Determines how aliases are handled during a search. This option is available
# only with OpenLDAP 2.0
#
# LDAP_DEREF can be one of the following values:
# never, searching, finding, always. If not specified, aliases are
# never dereferenced.

LDAP_DEREF never

##NAME: LDAP_TLS:0
#
# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
# when the server accepts a normal LDAP connection on port 389 which
# the client then requests 'upgrading' to TLS, and is equivalent to the
# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
# set this option.
#
# For additional LDAP-related options, see the authdaemonrc config file.

LDAP_TLS 0

I haven't posted the imap and pop config files for now, since they would make the post too long and I haven't touched those two files at all.

Error messages

May 12 16:32:42 mail courierpop3login: Connection, ip=[::ffff:10.0.88.51]
May 12 16:32:42 mail authdaemond: received auth request, service=pop3, authtype=login
May 12 16:32:42 mail authdaemond: authldap: trying this module
May 12 16:32:42 mail authdaemond: using search filter: (&(objectClass=inetOrgPerson)(uid=jc))
May 12 16:32:42 mail authdaemond: one entry returned, DN: uid=jc,ou=Users,dc=abc,dc=com,dc=tw
May 12 16:32:42 mail authdaemond: raw ldap entry returned:
May 12 16:32:42 mail authdaemond: | cn: jc
May 12 16:32:42 mail authdaemond: | uid: jc
May 12 16:32:42 mail authdaemond: | userPassword: {MD5}dpT0pmMW5TyM3Z2ZVL1hHQ==
May 12 16:32:42 mail authdaemond: authldaplib: refuse to authenticate jc: uid=0, gid=0 (zero uid or gid not permitted)
May 12 16:32:42 mail authdaemond: authldaplib: sysusername=<null>, sysuserid=0, sysgroupid=0, homedir=jc, address=jc, fullname=jc, maildir=<null>, quota=<null>, options=<null>
May 12 16:32:42 mail authdaemond: authldaplib: clearpasswd=<null>, passwd={MD5}dpT0pmMW5TyM3Z2ZVL1hHQ==
May 12 16:32:42 mail authdaemond: password matches successfully
May 12 16:32:42 mail authdaemond: authldap: TEMPFAIL - no more modules will be tried
May 12 16:32:42 mail courierpop3login: LOGIN FAILED, user=jc, ip=[::ffff:10.0.88.51]
May 12 16:32:42 mail courierpop3login: authentication error: Input/output error
Last edited by kc19800322 on Fri Jul 25, 2008 9:49 am, edited 1 time in total.
kc19800322
Cute elementary-school pupil

Posts: 41
Joined: Fri May 02, 2008 1:49 pm

Post by Guest » Mon May 12, 2008 5:19 pm

May 12 16:32:42 mail authdaemond: authldaplib: refuse to authenticate jc: uid=0, gid=0 (zero uid or gid not permitted)
Guest

Post by kc19800322 » Tue May 13, 2008 8:31 pm

Hi everyone, I modified authldaprc again and uncommented the following two lines:
LDAP_UID uidNumber
LDAP_GID gidNumber
Now I no longer get authldaplib: refuse to authenticate jc: uid=0, gid=0 (zero uid or gid not permitted)

But I get a different error message instead; could someone take a look? Thanks!

Error messages

May 13 20:28:56 mail courierpop3login: Connection, ip=[::ffff:10.0.88.51]
May 13 20:28:56 mail authdaemond: received auth request, service=pop3, authtype=login
May 13 20:28:56 mail authdaemond: authldap: trying this module
May 13 20:28:56 mail authdaemond: using search filter: (&(objectClass=inetOrgPerson)(uid=jc))
May 13 20:28:56 mail authdaemond: one entry returned, DN: uid=jc,ou=Users,dc=abc,dc=com,dc=tw
May 13 20:28:56 mail authdaemond: raw ldap entry returned:
May 13 20:28:56 mail authdaemond: | cn: jc
May 13 20:28:56 mail authdaemond: | uid: jc
May 13 20:28:56 mail authdaemond: | uidNumber: 1000
May 13 20:28:56 mail authdaemond: | gidNumber: 513
May 13 20:28:56 mail courierpop3login: jc: chdir(jc) failed!!
May 13 20:28:56 mail courierpop3login: error: No such file or directory
May 13 20:28:56 mail courierpop3login: LOGIN FAILED, user=jc, ip=[::ffff:10.0.88.51]
May 13 20:28:56 mail courierpop3login: authentication error: No such file or directory
May 13 20:28:56 mail authdaemond: | userPassword: {MD5}dpT0pmMW5TyM3Z2ZVL1hHQ==
May 13 20:28:56 mail authdaemond: authldaplib: sysusername=<null>, sysuserid=1000, sysgroupid=513, homedir=jc, address=jc, fullname=jc, maildir=<null>, quota=<null>, options=<null>
May 13 20:28:56 mail authdaemond: authldaplib: clearpasswd=<null>, passwd={MD5}dpT0pmMW5TyM3Z2ZVL1hHQ==
May 13 20:28:56 mail authdaemond: password matches successfully
May 13 20:28:56 mail authdaemond: Authenticated: sysusername=<null>, sysuserid=1000, sysgroupid=513, homedir=jc, address=jc, fullname=jc, maildir=<null>, quota=<null>, options=<null>
May 13 20:28:56 mail authdaemond: Authenticated: clearpasswd=q, passwd={MD5}dpT0pmMW5TyM3Z2ZVL1hHQ==
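The two failing sessions above (the zero uid/gid refusal in the first post and the chdir failure in this one) are easiest to read when the log is grouped per POP3 connection. The following Python script is an added example, not code from the thread or from Courier: it splits courierpop3login/authdaemond lines into sessions and names the cause of each failure. The sample log is constructed from the lines quoted in the thread plus one constructed successful login (the "LOGIN, user=..." line, which does not appear in the thread); the function names and the HINTS text are this example's own.

```python
import re

# Constructed sample log: the thread's two failing sessions, followed by one
# constructed successful login so the happy path is visible too.
SAMPLE_LOG = """\
May 12 16:32:42 mail courierpop3login: Connection, ip=[::ffff:10.0.88.51]
May 12 16:32:42 mail authdaemond: received auth request, service=pop3, authtype=login
May 12 16:32:42 mail authdaemond: authldaplib: refuse to authenticate jc: uid=0, gid=0 (zero uid or gid not permitted)
May 12 16:32:42 mail authdaemond: password matches successfully
May 12 16:32:42 mail authdaemond: authldap: TEMPFAIL - no more modules will be tried
May 12 16:32:42 mail courierpop3login: LOGIN FAILED, user=jc, ip=[::ffff:10.0.88.51]
May 12 16:32:42 mail courierpop3login: authentication error: Input/output error
May 13 20:28:56 mail courierpop3login: Connection, ip=[::ffff:10.0.88.51]
May 13 20:28:56 mail authdaemond: received auth request, service=pop3, authtype=login
May 13 20:28:56 mail authdaemond: | uidNumber: 1000
May 13 20:28:56 mail authdaemond: | gidNumber: 513
May 13 20:28:56 mail courierpop3login: jc: chdir(jc) failed!!
May 13 20:28:56 mail courierpop3login: error: No such file or directory
May 13 20:28:56 mail courierpop3login: LOGIN FAILED, user=jc, ip=[::ffff:10.0.88.51]
May 13 20:28:56 mail authdaemond: password matches successfully
May 14 09:00:00 mail courierpop3login: Connection, ip=[::ffff:10.0.88.51]
May 14 09:00:00 mail authdaemond: received auth request, service=pop3, authtype=login
May 14 09:00:00 mail authdaemond: password matches successfully
May 14 09:00:00 mail courierpop3login: LOGIN, user=jc, ip=[::ffff:10.0.88.51]
"""

CONNECT_RE = re.compile(r"courierpop3login: Connection, ip=\[(?P<ip>[^\]]+)\]")
RESULT_RE = re.compile(r"courierpop3login: LOGIN(?P<failed> FAILED)?, user=(?P<user>\S+), ip=")
CHDIR_RE = re.compile(r"courierpop3login: \S+: chdir\((?P<dir>[^)]*)\) failed")
ZERO_ID_RE = re.compile(r"zero uid or gid not permitted")
PASSWORD_OK_RE = re.compile(r"password matches successfully")

# Hypothetical hint text mapping each failure signature to the authldaprc
# setting that produces it (this example's own wording).
HINTS = {
    "zero_uid_gid": "LDAP_UID/LDAP_GID (or LDAP_GLOB_UID/LDAP_GLOB_GID) resolve to 0; "
                    "point them at a real non-root account",
    "homedir_missing": "LDAP_HOMEDIR joined to LDAP_MAILROOT is not an existing directory",
    "credentials": "lookup or password failed; check LDAP_FILTER, LDAP_MAIL and the stored hash",
}


def split_sessions(text):
    """Group lines into one list per POP3 connection; a 'Connection, ip=' line opens a session."""
    sessions = []
    for line in text.splitlines():
        if CONNECT_RE.search(line):
            sessions.append([line])
        elif sessions:
            sessions[-1].append(line)
    return sessions


def classify_session(lines):
    """Describe one login attempt: who, from where, outcome, and why it failed."""
    ip = CONNECT_RE.search(lines[0]).group("ip")
    user = None
    outcome = "incomplete"  # no LOGIN / LOGIN FAILED line seen yet
    reason = None
    password_ok = any(PASSWORD_OK_RE.search(l) for l in lines)
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            user = m.group("user")
            outcome = "failed" if m.group("failed") else "success"
        if ZERO_ID_RE.search(line):
            reason = "zero_uid_gid"
        elif CHDIR_RE.search(line) and reason is None:
            reason = "homedir_missing"
    if outcome == "failed" and reason is None:
        reason = "credentials"
    return {"ip": ip, "user": user, "outcome": outcome,
            "password_ok": password_ok, "reason": reason, "hint": HINTS.get(reason)}


def classify_log(text):
    return [classify_session(s) for s in split_sessions(text)]


if __name__ == "__main__":
    for result in classify_log(SAMPLE_LOG):
        print(result)
```

Both failing sessions carry "password matches successfully", which is exactly why Outlook keeps re-prompting: the credentials are accepted and the login still fails on account setup (system uid/gid, then the home directory under LDAP_MAILROOT). Grouping by line order is only reliable when one client connects at a time, since these lines carry no per-process id. Note also that the quoted logs print clearpasswd=q: authdaemond logs passwords when DEBUG_LOGIN is set to 2 in authdaemonrc, so lower it again once the fault is found, and treat the pasted bind password and user password as exposed.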

Post by Guest » Wed May 14, 2008 1:51 am

May 13 20:28:56 mail courierpop3login: jc: chdir(jc) failed!!
May 13 20:28:56 mail courierpop3login: error: No such file or directory
May 13 20:28:56 mail courierpop3login: LOGIN FAILED, user=jc, ip=[::ffff:10.0.88.51]
May 13 20:28:56 mail courierpop3login: authentication error: No such file or directory

Post by kc19800322 » Wed May 14, 2008 9:56 am

Dear Guest:
I don't understand what chdir(jc) failed means. Does it mean the location where the mail is stored can't be found? I don't know where to configure this; could you tell me?


Post by kc19800322 » Wed May 14, 2008 7:39 pm

Dear Guest:
I went and looked at that URL, but I still don't quite understand. Could you give me a few more hints?
Thanks!

Post by kc19800322 » Thu May 22, 2008 11:24 am

Hi everyone, I've now switched to PAM for authenticating against LDAP, and I'm using Dovecot-pop3d with the Maildir format for POP3.
Fetching mail with Outlook still doesn't work; it looks like a permissions problem.

-rw------- 1 dovecot Domain Users 1060 2008-05-21 20:19 1211372377.V304I128018M548
The account I log in with is jc, but the owner of the mail file is dovecot, which is why the following message appears:

May 21 21:00:50 mail dovecot: POP3(jc): open(/home/jc/cur/1211372377.V304I128018M548444.mail:2,) failed: Permission denied

Where in dovecot.conf can I set the default permissions for incoming mail, or specify the user or group used to fetch mail? Please help!

This postfix setting specifies the uid and gid for mail:

virtual_alias_maps = ldap:accounts,ldap:aliases
virtual_mailbox_base =/home/
virtual_mailbox_maps = ldap:mailbox
#virtual_transport = maildrop
virtual_uid_maps = static:107
virtual_gid_maps = static:513

This is the Dovecot config file; to save space I'm only posting the parts I changed:

protocols = imap pop3
listen = *
disable_plaintext_auth = no
mail_location = maildir:~/
##
## POP3 specific settings
##

protocol pop3 {
# Login executable location.
login_executable = /usr/lib/dovecot/pop3-login
pop3_uidl_format = %08Xu%08Xv
}
passdb pam {
args = session=yes *
# args = cache_key=%u dovecot
#args = dovecot
}
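The Permission denied in the post above comes from two uids disagreeing: Postfix delivers as uid 107 (virtual_uid_maps = static:107, the dovecot user) while the PAM login gives jc his own uidNumber 1000, so Dovecot opens a mode 600 file owned by someone else. The following shell script is an added example, not from the thread or from Dovecot: it lists every file in a Maildir that the login user does not own or cannot read and write, using a constructed Maildir owned by the current user for the demonstration. The layout assumed is the thread's (mail_location = maildir:~/, so the home directory is the Maildir); the function names are this example's own.

```sh
#!/bin/sh
# Added example: audit a Maildir for files the login user cannot read.
# Assumes the thread's layout, mail_location = maildir:~/ (home dir == Maildir).

# check_maildir_owner MAILDIR USER
# Prints every regular file under MAILDIR that is not owned by USER or is not
# at least mode 600 for its owner. Returns 0 if none, 1 if any were found,
# 2 if find itself failed (unknown user, missing directory).
check_maildir_owner() {
    maildir=$1
    user=$2
    bad=$(find "$maildir" -type f \( ! -user "$user" -o ! -perm -600 \)) || return 2
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# demo_maildir: build a constructed Maildir in a temp directory, owned by the
# current user, with one message named like the file in the post above.
demo_maildir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/new" "$dir/cur" "$dir/tmp"
    printf 'From: test\nSubject: hi\n\nhello\n' > "$dir/cur/1211372377.V304I128018M548444.mail:2,"
    chmod 600 "$dir/cur/1211372377.V304I128018M548444.mail:2,"
    printf '%s\n' "$dir"
}

# Usage on the constructed Maildir. On the real box the call would be:
#   check_maildir_owner /home/jc jc
d=$(demo_maildir)
check_maildir_owner "$d" "$(id -un)" && echo "all files in $d are owned and readable by $(id -un)"
rm -rf "$d"
```

Anything the check prints is a file Dovecot will refuse with Permission denied. The fix is to make the delivering uid and the login uid agree: either map the Postfix virtual uid to the user's own uidNumber, or log in as the uid that owns the mail.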

Post by kc19800322 » Tue Jun 03, 2008 4:41 pm

Hi everyone, my problem is more or less solved.
In main.cf I pointed to a file A, and in file A I set up the mapping between username and uid,
then let postfix look the mapping up there!
The drawback is that every time you add a user you have to add a mapping to file A, which is a bit of a hassle!
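As an added example of what "file A" looks like (the thread does not show the poster's actual file, so the path, the address and the uid below are assumed values): a Postfix hash table used for virtual_uid_maps in place of the earlier static:107. Postfix looks up virtual_uid_maps by the full recipient address, not by the bare username, and the value is the uid that must own that user's Maildir.

```text
# /etc/postfix/main.cf (assumed path; only the lines that change)
virtual_mailbox_base = /home/
virtual_mailbox_maps = ldap:mailbox
virtual_uid_maps = hash:/etc/postfix/virtual_uids
virtual_gid_maps = static:513

# /etc/postfix/virtual_uids (assumed path); rebuild the .db after every edit with:
#   postmap /etc/postfix/virtual_uids
# key: recipient address (domain assumed from the LDAP base dc=abc,dc=com,dc=tw)
# value: the user's uidNumber from LDAP, so delivery and the PAM login share one uid
jc@abc.com.tw    1000
```

The per-user maintenance the post mentions goes away if virtual_uid_maps is itself an ldap: table whose result_attribute is uidNumber, since Postfix then reads the same uid that the PAM login already uses.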

