0002760: Auth fails for LDAP users via PAM

(0005118)
asmoore (reporter)
2008-01-31 18:17

Whose LDAP?

(0005119)
asmoore (reporter)
2008-01-31 18:20

Sorry, I meant to ask:
Whose ldap libraries?

(0005120)
laurent (developer)
2008-02-01 03:33

It\'s Solaris LDAP that are used by the system\'s PAM.
But I have to be clear, I have not configured Dovecot to use LDAP directly, and the version I built is not even linked with LDAP. I\'m only trying to use PAM here.

(0005123)
asmoore (reporter)
2008-02-03 09:45

Please test the dovecot_pam package at http://www.blastwave.org/testing [^] . It will be listed on the web page within the next hour or so.

You need to `pkgrm CSWdovecot`, download dovecot_pam for your architecture, gunzip the file and `pkgadd -d <filename>`

(0005124)
laurent (developer)
2008-02-04 04:12

I installed it, and a first test shows that a AM authenticated user now can log in. Thanks!

(0005125)
asmoore (reporter)
2008-02-04 06:47

For CSWdovecot-pam, I removed --with-ldap. Since you did not need --with-mysql, I removed that as well.

This proves that dovecot is doing something with the OpenLDAP linkage that breaks pam using Sun\'s ldap.

I do not know how to integrate CSWdovecot-pam within the blastwave packaging framework and rules/standards. I am working on it and may find an answer.

(0005126)
laurent (developer)
2008-02-04 07:26

FWIW, I\'d like to have both PAM and LDAP built in.
PAM is practical to make it work easily, however, we can\'t rule out switching to direct LDAP authentication in the future, while keeping any /etc/passwd account working.

(0005127)
asmoore (reporter)
2008-02-04 18:40

Yes, I have to keep OpenLDAP working with dovecot. I think that is a more typical way to setup virtual accounts.

I have used the current CSWdovecot package with pam and passwd/shadow accounts. It works fine.

(0005129)
laurent (developer)
2008-02-05 09:13

In my case, accounts are not completely virtual, some are really needed for login on the server, hence the need for PAM, at least now.

When you say it works, it means that you managed to have PAM work as expected using the unmodified Dovecot package? Could you show me a sample of your configuration files? In my case, I use the *same* configuration, and one binary works with PAM accounts, the other does not. Local accounts did work, though.

(0005130)
asmoore (reporter)
2008-02-05 18:37

Here is my /opt/csw/etc/dovecot.conf for passwd - files (not ldap). I removed the commented lines.

base_dir = /opt/csw/var/run/dovecot/
protocols = imap
shutdown_clients = yes
syslog_facility = mail
login_dir = /opt/csw/var/run/dovecot/login
login_chroot = yes
login_user = dovecot
login_process_per_connection = yes
login_processes_count = 3
login_max_processes_count = 128
login_max_connections = 256
default_mail_env = maildir:%h/Maildir:INDEX=/opt/csw/var/dovecot/indexes/%n
mail_full_filesystem_access = no
lock_method = fcntl
first_valid_uid = 100
last_valid_uid = 32766
mailbox_idle_check_interval = 30
protocol imap {
  login_executable = /opt/csw/libexec/dovecot/imap-login
  mail_executable = /opt/csw/libexec/dovecot/imap
}
auth_executable = /opt/csw/libexec/dovecot/dovecot-auth
auth_verbose = no
auth default {
  mechanisms = plain
  passdb pam {
    args = dovecot
  }
  userdb passwd {
  }
  user = root
}
plugin {
}

(0005147)
asmoore (reporter)
2008-02-24 11:05

Please see how this works for you. I have built dovecot twice and have only the one package available. I added /opt/csw/sbin/dovecot-pam.ldap to the package, as I think that this is all that is really needed. However, I have no way to test this. Packages are at http://www.blastwave.org/testing [^] for download and manual install.

Please confirm that this does or does not work for you. Here is the text that I added to README.CSW:
2008-02-24
If you are having trouble using pam with Solaris ldap naming services,
rename /opt/csw/sbin/dovecot to /opt/csw/sbin/dovecot.OFF and rename
/opt/csw/sbin/dovecot-pam.ldap to /opt/csw/sbin/dovecot and restart dovecot.

Thanks

(0005153)
laurent (developer)
2008-02-27 11:06

Sorry, I tried, but neither of them worked.

First did the pkgadd, I checked that the process had been restarted.
Then tried a login to a PAM LDAP account: it failed
Then did the following to replace the binary:
mv /opt/csw/sbin/dovecot /opt/csw/sbin/dovecot.OFF
mv /opt/csw/sbin/dovecot-pam.ldap /opt/csw/sbin/dovecot
svcadm restart cswdovecot
I checked it was restarted, tried the same login: failur again.

I removed the package, put back the previous testing one, and it worked again.

(0005155)
asmoore (reporter)
2008-02-28 06:46

Thanks for trying. Sorry, I do not know how to fix this, since I do not see how to merge the two packages and end up with two binaries that work differently.

(0005156)
laurent (developer)
2008-02-28 07:47

It sounds very much like there is a bug in Dovecot, though. LDAP and PAM should both work together. Can you send me the details of your build configuration? I can try to reproduce it and get it fixed by the Dovecot developer.

(0005158)
asmoore (reporter)
2008-02-29 06:55

I agree. To build, source the following options, source myconfigure (these are in a file), run gmake and gmake install.

I noticed the addtion of -lldap -llber to LDFLAGS. That may be carried over from an earlier dovecot release and not be needed anymore. To see if this is causing the problem, I did a build without \'-lldap -llber\' and put the package at http://www.blastwave.org/testing [^]

The update should be on the web page list within the half hour. Please test this package before going to Timo.

# \'compiler and linker flags\'
#!/usr/bin/sh
LD_OPTIONS=\'-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST\'
LDFLAGS=\'-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap -llber\'
CPPFLAGS=\'-I/opt/csw/include -I/opt/csw/mysql5/include/mysql\'
CFLAGS=\'-O -xarch=v8\'
export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS
CC=/opt/studio/SOS8/SUNWspro/bin/cc
CXX=/opt/studio/SOS8/SUNWspro/bin/CC
F77=/opt/studio/SOS8/SUNWspro/bin/f77
export CC CXX F77
PKG_CONFIG_PATH=/opt/csw/lib
export PKG_CONFIG_PATH

#!/usr/bin/sh
./configure \\
    --prefix=/opt/csw \\
    --mandir=/opt/csw/share/man \\
    --with-libiconv-prefix=/opt/csw \\
    --with-shadow \\
    --with-pam \\
    --with-ldap \\
    --with-ssl=openssl \\
    --with-ssldir=/opt/csw/ssl \\
    --with-mysql \\
    --enable-header-install \\
    --with-gssapi

(0005160)
laurent (developer)
2008-03-03 10:10

Still not working with the latest package, so it\'s now the compile road for me, hope I\'ll reproduce the problem, I\'d rather use the Blastwave package than my own.

(0005161)
laurent (developer)
2008-03-03 10:53

Only a sidenote, I\'ve just done the configure, against the same /opt/csw where the dovecot package and its dependencies were pulled.

I noted that the following is given to ./configure:
--with-gssapi

But it doesn\'t actually work:
Building with GSSAPI support ........ : no

(0005162)
laurent (developer)
2008-03-04 05:46

Okay, after more testing, the conclusion is that linking Dovecot against OpenLDAP breaks the PAM LDAP. When it\'s linked against Solaris LDAP libs, it works (I haven\'t tried using LDAP directly, though).
I built using your environment, against Blastwave libs, with very little changes.
I suppose it\'s some kind of LDAP function override by the OpenLDAP library at runtime.
So now the question is, is that something you can fix, or is it up to Timo? I\'d wager it\'s the latter, but I\'m not completely sure.

Compilation details:

First, using OpenLDAP:
export PATH=/usr/bin:/usr/sbin:/usr/ccs/bin:/opt/SUNWspro/bin

LD_OPTIONS=\'-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST\'
CPPFLAGS=\'-I/opt/csw/include -I/opt/csw/mysql5/include/mysql\'
LDFLAGS=\'-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap -llber\'

CFLAGS=\'-O -xarch=v8\'
export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS
CC=/opt/SUNWspro/bin/cc
CXX=/opt/SUNWspro/bin/CC
F77=/opt/SUNWspro/bin/f77
export CC CXX F77
PKG_CONFIG_PATH=/opt/csw/lib
export PKG_CONFIG_PATH

./configure \\
    --prefix=/usr/local/dovecot-1.0.10_test \\
    --mandir=/opt/csw/share/man \\
    --with-libiconv-prefix=/opt/csw \\
    --with-shadow \\
    --with-pam \\
    --with-ldap \\
    --with-mysql \\
    --with-ssl=openssl \\
    --with-ssldir=/opt/csw/ssl \\
    --enable-header-install \\
    --with-gssapi
make
make install

# ldd /usr/local/dovecot-1.0.10_test/sbin/dovecot
        libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0
        liblber-2.3.so.0 => /opt/csw/lib/sparcv8/liblber-2.3.so.0
        libsocket.so.1 => /lib/libsocket.so.1
        libnsl.so.1 => /lib/libnsl.so.1
        librt.so.1 => /lib/librt.so.1
        libsendfile.so.1 => /lib/libsendfile.so.1
        libc.so.1 => /lib/libc.so.1
        libresolv.so.2 => /lib/libresolv.so.2
        libgen.so.1 => /lib/libgen.so.1
        libnet.so => /opt/csw/lib/sparcv8/libnet.so
        libsasl2.so.2 => /opt/csw/lib/sparcv8/libsasl2.so.2
        libssl.so.0.9.8 => /opt/csw/lib/sparcv8plus+vis/libssl.so.0.9.8
        libcrypto.so.0.9.8 => /opt/csw/lib/sparcv8plus+vis/libcrypto.so.0.9.8 libmp.so.2 => /lib/libmp.so.2
        libmd5.so.1 => /lib/libmd5.so.1
        libscf.so.1 => /lib/libscf.so.1
        libaio.so.1 => /lib/libaio.so.1
        libdl.so.1 => /lib/libdl.so.1
        libdoor.so.1 => /lib/libdoor.so.1
        libuutil.so.1 => /lib/libuutil.so.1
        libm.so.2 => /lib/libm.so.2
        /platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
        /platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1

Then to use Sun LDAP, I removed the Blastwave OpenLDAP packages, and only -llber from the build environment:

pkgrm CSWoldapclient CSWoldaprt
export PATH=/usr/bin:/usr/sbin:/usr/ccs/bin:/opt/SUNWspro/bin

LD_OPTIONS=\'-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST\'
CPPFLAGS=\'-I/opt/csw/include -I/opt/csw/mysql5/include/mysql\'
LDFLAGS=\'-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap\'

CFLAGS=\'-O -xarch=v8\'
export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS
CC=/opt/SUNWspro/bin/cc
CXX=/opt/SUNWspro/bin/CC
F77=/opt/SUNWspro/bin/f77
export CC CXX F77
PKG_CONFIG_PATH=/opt/csw/lib
export PKG_CONFIG_PATH

./configure \\
    --prefix=/usr/local/dovecot-1.0.10_test_sunldap \\
    --mandir=/opt/csw/share/man \\
    --with-libiconv-prefix=/opt/csw \\
    --with-shadow \\
    --with-pam \\
    --with-ldap \\
    --with-mysql \\
    --with-ssl=openssl \\
    --with-ssldir=/opt/csw/ssl \\
    --enable-header-install \\
    --with-gssapi
make
make install

# ldd /usr/local/dovecot-1.0.10_test_sunldap/sbin/dovecot
        libldap.so.5 => /usr/lib/libldap.so.5
        libsocket.so.1 => /lib/libsocket.so.1
        libnsl.so.1 => /lib/libnsl.so.1
        librt.so.1 => /lib/librt.so.1
        libsendfile.so.1 => /lib/libsendfile.so.1
        libc.so.1 => /lib/libc.so.1
        libsasl.so.1 => /usr/lib/libsasl.so.1
        libmd5.so.1 => /lib/libmd5.so.1
        libnspr4.so => /usr/lib/mps/libnspr4.so
        libplc4.so => /usr/lib/mps/libplc4.so
        libnss3.so => /usr/lib/mps/libnss3.so
        libssl3.so => /usr/lib/mps/libssl3.so
        libmp.so.2 => /lib/libmp.so.2
        libscf.so.1 => /lib/libscf.so.1
        libaio.so.1 => /lib/libaio.so.1
        libpthread.so.1 => /lib/libpthread.so.1
        libthread.so.1 => /lib/libthread.so.1
        libdl.so.1 => /lib/libdl.so.1
        libsoftokn3.so => /usr/lib/mps/libsoftokn3.so
        libplds4.so => /usr/lib/mps/libplds4.so
        libdoor.so.1 => /lib/libdoor.so.1
        libuutil.so.1 => /lib/libuutil.so.1
        libgen.so.1 => /lib/libgen.so.1
        libbsm.so.1 => /lib/libbsm.so.1
        libsecdb.so.1 => /lib/libsecdb.so.1
        libtsol.so.2 => /lib/libtsol.so.2
        libcmd.so.1 => /lib/libcmd.so.1
        libm.so.2 => /lib/libm.so.2
        /platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
        /platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1
        /usr/lib/mps/cpu/sparcv8plus/libnspr_flt4.so

Each time, the dovecot binary was linked to /opt/csw/sbin/dovecot, and the cswdovecot service restarted, using always the same /opt/csw/etc/dovecot.conf file.

(0005163)
asmoore (reporter)
2008-03-04 07:16

I am not sure, but I doubt either of us can fix this. That is why I built dovecot-pam without OpenLDAP to prove that OpenLDAP bindings were the problem. The next package tried to determine which binary needed to be switched by adding /opt/csw/sbin/dovecot-pam for you to rename.

I do not mind building dovecot twice, but I need to have only one package since I cannot duplicate filenames across packages.

The best option is to determine which binaries needs to be switched. Assuming it is that simple. Let me make another package that includes some files to rename.

(0005177)
laurent (developer)
2008-03-07 10:42

The strange thing is, when you provided me with the testing package including two binaries, neither of them worked as I reported above, when the one without LDAP should have...

(0005178)
asmoore (reporter)
2008-03-07 18:02

Now I am confused. I have copied text from above for verification. This test was done with a dovecot package built without OpenLDAP at all.

------copied
-----------------------------------------------------------------------
laurent - 2008-02-04 04:12 EST
-----------------------------------------------------------------------
I installed it, and a first test shows that a AM authenticated user now can
log in. Thanks!

------end of copied text

If that package actually did Not work, then I am at a loss for what to do.

(0005179)
laurent (developer)
2008-03-10 11:33

I was referring to your message from 2008-02-24 11:05, in which you said:

====
I have built dovecot twice and have only the one package available. I added /opt/csw/sbin/dovecot-pam.ldap to the package, as I think that this is all that is really needed.
====

And *that* didn\'t work, as I pointed out below. I believe it might be because /opt/csw/libexec/dovecot binaries also contains references to libldap:

imap:
libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0

imap-login:
libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0

So including an alternative, OpenLDAP-free version doesn\'t seem to be that simple.

(0005181)
asmoore (reporter)
2008-03-10 19:06

Yes, I agree that the problem is all of the other files that still have the link to OpenLDAP.

One option is for me to create something like this. A core package dovecot_core which does not include any files from the following packages, then a dovecot bin package with OpenLDAP dovecot (the old one), and finally, a dovecot bin package without OpenLDAP that is named dovecot_pam. Both packages would depend on dovecot_core. dovecot_core would have no files linked with OpenLDAP.

This will make more sense when I have the install scripts correct. I started working on this a few days ago. When I am ready, I will let you know.

(0005185)
laurent (developer)
2008-03-11 05:23

Okay, sounds good, I\'ll try it as soon as it\'s ready!

(0005779)
skayser (administrator)
2009-03-29 13:11

CSWdovecot has a new maintainer and an updated dovecot version (1.1.11) has been published to current.

I have successfully tested this new package on Solaris 10 x86 with dovecot authenticating users directly against LDAP (Sun DS 6.3) as well as via PAM LDAP. Could you please verify that the updated package addresses your authentication problems also.

(0006097)
skayser (administrator)
2009-05-11 00:14

No feedback since last update, assuming problem is fixed. Feel free to re-open if necessary. Thanks for reporting in the first place.

Notes
(0005118) asmoore (reporter) 2008-01-31 18:17	Whose LDAP?

(0005119) asmoore (reporter) 2008-01-31 18:20	Sorry, I meant to ask: Whose ldap libraries?

(0005120) laurent (developer) 2008-02-01 03:33	It\'s Solaris LDAP that are used by the system\'s PAM. But I have to be clear, I have not configured Dovecot to use LDAP directly, and the version I built is not even linked with LDAP. I\'m only trying to use PAM here.

(0005123) asmoore (reporter) 2008-02-03 09:45	Please test the dovecot_pam package at http://www.blastwave.org/testing [^] . It will be listed on the web page within the next hour or so. You need to `pkgrm CSWdovecot`, download dovecot_pam for your architecture, gunzip the file and `pkgadd -d <filename>`

(0005124) laurent (developer) 2008-02-04 04:12	I installed it, and a first test shows that a AM authenticated user now can log in. Thanks!

(0005125) asmoore (reporter) 2008-02-04 06:47	For CSWdovecot-pam, I removed --with-ldap. Since you did not need --with-mysql, I removed that as well. This proves that dovecot is doing something with the OpenLDAP linkage that breaks pam using Sun\'s ldap. I do not know how to integrate CSWdovecot-pam within the blastwave packaging framework and rules/standards. I am working on it and may find an answer.

(0005126) laurent (developer) 2008-02-04 07:26	FWIW, I\'d like to have both PAM and LDAP built in. PAM is practical to make it work easily, however, we can\'t rule out switching to direct LDAP authentication in the future, while keeping any /etc/passwd account working.

(0005127) asmoore (reporter) 2008-02-04 18:40	Yes, I have to keep OpenLDAP working with dovecot. I think that is a more typical way to setup virtual accounts. I have used the current CSWdovecot package with pam and passwd/shadow accounts. It works fine.

(0005129) laurent (developer) 2008-02-05 09:13	In my case, accounts are not completely virtual, some are really needed for login on the server, hence the need for PAM, at least now. When you say it works, it means that you managed to have PAM work as expected using the unmodified Dovecot package? Could you show me a sample of your configuration files? In my case, I use the same configuration, and one binary works with PAM accounts, the other does not. Local accounts did work, though.

(0005130) asmoore (reporter) 2008-02-05 18:37	Here is my /opt/csw/etc/dovecot.conf for passwd - files (not ldap). I removed the commented lines. base_dir = /opt/csw/var/run/dovecot/ protocols = imap shutdown_clients = yes syslog_facility = mail login_dir = /opt/csw/var/run/dovecot/login login_chroot = yes login_user = dovecot login_process_per_connection = yes login_processes_count = 3 login_max_processes_count = 128 login_max_connections = 256 default_mail_env = maildir:%h/Maildir:INDEX=/opt/csw/var/dovecot/indexes/%n mail_full_filesystem_access = no lock_method = fcntl first_valid_uid = 100 last_valid_uid = 32766 mailbox_idle_check_interval = 30 protocol imap { login_executable = /opt/csw/libexec/dovecot/imap-login mail_executable = /opt/csw/libexec/dovecot/imap } auth_executable = /opt/csw/libexec/dovecot/dovecot-auth auth_verbose = no auth default { mechanisms = plain passdb pam { args = dovecot } userdb passwd { } user = root } plugin { }

(0005147) asmoore (reporter) 2008-02-24 11:05	Please see how this works for you. I have built dovecot twice and have only the one package available. I added /opt/csw/sbin/dovecot-pam.ldap to the package, as I think that this is all that is really needed. However, I have no way to test this. Packages are at http://www.blastwave.org/testing [^] for download and manual install. Please confirm that this does or does not work for you. Here is the text that I added to README.CSW: 2008-02-24 If you are having trouble using pam with Solaris ldap naming services, rename /opt/csw/sbin/dovecot to /opt/csw/sbin/dovecot.OFF and rename /opt/csw/sbin/dovecot-pam.ldap to /opt/csw/sbin/dovecot and restart dovecot. Thanks

(0005153) laurent (developer) 2008-02-27 11:06	Sorry, I tried, but neither of them worked. First did the pkgadd, I checked that the process had been restarted. Then tried a login to a PAM LDAP account: it failed Then did the following to replace the binary: mv /opt/csw/sbin/dovecot /opt/csw/sbin/dovecot.OFF mv /opt/csw/sbin/dovecot-pam.ldap /opt/csw/sbin/dovecot svcadm restart cswdovecot I checked it was restarted, tried the same login: failur again. I removed the package, put back the previous testing one, and it worked again.

(0005155) asmoore (reporter) 2008-02-28 06:46	Thanks for trying. Sorry, I do not know how to fix this, since I do not see how to merge the two packages and end up with two binaries that work differently.

(0005156) laurent (developer) 2008-02-28 07:47	It sounds very much like there is a bug in Dovecot, though. LDAP and PAM should both work together. Can you send me the details of your build configuration? I can try to reproduce it and get it fixed by the Dovecot developer.

(0005158) asmoore (reporter) 2008-02-29 06:55	I agree. To build, source the following options, source myconfigure (these are in a file), run gmake and gmake install. I noticed the addtion of -lldap -llber to LDFLAGS. That may be carried over from an earlier dovecot release and not be needed anymore. To see if this is causing the problem, I did a build without \'-lldap -llber\' and put the package at http://www.blastwave.org/testing [^] The update should be on the web page list within the half hour. Please test this package before going to Timo. # \'compiler and linker flags\' #!/usr/bin/sh LD_OPTIONS=\'-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST\' LDFLAGS=\'-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap -llber\' CPPFLAGS=\'-I/opt/csw/include -I/opt/csw/mysql5/include/mysql\' CFLAGS=\'-O -xarch=v8\' export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS CC=/opt/studio/SOS8/SUNWspro/bin/cc CXX=/opt/studio/SOS8/SUNWspro/bin/CC F77=/opt/studio/SOS8/SUNWspro/bin/f77 export CC CXX F77 PKG_CONFIG_PATH=/opt/csw/lib export PKG_CONFIG_PATH #!/usr/bin/sh ./configure \\ --prefix=/opt/csw \\ --mandir=/opt/csw/share/man \\ --with-libiconv-prefix=/opt/csw \\ --with-shadow \\ --with-pam \\ --with-ldap \\ --with-ssl=openssl \\ --with-ssldir=/opt/csw/ssl \\ --with-mysql \\ --enable-header-install \\ --with-gssapi

(0005160) laurent (developer) 2008-03-03 10:10	Still not working with the latest package, so it\'s now the compile road for me, hope I\'ll reproduce the problem, I\'d rather use the Blastwave package than my own.

(0005161) laurent (developer) 2008-03-03 10:53	Only a sidenote, I\'ve just done the configure, against the same /opt/csw where the dovecot package and its dependencies were pulled. I noted that the following is given to ./configure: --with-gssapi But it doesn\'t actually work: Building with GSSAPI support ........ : no

(0005162) laurent (developer) 2008-03-04 05:46	Okay, after more testing, the conclusion is that linking Dovecot against OpenLDAP breaks the PAM LDAP. When it\'s linked against Solaris LDAP libs, it works (I haven\'t tried using LDAP directly, though). I built using your environment, against Blastwave libs, with very little changes. I suppose it\'s some kind of LDAP function override by the OpenLDAP library at runtime. So now the question is, is that something you can fix, or is it up to Timo? I\'d wager it\'s the latter, but I\'m not completely sure. Compilation details: First, using OpenLDAP: export PATH=/usr/bin:/usr/sbin:/usr/ccs/bin:/opt/SUNWspro/bin LD_OPTIONS=\'-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST\' CPPFLAGS=\'-I/opt/csw/include -I/opt/csw/mysql5/include/mysql\' LDFLAGS=\'-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap -llber\' CFLAGS=\'-O -xarch=v8\' export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS CC=/opt/SUNWspro/bin/cc CXX=/opt/SUNWspro/bin/CC F77=/opt/SUNWspro/bin/f77 export CC CXX F77 PKG_CONFIG_PATH=/opt/csw/lib export PKG_CONFIG_PATH ./configure \\ --prefix=/usr/local/dovecot-1.0.10_test \\ --mandir=/opt/csw/share/man \\ --with-libiconv-prefix=/opt/csw \\ --with-shadow \\ --with-pam \\ --with-ldap \\ --with-mysql \\ --with-ssl=openssl \\ --with-ssldir=/opt/csw/ssl \\ --enable-header-install \\ --with-gssapi make make install # ldd /usr/local/dovecot-1.0.10_test/sbin/dovecot libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0 liblber-2.3.so.0 => /opt/csw/lib/sparcv8/liblber-2.3.so.0 libsocket.so.1 => /lib/libsocket.so.1 libnsl.so.1 => /lib/libnsl.so.1 librt.so.1 => /lib/librt.so.1 libsendfile.so.1 => /lib/libsendfile.so.1 libc.so.1 => /lib/libc.so.1 libresolv.so.2 => /lib/libresolv.so.2 libgen.so.1 => /lib/libgen.so.1 libnet.so => /opt/csw/lib/sparcv8/libnet.so libsasl2.so.2 => /opt/csw/lib/sparcv8/libsasl2.so.2 libssl.so.0.9.8 => /opt/csw/lib/sparcv8plus+vis/libssl.so.0.9.8 libcrypto.so.0.9.8 => /opt/csw/lib/sparcv8plus+vis/libcrypto.so.0.9.8 libmp.so.2 => /lib/libmp.so.2 libmd5.so.1 => /lib/libmd5.so.1 libscf.so.1 => /lib/libscf.so.1 libaio.so.1 => /lib/libaio.so.1 libdl.so.1 => /lib/libdl.so.1 libdoor.so.1 => /lib/libdoor.so.1 libuutil.so.1 => /lib/libuutil.so.1 libm.so.2 => /lib/libm.so.2 /platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1 /platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1 Then to use Sun LDAP, I removed the Blastwave OpenLDAP packages, and only -llber from the build environment: pkgrm CSWoldapclient CSWoldaprt export PATH=/usr/bin:/usr/sbin:/usr/ccs/bin:/opt/SUNWspro/bin LD_OPTIONS=\'-R/opt/csw/lib/$ISALIST:/opt/csw/mysql5/lib/mysql/$ISALIST\' CPPFLAGS=\'-I/opt/csw/include -I/opt/csw/mysql5/include/mysql\' LDFLAGS=\'-L/opt/csw/lib -L/opt/csw/mysql5/lib/mysql -lldap\' CFLAGS=\'-O -xarch=v8\' export LD_OPTIONS LDFLAGS CPPFLAGS CFLAGS CC=/opt/SUNWspro/bin/cc CXX=/opt/SUNWspro/bin/CC F77=/opt/SUNWspro/bin/f77 export CC CXX F77 PKG_CONFIG_PATH=/opt/csw/lib export PKG_CONFIG_PATH ./configure \\ --prefix=/usr/local/dovecot-1.0.10_test_sunldap \\ --mandir=/opt/csw/share/man \\ --with-libiconv-prefix=/opt/csw \\ --with-shadow \\ --with-pam \\ --with-ldap \\ --with-mysql \\ --with-ssl=openssl \\ --with-ssldir=/opt/csw/ssl \\ --enable-header-install \\ --with-gssapi make make install # ldd /usr/local/dovecot-1.0.10_test_sunldap/sbin/dovecot libldap.so.5 => /usr/lib/libldap.so.5 libsocket.so.1 => /lib/libsocket.so.1 libnsl.so.1 => /lib/libnsl.so.1 librt.so.1 => /lib/librt.so.1 libsendfile.so.1 => /lib/libsendfile.so.1 libc.so.1 => /lib/libc.so.1 libsasl.so.1 => /usr/lib/libsasl.so.1 libmd5.so.1 => /lib/libmd5.so.1 libnspr4.so => /usr/lib/mps/libnspr4.so libplc4.so => /usr/lib/mps/libplc4.so libnss3.so => /usr/lib/mps/libnss3.so libssl3.so => /usr/lib/mps/libssl3.so libmp.so.2 => /lib/libmp.so.2 libscf.so.1 => /lib/libscf.so.1 libaio.so.1 => /lib/libaio.so.1 libpthread.so.1 => /lib/libpthread.so.1 libthread.so.1 => /lib/libthread.so.1 libdl.so.1 => /lib/libdl.so.1 libsoftokn3.so => /usr/lib/mps/libsoftokn3.so libplds4.so => /usr/lib/mps/libplds4.so libdoor.so.1 => /lib/libdoor.so.1 libuutil.so.1 => /lib/libuutil.so.1 libgen.so.1 => /lib/libgen.so.1 libbsm.so.1 => /lib/libbsm.so.1 libsecdb.so.1 => /lib/libsecdb.so.1 libtsol.so.2 => /lib/libtsol.so.2 libcmd.so.1 => /lib/libcmd.so.1 libm.so.2 => /lib/libm.so.2 /platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1 /platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1 /usr/lib/mps/cpu/sparcv8plus/libnspr_flt4.so Each time, the dovecot binary was linked to /opt/csw/sbin/dovecot, and the cswdovecot service restarted, using always the same /opt/csw/etc/dovecot.conf file.

(0005163) asmoore (reporter) 2008-03-04 07:16	I am not sure, but I doubt either of us can fix this. That is why I built dovecot-pam without OpenLDAP to prove that OpenLDAP bindings were the problem. The next package tried to determine which binary needed to be switched by adding /opt/csw/sbin/dovecot-pam for you to rename. I do not mind building dovecot twice, but I need to have only one package since I cannot duplicate filenames across packages. The best option is to determine which binaries needs to be switched. Assuming it is that simple. Let me make another package that includes some files to rename.

(0005177) laurent (developer) 2008-03-07 10:42	The strange thing is, when you provided me with the testing package including two binaries, neither of them worked as I reported above, when the one without LDAP should have...

(0005178) asmoore (reporter) 2008-03-07 18:02	Now I am confused. I have copied text from above for verification. This test was done with a dovecot package built without OpenLDAP at all. ------copied ----------------------------------------------------------------------- laurent - 2008-02-04 04:12 EST ----------------------------------------------------------------------- I installed it, and a first test shows that a AM authenticated user now can log in. Thanks! ------end of copied text If that package actually did Not work, then I am at a loss for what to do.

(0005179) laurent (developer) 2008-03-10 11:33	I was referring to your message from 2008-02-24 11:05, in which you said: ==== I have built dovecot twice and have only the one package available. I added /opt/csw/sbin/dovecot-pam.ldap to the package, as I think that this is all that is really needed. ==== And that didn\'t work, as I pointed out below. I believe it might be because /opt/csw/libexec/dovecot binaries also contains references to libldap: imap: libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0 imap-login: libldap-2.3.so.0 => /opt/csw/lib/sparcv8/libldap-2.3.so.0 So including an alternative, OpenLDAP-free version doesn\'t seem to be that simple.

(0005181) asmoore (reporter) 2008-03-10 19:06	Yes, I agree that the problem is all of the other files that still have the link to OpenLDAP. One option is for me to create something like this. A core package dovecot_core which does not include any files from the following packages, then a dovecot bin package with OpenLDAP dovecot (the old one), and finally, a dovecot bin package without OpenLDAP that is named dovecot_pam. Both packages would depend on dovecot_core. dovecot_core would have no files linked with OpenLDAP. This will make more sense when I have the install scripts correct. I started working on this a few days ago. When I am ready, I will let you know.

(0005185) laurent (developer) 2008-03-11 05:23	Okay, sounds good, I\'ll try it as soon as it\'s ready!

(0005779) skayser (administrator) 2009-03-29 13:11	CSWdovecot has a new maintainer and an updated dovecot version (1.1.11) has been published to current. I have successfully tested this new package on Solaris 10 x86 with dovecot authenticating users directly against LDAP (Sun DS 6.3) as well as via PAM LDAP. Could you please verify that the updated package addresses your authentication problems also.

(0006097) skayser (administrator) 2009-05-11 00:14	No feedback since last update, assuming problem is fixed. Feel free to re-open if necessary. Thanks for reporting in the first place.

Relationships

OpenCSW Bug Tracker