Difference between revisions of "HowTos/Using OpenLDAP for password management"

From Scalix Wiki

Latest revision as of 06:04, 4 August 2008

Installing OpenLDAP

The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.

The references to scalix.com in this how-to should be replaced with your domain information!

Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also _change_ their passwords.

First, make sure you have OpenLDAP installed, and make doubly sure you also have pam_ldap installed; they are separate packages. Once you have installed OpenLDAP, let's go ahead and configure a basic server:

Open /etc/openldap/slapd.conf and make sure

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema

are included.

Next, change the suffix for your local install:

suffix          "dc=scalix,dc=com"
rootdn          "cn=Manager,dc=scalix,dc=com"
rootpw  {SSHA}W6c7QR3NJQteNRuvuWhLsbfoFXXM08Kh
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial

To allow each user to change his own password from Microsoft Outlook or SWA interface, also add:

access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to *
        by self write
        by * none

How do you generate the SHA password? Easy, use the slappasswd command:

/usr/sbin/slappasswd

or this perl script:

#!/usr/bin/perl
# ssha.pl: print an OpenLDAP {SSHA} hash of the password given on the command line.
# Note: this script uses the fixed salt "salt", so identical passwords produce identical
# hashes; slappasswd draws a random salt per password, which is preferable.
use strict;
use warnings;
use Digest::SHA1;
use MIME::Base64;

if (!defined $ARGV[0] || $ARGV[0] eq "") {
    print STDERR "usage: ssha.pl PASSWORD\n";
    exit 1;
}
my $salt = 'salt';
my $pass = Digest::SHA1->new;
$pass->add($ARGV[0]);
$pass->add($salt);
# {SSHA} layout: base64( SHA1(password . salt) . salt ), salt appended in the clear
print '{SSHA}' . encode_base64($pass->digest . $salt, '') . "\n";
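As an added example (not part of the original how-to), the same {SSHA} construction in Python together with the verification step the Perl script lacks: it splits a userPassword value into digest and salt, recovers the salt, and checks a candidate password in constant time. PAGE_HASH is the value from the load.ldif further down (its password is not on the page); make_ssha defaults to a random salt, as slappasswd does, and accepts salt=b"salt" to reproduce the fixed-salt script.

```python
"""Generate and verify OpenLDAP {SSHA} userPassword values.

Layout: "{SSHA}" + base64( SHA1(password + salt) + salt ). The salt is stored in the
clear after the 20-byte digest so that a verifier can recompute the hash.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20  # bytes

# userPassword value from the how-to's load.ldif; the password itself is not on the page.
PAGE_HASH = "{SSHA}yI6cZwQadOA1e+/f+T+H3eCQQhRzYWx0"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value. With salt=None an 8-byte random salt is drawn (what
    slappasswd does); pass salt=b"salt" to reproduce the page's fixed-salt Perl script."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); raise ValueError if malformed."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short for a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(value: str, password: str) -> bool:
    """Recompute SHA1(password + stored salt) and compare it to the stored digest
    in constant time, so timing does not leak how many bytes matched."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("salt stored in the page's hash:", split_ssha(PAGE_HASH)[1])
    fresh = make_ssha("example-password")
    print(fresh, verify_ssha(fresh, "example-password"))
```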

OK, so once this basic configuration is done, we can start the OpenLDAP server using

rcldap start

or

service ldap start

If the slapd.conf file was edited correctly, OpenLDAP should now be running. To verify the domain was entered correctly, execute the following command:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

That should output the following:

#
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=scalix,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

where the namingContexts should contain your domain.

Next, create a file called load.ldif for importing. The references to scalix.com should be replaced with your domain information. In addition, you'll need to change the user information for Helmut Kohl to valid information for one of your users.

Try this ldif file:

dn: dc=scalix,dc=com
dc: scalix
objectClass: top
objectClass: domain

dn: ou=People,dc=scalix,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=hkohl, ou=people, dc=scalix, dc=com
objectclass: top
objectclass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: hkohl
userPassword: {SSHA}yI6cZwQadOA1e+/f+T+H3eCQQhRzYWx0
cn: Helmut Kohl
sn: Kohl
gn: Helmut

Now, import the initial .ldif file using the ldapadd command:

ldapadd -x -D "cn=Manager,dc=scalix,dc=com" -W -f load.ldif

Next, perform an ldapsearch, to verify that the user was imported.

ldapsearch -xh pdxsrv.scalix.com -b dc=scalix,dc=com

The output should yield the ldap entry loaded above. You now have one user loaded in OpenLDAP with whatever password you chose. If the user is not already in Scalix, you should add it now. The Scalix Authentication ID needs to match the LDAP uid field. To add the user to Scalix, use the omaddu command as follows:

omaddu -n "Helmut Kohl/mailnode" -p password hkohl

If the user already exists in Scalix, you can verify the Authentication ID using the omshowu command:

omshowu -n "Helmut Kohl/mailnode"

the output will look something like:

pdxsrv01:/var/opt/scalix/sys/pam.d # omshowu "Helmut Kohl"
Authentication ID: hkohl
User Name : Helmut Kohl /CN=Helmut Kohl
MailNode : pdxsrv01
Internet Address : "Helmut Kohl" <Helmut.Kohl@scalix.com>
System Login : 60535
Password : set
Admin Capabilities : NO
Mailbox Admin Capabilities : NO
Language : C
Virtual Vault : Enabled (default)
Mail Account: Unlocked
Last Signon : 02.10.06 11:13:50
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidying : NO
User Class : Limited
pdxsrv01:/var/opt/scalix/sys/pam.d #

If the Authentication ID is not the same as the uid, you will need to use the ommodu command to change it:

ommodu -o "Helmut Kohl/mailnode" -authid hkohl

Configuring PAM

On your Scalix server you will need to edit /etc/ldap.conf to configure pam_ldap. Edit the file and change the following entries (note that binddn/bindpw are the directory manager's credentials stored in clear text, so keep the file readable by root only):

# Your LDAP server. Must be resolvable without using LDAP.
host pdxsrv.scalix.com

# The distinguished name of the search base.
base dc=scalix,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=scalix,dc=com

# The credentials to bind with.
# Optional: default is no credential.
bindpw password

It is important that, if you do not have SSL configured for your LDAP server, you also disable it in ldap.conf; otherwise pam_ldap will try to negotiate TLS and no LDAP traffic will get through (see "Common issues with SSL" below):

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

Configuring Scalix

Here are the Scalix files that you will need to change for a typical SWA / Outlook setup. Create any that do not exist.

/var/opt/scalix/sys/om_ldap.conf
/var/opt/scalix/sys/pam.d/ual.remote
/var/opt/scalix/sys/pam.d/pamcheck
/var/opt/scalix/sys/pam.d/smtpd.auth
/var/opt/scalix/sys/pam.d/pop3
/var/opt/scalix/sys/pam.d/omslapdeng

Typically, all files should have the same contents, with the exception of om_ldap.conf and pamcheck:

auth    required om_om2authid
auth    sufficient /lib/security/pam_ldap.so ignore_unknown_user
auth    sufficient om_auth use_first_pass
auth required pam_deny
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_auth preauth
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

/var/opt/scalix/sys/om_ldap.conf contains the OpenLDAP configuration data, e.g.:

host=pdxsrv.scalix.com
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s
tls=off

The "tls=off" setting is important; we will come back to it under "Common issues with SSL".

sxpamauth

Next, cd to /var/opt/scalix/sys/pam.d and edit pamcheck:

auth required om_debug
account required om_debug
session required om_debug
password required om_debug
auth    required om_om2authid
auth    required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

This configuration will allow you to use both Scalix password authentication and LDAP password authentication. Additionally, it gives you error logging that is helpful when tracking down configuration mistakes.

NOTE: this variant is not fully tested.
If you want to use only OpenLDAP authentication for POP3 access, remove these lines

auth    sufficient om_auth use_first_pass
account sufficient om_auth

from pop3, and the line

auth    sufficient om_auth use_first_pass

from ual.remote.

Ensure that the file /lib/security/pam_ldap.so exists. If it doesn't, you forgot to install the pam_ldap and/or nss_ldap package as mentioned at the top.

OK, once you have edited all configuration files, restart the server using

omshut
omrc

After the server has come back up, try connecting with a client, or use sxpamauth to check authentication. pamcheck is used in conjunction with sxpamauth, a debugging tool that is also new in Scalix 10:

pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()

Authenticated
pdxsrv01:/var/opt/scalix/sys/pam.d #

For MAPI and IMAP users, copy pamcheck over ual.remote and make sure both files contain the same configuration as above.

sxpampasswd

The companion to sxpamauth is sxpampasswd. This utility lets you change a user's password through LDAP, e.g.:

pdxsrv01:/var/opt/scalix/sys/pam.d # sxpampasswd -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for hkohl

Password changed
pdxsrv01:/var/opt/scalix/sys/pam.d #

Running sxpamauth again with the new password:

pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()

Authenticated

So this looked like a perfect authentication!

Common issues with SSL

If your LDAP server is not SSL enabled but the client side still tries to use SSL/TLS, you will see entries similar to these in the slapd log:

Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed

No LDAP communication is happening here. A "good" log looks like this:

Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed
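An added example (my own triage script, not part of the how-to) that reads slapd connection logs the way this section does: a connection that is ACCEPTed and closed with no operations is flagged as "no LDAP traffic", a connection with BIND/SRCH/RESULT lines is checked for failed binds, and every SIMPLE bind at ssf=0 is recorded, because with tls=off the Manager and user passwords cross the wire unencrypted. SAMPLE_LOG is constructed from the two excerpts above; the classification strings and the record layout are my choices.

```python
"""Triage slapd connection logs: empty connections (TLS mismatch), failed binds,
and SIMPLE binds at ssf=0 (password sent without TLS)."""
import re
from typing import Dict

# Constructed from the two log excerpts in the how-to (conn=55 "bad", conn=59 "good").
SAMPLE_LOG = """\
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
OP_RE = re.compile(r"^op=(\d+) ")
BIND_RE = re.compile(r'^op=\d+ BIND dn="([^"]*)" mech=(\w+) ssf=(\d+)')
BIND_RESULT_RE = re.compile(r"^op=\d+ RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse


def analyse(log: str) -> Dict[int, dict]:
    """Per connection: number of distinct operations, DNs that did a SIMPLE bind at
    ssf=0 (no transport encryption), non-zero bind result codes, and closed flag."""
    conns: Dict[int, dict] = {}
    seen_ops: Dict[int, set] = {}
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        c = conns.setdefault(conn, {"ops": 0, "cleartext_binds": [], "bind_errors": [], "closed": False})
        ops = seen_ops.setdefault(conn, set())
        om = OP_RE.match(rest)
        if om:
            ops.add(int(om.group(1)))
        bm = BIND_RE.match(rest)
        if bm and bm.group(2) == "SIMPLE" and bm.group(3) == "0":
            c["cleartext_binds"].append(bm.group(1))
        rm = BIND_RESULT_RE.match(rest)
        if rm and rm.group(1) != "0":
            c["bind_errors"].append(int(rm.group(1)))
        if rest.endswith(" closed"):
            c["closed"] = True
        c["ops"] = len(ops)
    return conns


def classify(c: dict) -> str:
    """Verdict for one connection record produced by analyse()."""
    if c["closed"] and c["ops"] == 0:
        return "no LDAP traffic: client/server TLS settings probably disagree"
    if c["bind_errors"]:
        return "bind failed: err=%s" % ",".join(map(str, c["bind_errors"]))
    return "ok"
```

Run it over SAMPLE_LOG and conn=55 comes out as "no LDAP traffic" while conn=59 is "ok" with three cleartext binds listed, which is the cost of tls=off.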

Congratulations, you have successfully installed OpenLDAP password support.