Archive for the ‘Mail’ Category

Something very strange is happening with ldap accounts. When I try to send mail, using our smtp with tls server, sometimes the password is accepted and other times it is not. I’m going to have to do a bit of searching to find out why this doesn’t always work.

The first time I tried this, I ran authconfig on the machine running the ldap server and set it to use ldap, use ldap authentication and use tls. With these settings, I was not able to send mail through our smtp+tls server. I would just be repeatedly prompted for the password.

Later, after I used authconfig to turn off the ldap stuff, I was able to send email using one of my ldap accounts. The only other thing I remember changing was /etc/nsswitch.conf, where I added ldap to the passwd, shadow and group lines.

I obviously still don’t completely understand how ldap works.

With all users in the ldap database, you must tell sendmail to use this database to find users for receiving mail. To do this, add the following lines to /etc/mail/sendmail.mc, generate a new cf file (make sendmail.cf) and restart sendmail.


dnl ### Ldap
define(`confLDAP_DEFAULT_SPEC',`-h servername.uchicago.edu -b dc=servername,dc=uchicago,dc=edu')dnl
LDAPROUTE_DOMAIN(`servername.uchicago.edu')dnl
FEATURE(`ldap_routing')dnl

Imaps runs as an xinetd service. To set it up:

0. Download and compile the UW imap program. Redhat provides Cyrus Imap, but I’m more familiar with the UW package, so use that instead.

Since RHEL has the openssl libraries in a non-standard place, you must edit the file imap-xx/src/osdep/unix/Makefile.

SSLDIR=/usr/share/ssl
SSLCERTS=$(SSLDIR)/certs
SSLKEYS=$(SSLCERTS)
SSLINCLUDE=/usr/include/openssl
SSLLIB=/usr/lib

make slx

Copy the file imapd to /usr/sbin. It has now been compiled and installed.

1. Make sure the stunnel rpm is installed.
2. Edit /etc/stunnel/imaps.conf with the following:

; make sure this file has been created
cert = /usr/share/ssl/certs/imapd.pem
exec = /usr/sbin/imapd
execargs = imapd

Note that stunnel is no longer required with UW-imap. It can handle SSL by itself.

3. Edit /etc/xinetd.d/imaps

# default: off
# description: The SIMAP service allows remote users to access their mail
# using an IMAP client with SSL support.
#
# only_from = 0.0.0.0 matches ALL internet addresses
# the default (/etc/xinetd.conf) is 128.135.102.0
#
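service imaps
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    # stunnel variant (steps 1-2): to use it, uncomment these two lines
    # and comment out the imapd server line below
    # server = /usr/sbin/stunnel
    # server_args = /etc/stunnel/imaps.conf

    # imapd handling SSL by itself
    server = /usr/sbin/imapd
    only_from = 0.0.0.0
    log_on_success += HOST DURATION
    log_on_failure += HOST
}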

4. Restart the xinetd service.

5. If you have problems, disable selinux in /etc/selinux/config. You will have to reboot the machine after this.
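
A quick audit of the step 3 stanza before restarting xinetd, as an added example (not part of the original notes): it flags any attribute assigned twice with =, a server that runs as root, and an only_from of 0.0.0.0. The function name, the finding labels and the sample stanza are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an xinetd service stanza read on stdin.
# audit_xinetd and its finding labels are hypothetical names, not xinetd tooling.
audit_xinetd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
    $1 == "service" { svc = $2; split("", seen); next } # new stanza: reset state
    /^[ \t]*[{}]/   { next }
    {
        attr = $1; op = $2
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)                  # keep text after the operator
        sub(/[ \t]+$/, "", val)
        if (op == "=") {                               # += and -= may repeat legitimately
            if (attr in seen)
                printf "%s: DUPLICATE %s (%s, then %s)\n", svc, attr, seen[attr], val
            seen[attr] = val
        }
        if (attr == "user" && val == "root")
            printf "%s: ROOT server runs as root\n", svc
        if (attr == "only_from" && val ~ /(^|[ \t])0\.0\.0\.0([ \t]|$)/)
            printf "%s: OPEN only_from 0.0.0.0 matches all addresses\n", svc
    }'
}

# Constructed sample: an imaps stanza with two active server lines.
sample_stanza() {
    cat <<'EOF'
service imaps
{
    disable = no
    user = root
    server = /usr/sbin/stunnel
    server_args = /etc/stunnel/imaps.conf
    server = /usr/sbin/imapd
    only_from = 0.0.0.0
    log_on_success += HOST DURATION
    log_on_failure += HOST
}
EOF
}

sample_stanza | audit_xinetd
```

To check the real file, run audit_xinetd < /etc/xinetd.d/imaps; no output means none of the three conditions was found.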