RE: [sympa-users] LDAP Logins

List: sympa-users, the mailing list for listmasters using Sympa

  • From: Steve Shipway <address@concealed>
  • To: Alex Hanselka <address@concealed>, Sympa Users <address@concealed>
  • Subject: RE: [sympa-users] LDAP Logins
  • Date: Sun, 4 May 2014 06:47:16 +0000

Try adding

regexp @

...to your ldap definition in the auth.conf. The code shows you get an
'invalid password' if it is unable to bind as the discovered user DN using
the supplied password. It can also fail if a supplied regexp doesn't match the
user identifier, though no regexp should mean it isn't checked.

If this doesn't fix it, set your sympa to detailed logging (level 3), and
check the logs during login. Don't leave it at this level since it will keep
passwords in the log ... however it also tells you more details as to why it
failed.

Steve


Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
address@concealed
Ph: +64 9 373 7599 ext 86487
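To make the failure cases Steve lists concrete, here is an added Python model of the two-step login (search for the user's DN with the service bind, then rebind as that DN with the supplied password); it is not Sympa's own code, and the in-memory DIRECTORY, the visible_attrs knob and the function names are assumptions made for the example.

```python
import re

# Constructed in-memory stand-in for the LDAP directory (an assumption, not a
# real server): DN -> (attributes, password).  search_dn plays the role of the
# ldapsearch done as bind_dn; bind plays the role of the rebind as the user.
DIRECTORY = {
    "uid=alex,ou=people,dc=example,dc=org": (
        {"uid": ["alex"], "mail": ["alex@example.org"]}, "correct horse"),
    "uid=bob,ou=people,dc=example,dc=org": (
        {"uid": ["bob"]}, "hunter2"),  # entry without a 'mail' attribute
}


def search_dn(email_attribute, identifier, visible_attrs):
    """Step 1: return the DNs whose email attribute equals the identifier.

    visible_attrs models a server that hides some attributes from the
    service bind (anonymous or non-SSL); a hidden attribute never matches.
    """
    if email_attribute not in visible_attrs:
        return []
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if identifier in attrs.get(email_attribute, [])]


def bind(dn, password):
    """Step 2: simple bind as the discovered DN with the supplied password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password


def ldap_login(identifier, password, regexp=None, email_attribute="mail",
               visible_attrs=("uid", "mail")):
    """Return 'ok' or the reason the login would be refused."""
    # A configured regexp must match the identifier before any LDAP traffic.
    if regexp is not None and not re.search(regexp, identifier):
        return "regexp mismatch"
    dns = search_dn(email_attribute, identifier, visible_attrs)
    if not dns:
        return "no DN found"       # attribute hidden, or entry lacks it
    if len(dns) > 1:
        return "ambiguous DN"      # two entries share the same address
    if not bind(dns[0], password):
        return "invalid password"  # rebind as the user's own DN failed
    return "ok"
```

Run the same identifier through with the mail attribute removed from visible_attrs to reproduce the "looks fine in ldapsearch as root, fails from the service bind" situation discussed in the thread.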


________________________________________
From: Alex Hanselka [address@concealed]
Sent: Sunday, 4 May 2014 6:03 p.m.
To: Steve Shipway; Sympa Users
Subject: Re: [sympa-users] LDAP Logins

On 5/3/14, 4:04 PM, Steve Shipway wrote:
>> Certainly! Everything looks good here, so far. It looks like it is
>> getting the correct info when I use ldapsearch and this bind_dn. It is
>> just trying to be difficult I'm sure ;). It is frustrating because the
>> ldap logs seem to indicate that it is getting the info it needs.
> The entry you give looks OK. However, I know it would not work on our LDAP
> server. That is because our LDAP server has additional security that
> prevents access to certain attributes if you are bound anonymously, or if
> you are on a non-SSL connection.
>
> Is it possible that your LDAP system denies visibility of the mail
> attribute because of either the bind identity or because you are not using
> SSL? Also, are you certain that your LDAP entries have the email address
> in a 'mail' attribute, and that this one in particular has that attribute?
> Maybe use an 'ldapsearch' command to retrieve the record from the sympa
> host command line and verify it all works as expected.
>
Thanks so much for all your help so far! It is super appreciated.

An ldapsearch from the CLI as that user does return the expected results
and has the mail attribute correctly. Just to be sure, I checked to make
sure there weren't two entries with the same email just in case, and
there were not. I know the ldap server does what I want because I have
direct root access to it. The slapd.log seems to indicate everything as
successful too.

What attributes does Sympa need access to? It can see everything from an
ldapsearch but I am wondering if it is expecting something that I may
not have for whatever reason. Is there something else it might need?

Alex Hanselka



