From: Roland Felnhofer (no email)
Date: Tue Mar 20 2007 - 08:30:53 EDT
Hi,
hmm, let me guess - you are running saslauthd with -a PAM?!
try running it as /usr/sbin/saslauthd -a ldap
no need (with a more or less up-to-date version of saslauthd) to do it
via PAM - use LDAP directly. Fewer layers, fewer potential problems.
What log entry and result do you get by executing:
ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
Best regards
Roland
JOYDEEP wrote:
> Roland Felnhofer wrote:
>
>> Hi,
>>
>> that should give you a hint:
>>
>>
>> saslauthd.conf
>>
>> ldap_servers: ldap://127.0.0.1
>> ldap_search_base: ou=people,dc=example,dc=com
>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>> ldap_password: password
>> ldap_scope: one
>> ldap_uidattr: uid
>> ldap_filter_mode: yes
>> ldap_filter: uid=%u
>>
>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>> ldap_password) should be sufficient.
>>
>>
> Dear Roland, thanks for your response.
> I already have the following entries in my saslauthd.conf
> ---------------------------------------------------------------------
> ldap_servers: ldap://localhost:389
> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
> ldap_bind_pw: secret
> ldap_search_base: ou=Users,dc=kolkatainfoservices,dc=in
> ldap_version: 3
> ldap_filter: uid=%U
> ldap_default_domain: kolkatainfoservices.in
> --------------------------------------------------------------------------
>
> But having a problem with *disallow bind_anon*. I have also checked the
> settings you have suggested,
> like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes, but
> no success yet.
>
> executing cyradm with valid user (in LDAP) and password reports
> ----------------------------------------------------
> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid) index_param failed (18)
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid credentials)
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
> Mar 20 14:52:06 linux saslauthd[19448]: do_auth : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
> Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
> ------------------------------------------------------------------------------
>
> could you kindly help me to fix the problem, as my system has a security
> risk until I stop the anonymous user login.
> thanks
>
>
>> Best regards
>> Roland
>>
>>
>> JOYDEEP wrote:
>>
>>> Dear list,
>>>
>>> to secure my ldap server I have added the line "disallow bind_anon" in
>>> slapd.conf.
>>> I have checked by "ldapsearch" command and now my ldap doesn't allow
>>> anonymous bind.
>>> But I have now problem to use cyrus as it also based on LDAP
>>> authentication.
>>> I can't log in to cyrus with the correct userid and passwd, but if I disable
>>> the "disallow bind_anon" I can again use cyrus.
>>>
>>> Could anyone kindly suggest to me how to fix it?
>>>
>>> here is my /etc/imapd.conf
>>>
>>> ==============================================================
>>> configdirectory: /var/lib/imap
>>> partition-default: /var/spool/imap
>>> sievedir: /var/lib/sieve
>>> admins: cyrus
>>> allowplaintext: yes
>>> sasl_mech_list: LOGIN PLAIN
>>> allowanonymouslogin: no
>>> autocreatequota: 10000
>>> reject8bit: no
>>> quotawarn: 90
>>> timeout: 30
>>> poptimeout: 10
>>> dracinterval: 0
>>> drachost: localhost
>>> sasl_pwcheck_method: saslauthd
>>> servername: linux.kolkatainfoservices.in
>>> lmtp_overquota_perm_failure: no
>>> lmtp_downcase_rcpt: yes
>>> unixhierarchysep: yes
>>> loginrealms: kolkatainfoservices.in
>>> hashimapspool: true
>>> lmtpsocket: /var/lib/imap/socket/lmtp
>>> ==============================
>>> ----
>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
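The slapd log JOYDEEP posted shows the sequence Roland's suggestion is aimed at: an anonymous simple bind (dn="" method=128), a search for the user's DN, then a second bind as that DN, which is how pam_ldap, and saslauthd's own ldap backend when no ldap_bind_dn is configured, check a password. That first anonymous bind is what "disallow bind_anon" refuses, so the lookup dies before the user's password is ever tested. The script below is an added example, not code from the thread or from Cyrus, saslauthd or OpenLDAP: it parses slapd stats-level lines of the format shown above into per-connection operations and reports who did the DN lookup (anonymous or a bound service DN) and how the final user bind ended. SAMPLE_LOG is constructed: the connection ids, timestamps, DNs and ports are made up, conn=1 mirrors the poster's flow, conn=2 assumes slapd answers a disallowed anonymous bind with err=48 (inappropriateAuthentication), and conn=3 shows the shape of a saslauthd -a ldap flow that searches as a bound proxy DN. Lines are assumed to be unwrapped, unlike the mail-wrapped copy in the thread.

```python
"""Flag LDAP authentication flows that depend on anonymous binds.

Parses slapd "stats" log lines (conn=N op=M BIND / SRCH / RESULT) and reports,
per connection, whether the user's DN was looked up anonymously or as a bound
service DN, and how the final bind as the user went. Added example with
constructed sample data, not code from the thread or from Cyrus/OpenLDAP.
"""
import re
from collections import defaultdict

# A slapd line looks like "... slapd[pid]: conn=N <rest>"; <rest> carries the op.
LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SRCH_RE = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"')
RESULT_RE = re.compile(r"op=(?P<op>\d+) (?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)")

LDAP_AUTH_SIMPLE = 128  # method=128 in slapd's log is a simple (password) bind
ERR_NAMES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}

# Constructed log (ids, DNs, times made up). conn=1 mirrors the poster's pam_ldap
# flow; conn=2 is an anonymous bind refused under 'disallow bind_anon' (err=48
# assumed); conn=3 is a lookup done as a bound proxy DN, as saslauthd -a ldap does.
SAMPLE_LOG = """\
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=example,dc=in" scope=2 deref=0 filter="(uid=aftab)"
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=example,dc=in" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
Mar 20 14:52:06 linux saslauthd[19448]: do_auth : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Mar 20 14:53:10 linux slapd[20480]: conn=2 op=0 BIND dn="" method=128
Mar 20 14:53:10 linux slapd[20480]: conn=2 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
Mar 20 14:54:01 linux slapd[20480]: conn=3 op=0 BIND dn="cn=proxyagent,ou=special_users,dc=example,dc=in" method=128
Mar 20 14:54:01 linux slapd[20480]: conn=3 op=0 RESULT tag=97 err=0 text=
Mar 20 14:54:01 linux slapd[20480]: conn=3 op=1 SRCH base="ou=Users,dc=example,dc=in" scope=1 deref=0 filter="(uid=aftab)"
Mar 20 14:54:01 linux slapd[20480]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 14:54:01 linux slapd[20480]: conn=3 op=2 BIND dn="uid=aftab,ou=Users,dc=example,dc=in" method=128
Mar 20 14:54:01 linux slapd[20480]: conn=3 op=2 RESULT tag=97 err=0 text=
"""


def parse_slapd_log(lines):
    """Group slapd lines into {conn: [op records]}, merging each op with its RESULT."""
    ops = defaultdict(dict)  # (conn, op) -> {"kind", "dn", "method", "base", "err"}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # saslauthd/imapd lines and anything else are ignored
        conn, rest = int(m.group("conn")), m.group("rest")
        b, s, r = BIND_RE.match(rest), SRCH_RE.match(rest), RESULT_RE.match(rest)
        if b:
            ops[(conn, int(b.group("op")))].update(
                kind="BIND", dn=b.group("dn"), method=int(b.group("method")))
        elif s:
            ops[(conn, int(s.group("op")))].update(kind="SRCH", base=s.group("base"))
        elif r:
            ops[(conn, int(r.group("op")))]["err"] = int(r.group("err"))
    by_conn = defaultdict(list)
    for (conn, op), rec in sorted(ops.items()):  # op order within each connection
        by_conn[conn].append(dict(rec, op=op))
    return dict(by_conn)


def classify_connection(records):
    """Describe how one connection authenticated.

    pam_ldap and saslauthd's ldap backend bind once (anonymously or as a service
    DN), search for the user's DN, then bind again as that DN. If the first bind
    is anonymous, 'disallow bind_anon' breaks the lookup before the password check.
    """
    binds = [x for x in records if x.get("kind") == "BIND"]
    if not binds:
        return {"search_identity": None, "two_step_lookup": False}
    first = binds[0]
    search_ops = [x["op"] for x in records if x.get("kind") == "SRCH"]
    # the user bind is a non-anonymous bind issued after the DN search
    user_binds = [x for x in binds if x["dn"] and search_ops and x["op"] > search_ops[0]]
    user = user_binds[-1] if user_binds else None
    return {
        "search_identity": "anonymous" if first["dn"] == "" else first["dn"],
        "anonymous_search": first["dn"] == "" and first.get("err") == 0,
        "anonymous_rejected": first["dn"] == "" and first.get("err") == 48,
        "two_step_lookup": user is not None,
        "user_bind_dn": user["dn"] if user else None,
        "user_bind_result": ERR_NAMES.get(user.get("err"), str(user.get("err"))) if user else None,
        "simple_bind_only": all(x.get("method") == LDAP_AUTH_SIMPLE for x in binds),
    }


def audit_slapd_log(text):
    """Return {conn: classification} for every connection in the log text."""
    return {c: classify_connection(recs) for c, recs in parse_slapd_log(text.splitlines()).items()}


def anonymous_lookups(text):
    """Connection ids whose user lookup was attempted with an anonymous bind."""
    return sorted(c for c, i in audit_slapd_log(text).items() if i["search_identity"] == "anonymous")


if __name__ == "__main__":
    for conn, info in sorted(audit_slapd_log(SAMPLE_LOG).items()):
        print(f"conn={conn}: {info}")
    print("relied on anonymous bind:", anonymous_lookups(SAMPLE_LOG))
```

Run it against a real slapd log (loglevel stats) after switching slapd to "disallow bind_anon": any connection still reported with search_identity "anonymous" belongs to a client that has not been given a bind DN yet, and a user bind ending in invalidCredentials right after a successful search is a genuine bad password rather than the anonymous-bind problem.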