From: Roland Felnhofer (no email)
Date: Thu Mar 22 2007 - 18:18:59 EDT
Hi,
FIRST: Please buy a Linux book and read it!!
http://www.oreilly.com/catalog/runlinux5/inx.html
http://www.oreilly.com/catalog/linuxss2/inx.html
http://www.oreilly.com/catalog/linuxckbk/inx.html
http://www.oreilly.com/catalog/esapr/inx.html
http://www.oreilly.com/catalog/linag3/inx.html
> But my saslauthd is configured to support both pam and
> ldap
Hint: Actually saslauthd does not "support" PAM and LDAP as a "provider";
it's a "user" of these services as its authentication source, where PAM
again uses other sources as its authentication source (passwd, shadow,
LDAP, ...).
To find out what I meant with that and how it affects you, consult the
books I recommended to buy.
Best regards
Roland
JOYDEEP wrote:
> Roland Felnhofer wrote:
>
>> Hi,
>>
>> hmm, let me guess - you are running saslauthd with -a PAM?!
>>
>> try running it /usr/sbin/saslauthd -a ldap
>> no need (with a more or less up-to-date version of saslauthd) to do it
>> via PAM - use LDAP directly. Fewer layers, fewer potential problems.
>>
>> What log entry and result do you get by executing:
>> ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D
>> cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
>>
> Dear friend Roland,
> Thanks a lot for pointing out the problem. With *disallow bind_anon* I
> can successfully log in by executing */usr/sbin/saslauthd -a ldap*.
> Thanks a lot. But my saslauthd is configured to support both pam and
> ldap. It is required to access cyrus admin as it is based on pam.
> You can check my /etc/pam.d/imap
> -----------------------------------------
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix.so try_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix.so
> ------------------------------------------------------------
>
> So based on this configuration both pam and ldap authentication are
> working except the *disallow bind_anon* in cyrus.
> But *disallow bind_anon* is working well with my present config with
> ldapsearch. So I have to fix this cyrus issue here.
> Could you suggest any alternative please?
> Thanks and have a great day.
>
>> Best regards
>> Roland
>>
>> JOYDEEP wrote:
>>
>>> Roland Felnhofer wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> that should give you a hint:
>>>>
>>>>
>>>> saslauthd.conf
>>>>
>>>> ldap_servers: ldap://127.0.0.1
>>>> ldap_search_base: ou=people,dc=example,dc=com
>>>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>>> ldap_password: password
>>>> ldap_scope: one
>>>> ldap_uidattr: uid
>>>> ldap_filter_mode: yes
>>>> ldap_filter: uid=%u
>>>>
>>>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>>>> ldap_password) should be sufficient.
>>>>
>>>>
>>>>
>>> Dear Roland, thanks for your response.
>>> I already have the following entries in my saslauthd.conf
>>> ---------------------------------------------------------------------
>>> ldap_servers: ldap://localhost:389
>>> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>>> ldap_bind_pw: secret
>>> ldap_search_base: ou=Users,dc=kolkatainfoservices,dc=in
>>> ldap_version: 3
>>> ldap_filter: uid=%U
>>> ldap_default_domain: kolkatainfoservices.in
>>> --------------------------------------------------------------------------
>>>
>>>
>>> But having a problem with *disallow bind_anon*. I have also checked the
>>> settings you have suggested
>>> like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes. But
>>> no success yet.
>>>
>>> executing cyradm with valid user (in LDAP) and password reports
>>> ----------------------------------------------------
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from
>>> IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0
>>> text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH
>>> base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0
>>> filter="(uid=aftab)"
>>> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid)
>>> index_param failed (18)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101
>>> err=0 nentries=1 text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND
>>> dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
>>> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind
>>> as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid
>>> credentials)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49
>>> text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
>>> Mar 20 14:52:06 linux saslauthd[19448]: do_auth : auth failure:
>>> [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>> Mar 20 14:52:06 linux imap[20519]: badlogin:
>>> linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13):
>>> authentication failure: checkpass failed
>>> ------------------------------------------------------------------------------
>>>
>>>
>>> Could you kindly help me to fix the problem, as my system has a security
>>> risk until I stop the anonymous user login.
>>> Thanks
>>>
>>>
>>>
>>>> Best regards
>>>> Roland
>>>>
>>>>
>>>> JOYDEEP wrote:
>>>>
>>>>
>>>>> Dear list,
>>>>>
>>>>> To secure my ldap server I have added the line "disallow bind_anon" in
>>>>> slapd.conf.
>>>>> I have checked by "ldapsearch" command and now my ldap doesn't allow
>>>>> anonymous bind.
>>>>> But I now have a problem using cyrus as it is also based on LDAP
>>>>> authentication.
>>>>> I can't log in to cyrus with correct userid and passwd, but if I disable
>>>>> the "disallow bind_anon" I can again use cyrus.
>>>>>
>>>>> Could anyone kindly suggest how to fix it?
>>>>>
>>>>> here is my /etc/imapd.conf
>>>>>
>>>>> ==============================================================
>>>>> configdirectory: /var/lib/imap
>>>>> partition-default: /var/spool/imap
>>>>> sievedir: /var/lib/sieve
>>>>> admins: cyrus
>>>>> allowplaintext: yes
>>>>> sasl_mech_list: LOGIN PLAIN
>>>>> allowanonymouslogin: no
>>>>> autocreatequota: 10000
>>>>> reject8bit: no
>>>>> quotawarn: 90
>>>>> timeout: 30
>>>>> poptimeout: 10
>>>>> dracinterval: 0
>>>>> drachost: localhost
>>>>> sasl_pwcheck_method: saslauthd
>>>>> servername:linux.kolkatainfoservices.in
>>>>> lmtp_overquota_perm_failure: no
>>>>> lmtp_downcase_rcpt: yes
>>>>> unixhierarchysep: yes
>>>>> loginrealms: kolkatainfoservices.in
>>>>> hashimapspool: true
>>>>> lmtpsocket: /var/lib/imap/socket/lmtp
>>>>> ==============================
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ----
>>>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>>
>>>>>
>>>
>>>
>
>
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
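The diagnosis in this thread turns on reading the slapd BIND/RESULT pairs: pam_ldap first binds with an empty dn (an anonymous bind) to locate the user's entry, then binds as that user, and a refused anonymous bind or a wrong password shows up as a non-zero err on the matching bindResponse (tag=97). The script below is an added example written for this page; it is not code from the thread, from Cyrus, saslauthd or OpenLDAP. It pairs each BIND with its RESULT by (conn, op) and reports anonymous binds that slapd accepted (which means "disallow bind_anon" is not in effect on that server), anonymous binds that were refused, and user binds that failed. The sample log is constructed from the lines quoted above with the e-mail line wraps joined; the final RESULT line for op=3 is an assumption added to show what a refused anonymous bind looks like (err=48, inappropriateAuthentication, is what OpenLDAP returns when bind_anon is disallowed).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the slapd log quoted in this thread, with the
# e-mail line wraps joined back into single log lines.  The last line (RESULT
# for op=3) is an assumption: the quoted excerpt ends before slapd logs it, and
# err=48 is the inappropriateAuthentication result for a disallowed anonymous bind.
SAMPLE_LOG = """\
Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 RESULT tag=97 err=48 text=
"""

# method=128 is a simple (password) bind; dn="" is an anonymous bind.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the LDAP bindResponse, so search results (tag=101) are not matched.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

ERR_SUCCESS = 0
ERR_INAPPROPRIATE_AUTH = 48   # anonymous bind refused (disallow bind_anon)
ERR_INVALID_CREDENTIALS = 49  # wrong password / unknown DN


def parse_bind_events(log_text: str) -> List[Dict]:
    """Pair every BIND request with its bindResponse, keyed by (conn, op)."""
    pending: Dict[Tuple[int, int], Dict] = {}
    events: List[Dict] = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(int(conn), int(op))] = {
                "conn": int(conn), "op": int(op), "dn": dn,
                "method": int(method), "err": None,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = (int(x) for x in m.groups())
            ev = pending.pop((conn, op), None)
            if ev is not None:
                ev["err"] = err
                events.append(ev)
    # A BIND whose response never appears (truncated log) is kept with err=None.
    events.extend(pending.values())
    events.sort(key=lambda e: (e["conn"], e["op"]))
    return events


def audit(events: List[Dict]) -> Dict[str, list]:
    """Classify bind outcomes the way a defender checking bind_anon would."""
    report: Dict[str, list] = {
        "anonymous_accepted": [],   # dn="" and err=0: bind_anon is NOT disallowed
        "anonymous_refused": [],    # dn="" and non-zero err
        "failed_user_binds": [],    # named DN with non-zero err (e.g. err=49)
        "unanswered": [],           # BIND without a matching RESULT
    }
    for ev in events:
        key = (ev["conn"], ev["op"])
        if ev["err"] is None:
            report["unanswered"].append(key)
        elif ev["dn"] == "":
            bucket = "anonymous_accepted" if ev["err"] == ERR_SUCCESS else "anonymous_refused"
            report[bucket].append(key)
        elif ev["err"] != ERR_SUCCESS:
            report["failed_user_binds"].append((ev["conn"], ev["op"], ev["dn"], ev["err"]))
    return report


if __name__ == "__main__":
    for category, hits in audit(parse_bind_events(SAMPLE_LOG)).items():
        print(f"{category}: {hits}")
```

On the constructed sample the accepted anonymous bind at op=0 is exactly the thing "disallow bind_anon" is meant to stop, and the err=49 on op=2 is the "Invalid credentials" pam_ldap reports in the saslauthd line above; feeding `parse_bind_events` a real log written with slapd's stats loglevel gives the same per-connection picture for a live server.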