problems with cyrus sasl ldap pam authentication
nikolay.nenchev at rbb.bg
Mon Sep 19 09:09:29 EDT 2005
Hi list,
I have problems with authenticating a user from an openldap directory through
saslauthd that is using pam authentication.
My configuration is:
Debian 3.1 Sarge kernel 2.4.27-2-386
Postfix 2.1.5-9, postfix-ldap 2.1.5-9
Cyrus-common, cyrus-imapd, cyrus-admin, cyrus-client 2.1.18-1
Sasl2-bin, libsasl2, libsasl2-module 2.1.19-1.5
#my /etc/imapd.conf:
#configdirectory: /var/lib/cyrus
#defaultpartition: default
#partition-default: /var/spool/cyrus/mail
#admins: cyrus
#allowanonymouslogin: no
#umask: 077
#allowplaintext: yes
#sasl_mech_list: PLAIN LOGN
#sasl_minimum_layer: 0
#sasl_pwcheck_method: saslauthd
standard /etc/cyrus.conf
#/etc/pam.d/imap
#@include common-auth
#@include common-account
#/etc/pam.d/common-account
#account sufficient pam_ldap.so
#account required pam_unix.so
#/etc/pam.d/common-auth
#auth sufficient pam_ldap.so
#auth required pam_unix.so nullok_secure
#/etc/default/saslauthd
#START=yes
#MECHANISMS="pam"
#/etc/default/slapd
#SLAPD_SERVICES="ldap://localhost/"
#/etc/ldap/slapd.conf
#allow bind_v2
#include /etc/ldap/schema/core.schema
#include /etc/ldap/schema/cosine.schema
#include /etc/ldap/schema/nis.schema
#include /etc/ldap/schema/inetorgperson.schema
#schemacheck on
#pidfile /var/run/slapd/slapd/pid
#argsfile /var/run/slapd.args
#loglevel 0
#modulepath /usr/lib/ldap
#moduleload back_bdb
#backend bdb
#checkpoint 512 30
#database bdb
#suffix "dc=rbb,dc=bg"
#directory "/var/lib/ldap"
#rootdn "cn=admin,dc=rbb,dc=bg"
#rootpw test
#index objectClass eq
#lastmod on
#access to attrs=userPassword
# by dn="cn=admin,dc=rbb,dc=bg" write
# by self write
# by * none
#access to dn.base="" by * read
#access to *
# by dn="cn=admin,dc=rbb,dc=bg" write
# by * read
#/etc/ldap/ldap.conf
#BASE dc=rbb,dc=bg
#URI ldap://localhost/
#TLS_REQCERT allow
I have created a user account (posixAccount) in ldap through phpldapadmin. My
ldif file is:
#dn: dc=rbb,dc=bg
#objectclass: top
#objectclass: organization
#o: RBB
After I execute the command:
#cyradm --user cyrus localhost
IMAP Password:
Login failed: authentication failure at
/usr/lib/perl5/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server as user cyrus
#error in /var/log/syslog is:
Sep 19 11:42:46 localhost cyrus/imap[7981]: executed
Sep 19 11:42:46 localhost cyrus/imapd[7981]: accepted connection
Sep 19 11:42:51 localhost cyrus/imapd[7981]: badlogin:
localhost.localdomain[127.0.0.1] plaintext cyrus SASL(-13): authentication
failure: checkpass failed
I have created the cyrus user with saslpasswd2, and with the command
testsaslauthd -u cyrus -p test the reply is 0: OK "Success." But as I went
through the documentation, this testsaslauthd checks the local sasldb.
Also I have noticed that the rights on the directory /var/run/saslauthd are 710
and user:group is root:sasl. The socket is mux (srwxrwxrwx), but mux.accept and
saslauthd.pid are (-rw- --- ---) with user:group root:root.
And if I change the rights to be accessible by everyone (for test purposes), the
error is the same. And when restarting saslauthd, it changes the permissions
back to 710 for /var/run/saslauthd.
The cyrus user is added to the sasl group.
#ps aux
#root 7935 0.0 0.8 7164 2256 ? Ss 11:42 0:00
/usr/sbin/saslauthd -a pam
#root 7936 0.0 0.8 7164 2256 ? S 11:42 0:00
/usr/sbin/saslauthd -a pam
#root 7937 0.0 0.8 7164 2256 ? S 11:42 0:00
/usr/sbin/saslauthd -a pam
#root 7938 0.0 0.6 6808 1588 ? S 11:42 0:00
/usr/sbin/saslauthd -a pam
#root 7939 0.0 0.6 6808 1588 ? S 11:42 0:00
/usr/sbin/saslauthd -a pam
#cyrus 7963 0.0 0.8 5112 2116 ? Ss 11:42 0:00
/usr/sbin/cyrmaster -d
#cyrus 7969 0.0 0.4 3912 1052 ? S 11:42 0:00 notifyd
#root 7977 0.0 1.4 15812 3736 ? Ss 11:42 0:00
/usr/sbin/slapd -h ldap://localhost/ -f /etc/ldap/slapd.conf
#root 7978 0.0 1.4 15812 3736 ? S 11:42 0:00
/usr/sbin/slapd -h ldap://localhost/ -f /etc/ldap/slapd.conf
#root 7979 0.0 1.4 15812 3736 ? S 11:42 0:00
/usr/sbin/slapd -h ldap://localhost/ -f /etc/ldap/slapd.conf
#root 7986 0.0 1.4 15812 3736 ? S 11:42 0:00
/usr/sbin/slapd -h ldap://localhost/ -f /etc/ldap/slapd.conf
#root 7987 0.0 1.4 15812 3736 ? S 11:42 0:00
/usr/sbin/slapd -h ldap://localhost/ -f /etc/ldap/slapd.conf
Sorry for the long post, but I have been experiencing this problem for some time.
Just for the record, I have had success in authenticating users through local
unix accounts and saslpasswd2.
Regards,
Nikolay Nenchev