Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

Lee Hoffman lee_hoffman at brown.edu
Tue Sep 24 22:46:19 EDT 2002


Igor,
Thanks for all your help. As it turns out, my friend was able to solve
the problem. I don't have the patch in front of me, but my friend did a
little digging in the saslauthd code and found a bug in its LDAP caching
mechanism. Since his change the problem has not reoccurred. My friend
has assured me he will send the patch/bug to the list as soon as he
cleans up his changes.

Sincerely,
Lee 

-----Original Message-----
From: Igor Brezac [mailto:igor at ipass.net] 
Sent: Monday, September 23, 2002 11:57 AM
To: Lee Hoffman
Subject: RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL


Lee,

Can you apply the attached patch and recompile saslauthd?

cd $cyrus-sasl-src/saslauthd
patch -p0 < /tmp/saslauthd.patch
make

restart saslauthd and email me syslog entries after auth begins to fail.
I added a few extra debug codes which should help me see what is going
on.

Thanks,
-Igor

On Fri, 20 Sep 2002, Lee Hoffman wrote:

> Hey Igor,
> Running ldapsearch when the server is printing the AUTHFAILS returns
> what you would expect, the single user account entry for the user. Based
> on the fact that restarting the ldap server seems to help, one would
> think that it's an ldap server problem. But I just don't see how that can
> be since I've run 3 different versions of openldap, on two different
> servers, and the ldap server load never goes above 0.10.
>
> Any other ideas?
>
> Thanks,
> Lee
>
> -----Original Message-----
> From: Igor Brezac [mailto:igor at ipass.net]
> Sent: Friday, September 20, 2002 6:39 PM
> To: Lee Hoffman
> Cc: info-cyrus at lists.andrew.cmu.edu
> Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL
>
>
> On Fri, 20 Sep 2002, Lee Hoffman wrote:
>
> > I've been pulling my hair out with this for nearly 4 days now. I have
> > cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
> >
> > SASL:
> > ./configure --enable-plain --disable-krb4
> > --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
> >
> > IMAP:
> > ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> > --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
> >
> > Basically I CYRUS->SASLAUTHD->LDAP
> >
> > For some reason users intermittently will be prompted for their password
> > over and over. The sasl debug log shows the following lines when that
> > happens:
> >
> > Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than
> > one entries found (uid=superman).
> > Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman
> > service=imap realm=
> >
> > (ldap logs show nothing)
> >
> > The user always exists in the ldap directory. In fact 75% of the time
> > they can log in and use mail without problems. It seems like when I
> > restart the ldap directory the AUTHFAILS stop happening for a while. I
> > have the ldap directory restarting ldap every 5 minutes now, which seems
> > to be keeping the AUTHFAILS to a minimum (but they are still happening).
> >
> >
> > I immediately figured it was an LDAP problem. However, I've now tried
> > openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
> > of these three versions on two different servers (one with redhat, one
> > with debian). Both servers were completely different hardware. I also
> > tried different versions of the ldap client library (and of course
> > recompiled cyrus and sasl after trying each) on the cyrus server.
> > Nothing stops these intermittent AUTHFAILS.
> >
> > Does anyone have any idea what's going on? I'm desperate. Any ideas would
> > be appreciated.
> >
>
>
> Are there any other saslauthd lines in the syslog?  What happens when
> you run
> ldapsearch -x -b ou=users,dc=location,dc=com -D
> cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman
> on the command line after you start getting AUTHFAIL messages?
> How many entries, if any, are returned?
>
> Your configuration looks good.
>
> >
> >
> > SASLAUTHD.CONF:
> >
> > ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
> > ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
> > ldap_bind_pw: password
> > ldap_auth_method: bind
> > ldap_search_base: ou=users,dc=location,dc=com
> > ldap_debug: 5000
> > ldap_timeout: 15 # tried multiple values here too
> > ldap_time_limit: 15 # tried multiple values here too
> >
> >
> > IMAPD.CONF
> >
> > configdirectory: /export/cyrus/imap
> > partition-default: /export/cyrus/spool/imap
> > admins: admin
> > #sasl_pwcheck_method: pam
> >
> > tls_cert_file: /export/cyrus/server.pem
> > tls_key_file: /export/cyrus/server.pem
> >
> > allowanonymouslogin: no
> > allowplaintext: yes
> > sasl_mech_list: PLAIN
> > servername: localhost
> > autocreatequota: 10000
> > reject8bit: no
> > quotawarn: 90
> > timeout: 30
> > poptimeout: 10
> > dracinterval: 0
> > drachost: localhost
> > sasl_pwcheck_method: saslauthd
> > #sievedir: /usr/sieve
> > #sendmail: /usr/sbin/sendmail
> > #sieve_maxscriptsize: 32
> > #sieve_maxscripts: 5
> >
> > # Get rid of folders as subfolders of INBOX
> > altnamespace: yes
> > unixhierarchysep: yes
> >
> >
> >
>
>

-- 
Igor
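The search-then-bind flow the thread is debugging, written out as an added example (mine, not saslauthd's code): bind with ldap_bind_dn, search ldap_search_base for the user's uid, require exactly one hit, then bind as that DN with the supplied password. The LDAP server is replaced by an in-memory fake so it runs offline; every DN, uid and password is constructed, and the RFC 4515 filter escaping and the positive-only cache with a TTL are my choices, not a description of what saslauthd or the patch mentioned in the thread does.

```python
"""Search-then-bind in the shape of saslauthd's ``ldap_auth_method: bind``.

Added example, not saslauthd's code.  The LDAP server is an in-memory fake
so the example runs offline; every DN, uid and password below is constructed.
"""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.
    Without it a login name such as "*" turns (uid=%s) into a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value; only the fake server needs it."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


class FakeDirectory:
    """Stand-in for the LDAP server: dn -> (uid, userPassword)."""

    def __init__(self, service_dn: str, service_pw: str,
                 entries: Dict[str, Tuple[str, str]]):
        self.service_dn, self.service_pw = service_dn, service_pw
        self.entries = entries

    def search(self, base: str, filt: str) -> List[str]:
        """Subtree search for an (uid=VALUE) filter; VALUE may be the wildcard."""
        if not (filt.startswith("(uid=") and filt.endswith(")")):
            raise ValueError("fake server only understands (uid=...) filters")
        raw = filt[5:-1]
        want = None if raw == "*" else unescape_filter_value(raw)
        return [dn for dn, (uid, _) in self.entries.items()
                if dn.endswith(base) and (want is None or uid == want)]

    def bind(self, dn: str, password: str) -> bool:
        if dn == self.service_dn:
            return password == self.service_pw
        entry = self.entries.get(dn)
        return entry is not None and entry[1] == password


@dataclass
class SearchThenBind:
    ldap: FakeDirectory
    bind_dn: str                    # ldap_bind_dn
    bind_pw: str                    # ldap_bind_pw
    search_base: str                # ldap_search_base
    cache_ttl: float = 60.0         # seconds; an assumed value, not saslauthd's
    _cache: Dict[str, float] = field(default_factory=dict)  # credential hash -> expiry

    def authenticate(self, user: str, password: str, escape: bool = True,
                     now: Optional[float] = None) -> str:
        """Return "OK", "OK (cached)" or an AUTHFAIL reason string."""
        now = time.time() if now is None else now
        key = hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()
        if self._cache.get(key, 0.0) > now:
            return "OK (cached)"
        if not self.ldap.bind(self.bind_dn, self.bind_pw):
            return "AUTHFAIL: service bind failed"
        value = escape_filter_value(user) if escape else user
        dns = self.ldap.search(self.search_base, f"(uid={value})")
        if len(dns) != 1:   # the check behind "Entry not found or more than one entries found"
            return "AUTHFAIL: entry not found or more than one entry found (%d)" % len(dns)
        if not self.ldap.bind(dns[0], password):
            return "AUTHFAIL: bad password"
        self._cache[key] = now + self.cache_ttl   # cache successes only, never failures
        return "OK"


def build_demo() -> SearchThenBind:
    """Constructed directory: one duplicated uid reproduces the 'more than one' case."""
    base = "ou=users,dc=example,dc=com"
    d = FakeDirectory(
        "cn=postfixAdmin,ou=software,dc=example,dc=com", "svc-secret",
        {
            "uid=superman," + base: ("superman", "kryptonite"),
            "uid=batman," + base: ("batman", "gotham"),
            "uid=robin," + base: ("robin", "boywonder"),
            "uid=robin,ou=old," + base: ("robin", "boywonder"),  # stale duplicate
        })
    return SearchThenBind(d, d.service_dn, d.service_pw, base)


if __name__ == "__main__":
    auth = build_demo()
    for user, pw in [("superman", "kryptonite"), ("robin", "boywonder"),
                     ("nobody", "x"), ("*", "x")]:
        print(f"{user:10s} -> {auth.authenticate(user, pw)}")
    print("unescaped '*' ->", auth.authenticate("*", "x", escape=False))
```

Two things worth checking on a real server with the ldapsearch Igor suggests: that the uid search under ldap_search_base returns exactly one entry (a stale duplicate under a sub-OU produces the same "more than one entries found" line as a missing entry), and that the bind DN can actually read the entries, since a search that returns nothing for permission reasons also ends in AUTHFAIL.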






More information about the Info-cyrus mailing list