Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL
Lee Hoffman
lee_hoffman at brown.edu
Fri Sep 20 20:14:29 EDT 2002
Igor,
Here's my slapd.conf.
SLAPD.conf:
---------------------------------------------------------------------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /export/openldap/etc/schema/core.schema
include /export/openldap/etc/schema/misc.schema
include /export/openldap/etc/schema/cosine.schema
include /export/openldap/etc/schema/inetorgperson.schema
include /export/openldap/etc/schema/horde.schema
include /export/openldap/etc/schema/domain.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Define global ACLs to disable default read access.
defaultaccess none
access to * by self read
        by dn="cn=softwareAdmin,ou=software,dc=domain,dc=com" write
        by dn="cn=postfixAdmin,ou=software,dc=domain,dc=com" read
        by dn="cn=listAdmin,ou=software,dc=domain,dc=com" read
        by * auth
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=location,dc=com"
rootdn "cn=Manager,ou=software,dc=location,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}jklasdjklajasd83qkl9002002sadsasda
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /export/openldap/var/openldap-ldbm
# Indices to maintain
index default pres,eq
index objectClass,uid,cn,trbcPublicEmailAddress,trbcDomainName
loglevel 0
# TLS / SSL
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /export/openldap/etc/ldapcert.pem
TLSCertificateKeyFile /export/openldap/etc/ldapkey.pem
TLSCACertificateFile /export/openldap/etc/demoCA/cacert.pem
replogfile /export/openldap/replog
# Replication
replica host=ldap2.domain.com:389
        binddn="cn=Replicator,ou=software,dc=location,dc=com"
        bindmethod=simple credentials=password
> I'd like to email you a patch for saslauthd, but I am not at a place where
> I can do this until Monday.
That would be great. I really appreciate you taking the time to help.
Sincerely,
Lee
-----Original Message-----
From: Igor Brezac [mailto:igor at ipass.net]
Sent: Friday, September 20, 2002 7:59 PM
To: Lee Hoffman
Cc: info-cyrus at lists.andrew.cmu.edu
Subject: RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL
On Fri, 20 Sep 2002, Lee Hoffman wrote:
> Hey Igor,
> Running ldapsearch when the server is printing the AUTHFAILS returns
> what you would expect, the single user account entry for the user. Based
> on the fact that restarting the ldap server seems to help, one would
> think that it's an ldap server problem. But I just don't see how that can
> be since I've run 3 different versions of openldap, on two different
> servers, and the ldap server load never goes above 0.10.
>
> Any other ideas?
>
saslauthd can be at fault here, but I am not convinced yet. What does
your slapd.conf look like?
I'd like to email you a patch for saslauthd, but I am not at a place where
I can do this until Monday.
I run a similar setup without any problems except I use a different OS.
-Igor
> Thanks,
> Lee
>
> -----Original Message-----
> From: Igor Brezac [mailto:igor at ipass.net]
> Sent: Friday, September 20, 2002 6:39 PM
> To: Lee Hoffman
> Cc: info-cyrus at lists.andrew.cmu.edu
> Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL
>
>
> On Fri, 20 Sep 2002, Lee Hoffman wrote:
>
> > I've been pulling my hair out with this for nearly 4 days now. I have
> > cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
> >
> > SASL:
> > ./configure --enable-plain --disable-krb4
> > --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
> >
> > IMAP:
> > ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> > --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
> >
> > Basically I CYRUS->SASLAUTHD->LDAP
> >
> > For some reason users intermittently will be prompted for their password
> > over and over. The sasl debug log shows the following lines when that
> > happens:
> >
> > Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
> > Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
> >
> > (ldap logs show nothing)
> >
> > The user always exists in the ldap directory. In fact 75% of the time
> > they can login and use mail without problems. It seems like when I
> > restart the ldap directory the AUTHFAILS stop happening for a while. I
> > have the ldap directory restarting ldap every 5 minutes now, which seems
> > to be keeping the AUTHFAILS to a minimum (but they are still happening).
> >
> >
> > I immediately figured it was an LDAP problem. However, I've now tried
> > openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
> > of these three versions on two different servers (one with redhat, one
> > with debian). Both servers were completely different hardware. I also
> > tried different versions of the ldap client library (and of course
> > recompiled cyrus and sasl after trying each) on the cyrus server.
> > Nothing stops these intermittent AUTHFAILS.
> >
> > Does anyone have any idea what's going on? I'm desperate. Any ideas would
> > be appreciated.
> >
>
>
> Are there any other saslauthd lines in the syslog? What happens when you run
> ldapsearch -x -b ou=users,dc=location,dc=com -D cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman
> on the command line after you start getting AUTHFAIL messages?
> How many entries, if any, are returned?
>
> Your configuration looks good.
>
> >
> >
> > SASLAUTHD.CONF:
> >
> > ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
> > ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
> > ldap_bind_pw: password
> > ldap_auth_method: bind
> > ldap_search_base: ou=users,dc=location,dc=com
> > ldap_debug: 5000
> > ldap_timeout: 15 # tried multiple values here too
> > ldap_time_limit: 15 # tried multiple values here too
> >
> >
> > IMAPD.CONF
> >
> > configdirectory: /export/cyrus/imap
> > partition-default: /export/cyrus/spool/imap
> > admins: admin
> > #sasl_pwcheck_method: pam
> >
> > tls_cert_file: /export/cyrus/server.pem
> > tls_key_file: /export/cyrus/server.pem
> >
> > allowanonymouslogin: no
> > allowplaintext: yes
> > sasl_mech_list: PLAIN
> > servername: localhost
> > autocreatequota: 10000
> > reject8bit: no
> > quotawarn: 90
> > timeout: 30
> > poptimeout: 10
> > dracinterval: 0
> > drachost: localhost
> > sasl_pwcheck_method: saslauthd
> > #sievedir: /usr/sieve
> > #sendmail: /usr/sbin/sendmail
> > #sieve_maxscriptsize: 32
> > #sieve_maxscripts: 5
> >
> > # Get rid of folders as subfolders of INBOX
> > altnamespace: yes
> > unixhierarchysep: yes
> >
> >
> >
>
>
--
Igor
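The two saslauthd syslog lines quoted in the thread are the only evidence that the failure happens in the directory lookup step (no single entry for the uid) rather than in the user's own bind. The following Python script is an added example, not code from the thread: it sorts AUTHFAIL events into those two classes over constructed sample lines in the same format, so the lookup-failure rate can be measured across slapd restarts instead of estimated.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two saslauthd lines quoted in the thread.
# The "batman" line has no preceding lookup message, so it should be classed
# as a bind failure (bad credentials), not as a directory lookup failure.
SAMPLE_LOG = """\
Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
Sep 20 16:54:02 servername saslauthd[341]: AUTHFAIL: user=batman service=imap realm=
Sep 20 16:55:10 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:55:10 servername saslauthd[341]: AUTHFAIL: user=superman service=pop realm=
"""

# Syslog prefix: "Mon DD HH:MM:SS host saslauthd[pid]: ..."
LOOKUP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ saslauthd\[(?P<pid>\d+)\]: "
    r"Entry not found or more than one entries found \(uid=(?P<uid>[^)]+)\)")
AUTHFAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ saslauthd\[(?P<pid>\d+)\]: "
    r"AUTHFAIL: user=(?P<user>\S+) service=(?P<service>\S+)")

def classify_authfails(log_text):
    """Return {user: {"lookup": n, "bind": m}}. An AUTHFAIL is 'lookup' when
    the same saslauthd pid reported a lookup failure for that uid just before
    it (the search returned zero or several entries); otherwise it is 'bind'
    (the entry was found and the bind with the user's password failed)."""
    counts = defaultdict(lambda: {"lookup": 0, "bind": 0})
    pending = {}  # pid -> uid of a lookup failure not yet paired with an AUTHFAIL
    for line in log_text.splitlines():
        m = LOOKUP_RE.match(line)
        if m:
            pending[m["pid"]] = m["uid"]
            continue
        m = AUTHFAIL_RE.match(line)
        if not m:
            continue
        kind = "bind"
        if pending.get(m["pid"]) == m["user"]:
            kind = "lookup"
            del pending[m["pid"]]
        counts[m["user"]][kind] += 1
    return dict(counts)

def lookup_failure_ratio(log_text):
    """Fraction of all AUTHFAILs caused by the lookup step (0.0 when none)."""
    c = classify_authfails(log_text)
    total = sum(v["lookup"] + v["bind"] for v in c.values())
    return sum(v["lookup"] for v in c.values()) / total if total else 0.0

if __name__ == "__main__":
    print(classify_authfails(SAMPLE_LOG))
    print(f"{lookup_failure_ratio(SAMPLE_LOG):.0%} of AUTHFAILs were lookup failures")
```

Feed it the real syslog (`classify_authfails(open("/var/log/messages").read())`) and a ratio that stays high while users report being re-prompted confirms the problem sits between saslauthd and the directory, not in the users' passwords.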