Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

Lee Hoffman lee_hoffman at brown.edu
Fri Sep 20 19:34:54 EDT 2002


Hey Igor,
Running ldapsearch when the server is printing the AUTHFAILS returns
what you would expect, the single user account entry for the user. Based
on the fact that restarting the ldap server seems to help, one would
think that its an ldap server problem. But I just done see how that can
be since Ive run 3 different versions of openldap, on two different
servers, and the ldap server load never goes above 0.10. 

Any other ideas?

Thanks,
Lee 

-----Original Message-----
From: Igor Brezac [mailto:igor at ipass.net] 
Sent: Friday, September 20, 2002 6:39 PM
To: Lee Hoffman
Cc: info-cyrus at lists.andrew.cmu.edu
Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL


On Fri, 20 Sep 2002, Lee Hoffman wrote:

> I've been pulling my hair out with this for nearly 4 days now. I have
> cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
>
> SASL:
> ./configure --enable-plain --disable-krb4
> --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
>
> IMAP:
> ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
>
> Basically I CYRUS->SASLAUTHD->LDAP
>
> For some reason users intermittently will be prompted for their
password
> over and over. The sasl debug log show the following lines when that
> happens:
>
> Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more
than
> one entries found (uid=superman).
> Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman
> service=imap realm=
>
> (ldap logs show nothing)
>
> The user always exists in the ldap directory. In fact 75% of the time
> they can login and use mail without problems. It seems like when I
> restart the ldap directory the AUTHFAILS stop happening for a while. I
> have the ldap directory restarting ldap every 5 minutes now, which
seems
> to be keeping the AUTHFAILS to a minimum (but they are still
happening).
>
>
> I immediately figured it was an LDAP problem. However, I've now tried
> openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried
each
> of these three versions on two different servers (one with redhat, one
> with debian). Both servers were completely different hardware. I also
> tried different versions of the ldap client library (and of course
> recompiled cyrus and sasl after trying each) on the cyrus server.
> Nothing stops these intermittent AUTHFAILS.
>
> Does anyone have any idea whats going on? I'm desperate. Any ideas
would
> be appreciated.
>


Are there any other saslauthd lines in the syslog?  What happens when
you run
ldapsearch -x -b ou=users,dc=location,dc=com -D
cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman
on the command line after you start getting AUTHFAIL messages?
How many entries, if any, are returned?

Your configuration looks good.

>
>
> SASLAUTHD.CONF:
>
> ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
> ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
> ldap_bind_pw: password
> ldap_auth_method: bind
> ldap_search_base: ou=users,dc=location,dc=com
> ldap_debug: 5000
> ldap_timeout: 15 # tried multiple values here too
> ldap_time_limit: 15 # tried multiple values here too
>
>
> IMAPD.CONF
>
> configdirectory: /export/cyrus/imap
> partition-default: /export/cyrus/spool/imap
> admins: admin
> #sasl_pwcheck_method: pam
>
> tls_cert_file: /export/cyrus/server.pem
> tls_key_file: /export/cyrus/server.pem
>
> allowanonymouslogin: no
> allowplaintext: yes
> sasl_mech_list: PLAIN
> servername: localhost
> autocreatequota: 10000
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost
> sasl_pwcheck_method: saslauthd
> #sievedir: /usr/sieve
> #sendmail: /usr/sbin/sendmail
> #sieve_maxscriptsize: 32
> #sieve_maxscripts: 5
>
> # Get rid of folders as subfolders of INBOX
> altnamespace: yes
> unixhierarchysep: yes
>
>
>

-- 
Igor







More information about the Info-cyrus mailing list