Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

Igor Brezac igor at ipass.net
Fri Sep 20 18:38:54 EDT 2002


On Fri, 20 Sep 2002, Lee Hoffman wrote:

> I've been pulling my hair out with this for nearly 4 days now. I have
> cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
>
> SASL:
> ./configure --enable-plain --disable-krb4
> --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
>
> IMAP:
> ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
>
> Basically I CYRUS->SASLAUTHD->LDAP
>
> For some reason users intermittently will be prompted for their password
> over and over. The sasl debug log shows the following lines when that
> happens:
>
> Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than
> one entries found (uid=superman).
> Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman
> service=imap realm=
>
> (ldap logs show nothing)
>
> The user always exists in the ldap directory. In fact 75% of the time
> they can login and use mail without problems. It seems like when I
> restart the ldap directory the AUTHFAILS stop happening for a while. I
> have the ldap directory restarting ldap every 5 minutes now, which seems
> to be keeping the AUTHFAILS to a minimum (but they are still happening).
>
>
> I immediately figured it was an LDAP problem. However, I've now tried
> openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
> of these three versions on two different servers (one with redhat, one
> with debian). Both servers were completely different hardware. I also
> tried different versions of the ldap client library (and of course
> recompiled cyrus and sasl after trying each) on the cyrus server.
> Nothing stops these intermittent AUTHFAILS.
>
> Does anyone have any idea what's going on? I'm desperate. Any ideas would
> be appreciated.
>


Are there any other saslauthd lines in the syslog?  What happens when you run
ldapsearch -x -b ou=users,dc=location,dc=com -D cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman
on the command line after you start getting AUTHFAIL messages?
How many entries, if any, are returned?

Your configuration looks good.

>
>
> SASLAUTHD.CONF:
>
> ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
> ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
> ldap_bind_pw: password
> ldap_auth_method: bind
> ldap_search_base: ou=users,dc=location,dc=com
> ldap_debug: 5000
> ldap_timeout: 15 # tried multiple values here too
> ldap_time_limit: 15 # tried multiple values here too
>
>
> IMAPD.CONF
>
> configdirectory: /export/cyrus/imap
> partition-default: /export/cyrus/spool/imap
> admins: admin
> #sasl_pwcheck_method: pam
>
> tls_cert_file: /export/cyrus/server.pem
> tls_key_file: /export/cyrus/server.pem
>
> allowanonymouslogin: no
> allowplaintext: yes
> sasl_mech_list: PLAIN
> servername: localhost
> autocreatequota: 10000
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost
> sasl_pwcheck_method: saslauthd
> #sievedir: /usr/sieve
> #sendmail: /usr/sbin/sendmail
> #sieve_maxscriptsize: 32
> #sieve_maxscripts: 5
>
> # Get rid of folders as subfolders of INBOX
> altnamespace: yes
> unixhierarchysep: yes
>
>
>

-- 
Igor
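Added example (not from this thread, not part of Cyrus SASL): a small shell script that does what Igor suggests above and keeps doing it. saslauthd's "bind" method first searches for the user (default filter uid=%u) and only binds as the returned DN if exactly one entry comes back; both the zero-entry and the many-entry case produce the single "Entry not found or more than one entries found" message, so the point of the script is to count the entries the same search returns from the command line, distinguish 0 from >1 and from a plain connection or bind error, and timestamp each poll so it can be lined up against the AUTHFAIL lines in syslog. The server, bind DN and search base are the ones from the quoted saslauthd.conf; the LDAP_BIND_PW environment variable, the -LLL/dn restriction of the search, and the sample LDIF used when no uid is given are assumptions added for the example.

```sh
#!/bin/sh
# Added example, not from the original thread: reproduce saslauthd's LDAP
# lookup for one uid and classify the entry count the way saslauthd's
# "bind" method does (exactly one entry required before it binds as that DN).
# Server, bind DN and search base are the values from the saslauthd.conf
# quoted in the thread; LDAP_BIND_PW is an assumed environment variable
# (the password from ldap_bind_pw), overridable like the other three.

LDAP_URI=${LDAP_URI:-ldaps://server1.com}
BIND_DN=${BIND_DN:-cn=postfixAdmin,ou=software,dc=location,dc=com}
SEARCH_BASE=${SEARCH_BASE:-ou=users,dc=location,dc=com}

# count_entries: read LDIF on stdin, print the number of entries. Every
# entry starts with a "dn:" line; wrapped continuation lines start with a
# space, so they are not counted. Always prints a number (0 for no input).
count_entries() {
  awk '/^dn:/ { n++ } END { print n + 0 }'
}

# classify: map an entry count to what saslauthd does with it. Both the
# zero and the many case produce the one syslog message seen in the
# thread, so the count is needed to tell them apart.
classify() {
  case "$1" in
    1) echo "OK: exactly one entry, saslauthd would go on to bind as that DN" ;;
    0) echo "AUTHFAIL: no entry for that filter (logged as 'Entry not found or more than one entries found')" ;;
    *) echo "AUTHFAIL: $1 entries match, ambiguous (same saslauthd message)" ;;
  esac
}

# lookup_uid: the same search saslauthd performs (default filter uid=%u),
# restricted to the dn attribute and LDIF-only output (-LLL) so the result
# is easy to count. A failed ldapsearch (connection refused, bad bind) is
# reported separately instead of being mistaken for "0 entries".
lookup_uid() {
  uid=$1
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  out=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$LDAP_BIND_PW" \
          -b "$SEARCH_BASE" "(uid=$uid)" dn 2>&1)
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "$stamp uid=$uid ldapsearch error rc=$rc (not an entry count): $out"
    return "$rc"
  fi
  n=$(printf '%s\n' "$out" | count_entries)
  echo "$stamp uid=$uid entries=$n $(classify "$n")"
}

# watch_uid: poll every INTERVAL seconds (default 30) so the intermittent
# failure can be caught and matched against the AUTHFAIL timestamps.
watch_uid() {
  uid=$1
  interval=${2:-30}
  while :; do
    lookup_uid "$uid"
    sleep "$interval"
  done
}

if [ $# -ge 1 ]; then
  watch_uid "$1" "$2"
else
  # No uid given: demonstrate offline on a constructed LDIF answer that
  # contains two entries for the same uid (the ambiguous case).
  SAMPLE_LDIF='dn: uid=superman,ou=users,dc=location,dc=com

dn: uid=superman,ou=old,dc=location,dc=com
'
  n=$(printf '%s' "$SAMPLE_LDIF" | count_entries)
  echo "constructed sample: entries=$n $(classify "$n")"
fi
```

Run it as `LDAP_BIND_PW=... ./ldapcheck.sh superman 30 | tee ldapcheck.log` on the Cyrus box and compare the log against the saslauthd AUTHFAIL lines; if the count stays at 1 while saslauthd still fails, the problem is between saslauthd and the directory rather than in the directory's answer, and if the count drops to 0 or the search errors out at the same moments, the server side is where to look. Passing the password with -w makes it visible in the process list, which is acceptable on a test box but worth knowing.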

