Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

Lee Hoffman lee_hoffman at brown.edu
Fri Sep 20 17:25:38 EDT 2002


I've been pulling my hair out with this for nearly 4 days now. I have
cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:

SASL:
./configure --enable-plain --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib

IMAP:
./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no

Basically I use CYRUS->SASLAUTHD->LDAP

For some reason users intermittently will be prompted for their password
over and over. The sasl debug log shows the following lines when that
happens:

Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=

(ldap logs show nothing)

The user always exists in the ldap directory. In fact 75% of the time
they can login and use mail without problems. It seems like when I
restart the ldap directory the AUTHFAILS stop happening for a while. I
have the ldap directory restarting ldap every 5 minutes now, which seems
to be keeping the AUTHFAILS to a minimum (but they are still happening).


I immediately figured it was an LDAP problem. However, I've now tried
openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
of these three versions on two different servers (one with redhat, one
with debian). Both servers were completely different hardware. I also
tried different versions of the ldap client library (and of course
recompiled cyrus and sasl after trying each) on the cyrus server.
Nothing stops these intermittent AUTHFAILS.

Does anyone have any idea what's going on? I'm desperate. Any ideas would
be appreciated.

Thanks,
Lee

SASLAUTHD.CONF:

ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
ldap_bind_pw: password
ldap_auth_method: bind
ldap_search_base: ou=users,dc=location,dc=com
ldap_debug: 5000
ldap_timeout: 15 # tried multiple values here too
ldap_time_limit: 15 # tried multiple values here too


IMAPD.CONF

configdirectory: /export/cyrus/imap
partition-default: /export/cyrus/spool/imap
admins: admin
#sasl_pwcheck_method: pam

tls_cert_file: /export/cyrus/server.pem
tls_key_file: /export/cyrus/server.pem

allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: localhost
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
#sievedir: /usr/sieve
#sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5

# Get rid of folders as subfolders of INBOX
altnamespace: yes
unixhierarchysep: yes
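One way to triage this from the saslauthd log, as an added example that is not part of the original post: a small Python script that separates AUTHFAILs preceded by the "Entry not found or more than one entries found" message (the LDAP search returned zero or several entries, so no bind was ever attempted) from AUTHFAILs without it (for example a rejected bind password). The sample log lines are constructed; only the two quoted in the post are real.

```python
import re
from collections import defaultdict

# Constructed sample of saslauthd syslog output. The first two lines are the
# ones quoted in the post; the rest are made up to show both failure kinds.
SAMPLE_LOG = """\
Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
Sep 20 16:55:02 servername saslauthd[341]: AUTHFAIL: user=batman service=imap realm=
Sep 20 16:58:10 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:58:10 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
"""

# saslauthd's ldap backend emits this line when the search for the uid
# does not return exactly one entry.
LOOKUP_RE = re.compile(
    r"saslauthd\[\d+\]: Entry not found or more than one entries found \(uid=([^)]+)\)\."
)
# Generic failure line; printed for lookup failures and bind failures alike.
AUTHFAIL_RE = re.compile(
    r"saslauthd\[\d+\]: AUTHFAIL: user=(\S+) service=(\S+) realm=(\S*)"
)


def classify_authfails(log_text):
    """Return {user: {"lookup": n, "other": n}} from saslauthd log text.

    An AUTHFAIL immediately preceded by a lookup-error line for the same
    uid is counted as a directory lookup failure; any other AUTHFAIL is
    counted as "other" (e.g. the bind itself was rejected).
    """
    counts = defaultdict(lambda: {"lookup": 0, "other": 0})
    pending = None  # uid from the last lookup-error line not yet consumed
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = AUTHFAIL_RE.search(line)
        if m:
            user = m.group(1)
            kind = "lookup" if pending == user else "other"
            counts[user][kind] += 1
            pending = None
    return dict(counts)


def suspect_directory_users(counts):
    """Users whose failures came from the LDAP search, not a bad password."""
    return sorted(u for u, c in counts.items() if c["lookup"] > 0)
```

Run it over a real log with `classify_authfails(open("/var/log/messages").read())`; a user who only ever appears under "lookup" while still logging in at other times points at the search (base DN, filter, or server state) rather than at the credentials.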