disallow bind_anon creates problem in cyrus

Roland Felnhofer roland.felnhofer at chello.at
Tue Mar 20 07:30:53 EST 2007


Hi,

hmm, let me guess - you are running saslauthd with -a PAM?!

try running it     /usr/sbin/saslauthd -a ldap
no need (with a more or less up-to-date version of saslauthd) to do it
via PAM - use LDAP directly. Fewer layers, fewer potential problems.

What log entry and result do you get by executing:
    ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab

Best regards
Roland

JOYDEEP wrote:
> Roland Felnhofer wrote:
>
>> Hi,
>>
>> that should give you a hint:
>>
>>
>>        saslauthd.conf
>>
>> ldap_servers: ldap://127.0.0.1
>> ldap_search_base: ou=people,dc=example,dc=com
>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>> ldap_password: password
>> ldap_scope: one
>> ldap_uidattr: uid
>> ldap_filter_mode:  yes
>> ldap_filter: uid=%u
>>
>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>> ldap_password) should be sufficient.
>>
>>
> Dear Roland, thanks for your response.
> I already have the following entries in my saslauthd.conf
> ---------------------------------------------------------------------
> ldap_servers: ldap://localhost:389
> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
> ldap_bind_pw: secret
> ldap_search_base:  ou=Users,dc=kolkatainfoservices,dc=in
> ldap_version: 3
> ldap_filter: uid=%U
> ldap_default_domain: kolkatainfoservices.in
> --------------------------------------------------------------------------
>
> But I am having a problem with  *disallow bind_anon*. I have also checked the
> settings you have suggested
> like  ldap_scope: one, ldap_uidattr: uid , ldap_filter_mode:  yes, but
> no success yet.
>
> executing cyradm with valid user (in LDAP) and password reports
> ----------------------------------------------------
> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid) index_param failed (18)
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid credentials)
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
> Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
> Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
> ------------------------------------------------------------------------------
>
> could you kindly help me to fix the problem, as my system has a security
> risk until I stop the anonymous user login.
> thanks
>
>
>> Best regards
>> Roland
>>
>>
>> JOYDEEP wrote:
>>
>>> Dear list,
>>>
>>> to secure my ldap server I have added the line "disallow bind_anon" in
>>> slapd.conf.
>>> I have checked with the "ldapsearch" command and now my ldap doesn't allow
>>> anonymous bind.
>>> But I now have a problem using cyrus as it is also based on LDAP
>>> authentication.
>>> I can't log in to cyrus with a correct userid and passwd, but if I disable
>>> the "disallow bind_anon"   I can again use cyrus.
>>>
>>> Could any one kindly suggest to me how to fix it ?
>>>
>>> here is my /etc/imapd.conf
>>>
>>> ==============================================================
>>> configdirectory: /var/lib/imap
>>> partition-default: /var/spool/imap
>>> sievedir: /var/lib/sieve
>>> admins: cyrus
>>> allowplaintext: yes
>>> sasl_mech_list: LOGIN PLAIN
>>> allowanonymouslogin: no
>>> autocreatequota: 10000
>>> reject8bit: no
>>> quotawarn: 90
>>> timeout: 30
>>> poptimeout: 10
>>> dracinterval: 0
>>> drachost: localhost
>>> sasl_pwcheck_method: saslauthd
>>> servername:linux.kolkatainfoservices.in
>>> lmtp_overquota_perm_failure: no
>>> lmtp_downcase_rcpt: yes
>>> unixhierarchysep:  yes
>>> loginrealms:   kolkatainfoservices.in
>>> hashimapspool: true
>>> lmtpsocket:  /var/lib/imap/socket/lmtp
>>> ==============================
>>>
>>> ----
>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>
>
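The slapd trace quoted in this thread shows the sequence pam_ldap performs on the server side: an anonymous BIND (dn=""), a SRCH for the uid, and then a BIND as the DN that the search returned. As an added example that is not part of this thread or of the Cyrus/saslauthd code, the following Python script parses exactly those log lines (embedded below, decoded from the archive's quoted-printable encoding and re-joined one entry per line), attaches each RESULT to its BIND or SRCH by conn/op number, and reports every anonymous bind with its outcome, every bind refused with err=49, and every anonymous-bind/search/bind sequence. Reading a production slapd log this way shows an administrator which client path still depends on anonymous access before "disallow bind_anon" is switched on; the function names, the regular expressions and the output format are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd/saslauthd/imap lines quoted in this thread,
# decoded from quoted-printable and re-joined one log entry per line.
SAMPLE_LOG = """\
Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid) index_param failed (18)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid credentials)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
"""

# The three slapd "stats" line types this example cares about (regexes are ours).
BIND_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SRCH_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)')


def parse_slapd(lines):
    """Group slapd operations by connection: {conn: {op: {...}}}.

    A RESULT line carries the outcome (err=N) of the BIND or SRCH that has
    the same conn/op numbers, so it is attached to that earlier operation.
    Lines from other daemons (saslauthd, imap) do not match and are skipped.
    """
    conns = defaultdict(dict)
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            conns[conn][int(op)] = {"kind": "BIND", "dn": dn, "method": int(method), "err": None}
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, filt = m.groups()
            conns[conn][int(op)] = {"kind": "SRCH", "base": base, "filter": filt, "err": None}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            entry = conns[conn].get(int(op))
            if entry is not None:
                entry["err"] = int(err)
    return conns


def audit(conns):
    """Return (conn, op, description, outcome) for every anonymous bind and
    every bind refused with err=49 (invalidCredentials), in log order.

    An anonymous bind that is ACCEPTED (err=0) means some client still relies
    on anonymous access; once slapd refuses anonymous binds the same client's
    search-then-bind sequence fails at its first step.
    """
    findings = []
    for conn in sorted(conns, key=int):
        ops = conns[conn]
        for op in sorted(ops):
            e = ops[op]
            if e["kind"] != "BIND":
                continue
            if e["err"] is None:
                outcome = "NO RESULT"      # no RESULT line seen for this op
            elif e["err"] == 0:
                outcome = "ACCEPTED"
            else:
                outcome = "REFUSED(err=%d)" % e["err"]
            if e["dn"] == "":
                findings.append((conn, op, "anonymous bind", outcome))
            elif e["err"] == 49:
                findings.append((conn, op, "invalid credentials for %s" % e["dn"], outcome))
    return findings


def search_then_bind_sequences(conns):
    """Return (search filter, bound DN) pairs where an anonymous bind was
    followed directly by a search and then a bind as a found entry: the
    pattern a proxy ldap_bind_dn in saslauthd.conf is meant to replace."""
    seqs = []
    for ops in conns.values():
        order = sorted(ops)
        for i in range(len(order) - 2):
            a, b, c = ops[order[i]], ops[order[i + 1]], ops[order[i + 2]]
            if a["kind"] == "BIND" and a["dn"] == "" and b["kind"] == "SRCH" \
                    and c["kind"] == "BIND" and c["dn"]:
                seqs.append((b["filter"], c["dn"]))
    return seqs


if __name__ == "__main__":
    parsed = parse_slapd(SAMPLE_LOG.splitlines())
    for conn, op, what, outcome in audit(parsed):
        print("conn=%s op=%d %-60s %s" % (conn, op, what, outcome))
    for filt, dn in search_then_bind_sequences(parsed):
        print("search-then-bind: %s -> %s" % (filt, dn))
```

Run against a real log with `parse_slapd(open("/var/log/slapd.log").read().splitlines())`; slapd has to be logging at the "stats" level for the BIND/SRCH/RESULT lines to exist. On the thread's trace the script reports the accepted anonymous bind at op=0, the refused user bind at op=2 and a second anonymous bind at op=3 with no result line, which is the information needed to decide whether the failure is the anonymous search step or the user's password.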
