disallow bind_anon creates problem in cyrus

JOYDEEP j.bakshi at unlimitedmail.org
Wed Mar 21 01:07:28 EST 2007


Roland Felnhofer wrote:
> Hi,
>
> hmm, let me guess - you are running saslauthd with -a PAM?!
>
> try running it: /usr/sbin/saslauthd -a ldap
> no need (with a more or less up-to-date version of saslauthd) to do it
> via PAM - use LDAP directly. Less layers less potential problems.
>
> What log entry and result do you get by executing:
>    ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D
> cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
Dear friend Roland,
Thanks a lot for pointing out the problem. With *disallow bind_anon* I
can successfully log in by executing */usr/sbin/saslauthd -a ldap*.
Thanks a lot. But my saslauthd is configured to support both PAM and
LDAP; it is required to access cyrus admin as it is based on PAM.
You can check my /etc/pam.d/imap:
-----------------------------------------
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so
------------------------------------------------------------

So based on this configuration both PAM and LDAP authentication are
working, except for *disallow bind_anon* in cyrus.
But *disallow bind_anon* is working well with my present config with
ldapsearch. So I have to fix this cyrus issue here.
Could you suggest any alternative, please?
Thanks, and have a great day.
>
> Best regards
> Roland
>
> JOYDEEP wrote:
>> Roland Felnhofer wrote:
>>
>>> Hi,
>>>
>>> that should give you a hint:
>>>
>>>
>>>        saslauthd.conf
>>>
>>> ldap_servers: ldap://127.0.0.1
>>> ldap_search_base: ou=people,dc=example,dc=com
>>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>> ldap_password: password
>>> ldap_scope: one
>>> ldap_uidattr: uid
>>> ldap_filter_mode:  yes
>>> ldap_filter: uid=%u
>>>
>>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>>> ldap_password) should be sufficient.
>>>
>>>
>> Dear Roland, thanks for your response.
>> I already have the following entries in my saslauthd.conf:
>> ---------------------------------------------------------------------
>> ldap_servers: ldap://localhost:389
>> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>> ldap_bind_pw: secret
>> ldap_search_base:  ou=Users,dc=kolkatainfoservices,dc=in
>> ldap_version: 3
>> ldap_filter: uid=%U
>> ldap_default_domain: kolkatainfoservices.in
>> --------------------------------------------------------------------------
>>
>>
>> But I am having a problem with *disallow bind_anon*. I have also checked the
>> settings you have suggested,
>> like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes, but
>> no success yet.
>>
>> Executing cyradm with a valid user (in LDAP) and password reports:
>> ----------------------------------------------------
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from
>> IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0
>> text=
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH
>> base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0
>> filter="(uid=aftab)"
>> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid)
>> index_param failed (18)
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101
>> err=0 nentries=1 text=
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND
>> dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
>> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind
>> as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid
>> credentials)
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49
>> text=
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
>> Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure:
>> [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>> Mar 20 14:52:06 linux imap[20519]: badlogin:
>> linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13):
>> authentication failure: checkpass failed
>> ------------------------------------------------------------------------------
>>
>>
>> Could you kindly help me to fix the problem, as my system has a security
>> risk until I stop the anonymous user login?
>> Thanks
>>
>>
>>> Best regards
>>> Roland
>>>
>>>
>>> JOYDEEP wrote:
>>>
>>>> Dear list,
>>>>
>>>> to secure my ldap server I have added the line "disallow bind_anon" in
>>>> slapd.conf.
>>>> I have checked with the "ldapsearch" command and now my ldap doesn't allow
>>>> anonymous bind.
>>>> But I now have a problem using cyrus as it is also based on LDAP
>>>> authentication.
>>>> I can't log in to cyrus with the correct userid and passwd, but if I
>>>> disable the "disallow bind_anon" I can again use cyrus.
>>>>
>>>> Could anyone kindly suggest how to fix it?
>>>>
>>>> Here is my /etc/imapd.conf:
>>>>
>>>> ==============================================================
>>>> configdirectory: /var/lib/imap
>>>> partition-default: /var/spool/imap
>>>> sievedir: /var/lib/sieve
>>>> admins: cyrus
>>>> allowplaintext: yes
>>>> sasl_mech_list: LOGIN PLAIN
>>>> allowanonymouslogin: no
>>>> autocreatequota: 10000
>>>> reject8bit: no
>>>> quotawarn: 90
>>>> timeout: 30
>>>> poptimeout: 10
>>>> dracinterval: 0
>>>> drachost: localhost
>>>> sasl_pwcheck_method: saslauthd
>>>> servername:linux.kolkatainfoservices.in
>>>> lmtp_overquota_perm_failure: no
>>>> lmtp_downcase_rcpt: yes
>>>> unixhierarchysep:  yes
>>>> loginrealms:   kolkatainfoservices.in
>>>> hashimapspool: true
>>>> lmtpsocket:  /var/lib/imap/socket/lmtp
>>>> ==============================
>>>>
>>>> ----
>>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

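The slapd log quoted in the thread is where you can confirm whether anonymous binds are still being accepted after adding `disallow bind_anon`. The following is an added example, not code from the thread or from Cyrus/OpenLDAP: a small Python parser that pairs each simple BIND with the RESULT on the same conn/op and flags anonymous binds (dn="") that returned err=0. The sample lines are constructed from the quoted log with the mail wrapping removed, plus one constructed record for op=3 that assumes a rejected anonymous bind is logged as err=48 (inappropriateAuthentication).

```python
import re

# Constructed sample: the slapd lines quoted in the thread, unwrapped onto one
# line each, plus a constructed final record (op=3) showing an anonymous bind
# rejected under disallow bind_anon (assumed: err=48 inappropriateAuthentication).
SAMPLE_LOG = """\
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 RESULT tag=97 err=48 text=anonymous bind disallowed
"""

# method=128 is a simple bind; tag=97 is a bindResponse, so SEARCH RESULT (tag=101) never pairs.
BIND_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')
RESULT_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

def audit_binds(log_text):
    """Pair every simple BIND with the RESULT carrying the same conn/op."""
    pending = {}  # (conn, op) -> dn, for binds whose result has not arrived yet
    events = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            events.append({"conn": m.group(1), "op": m.group(2), "dn": dn,
                           "anonymous": dn == "", "err": int(m.group(3))})
    return events

def accepted_anonymous_binds(events):
    """Anonymous binds answered with err=0: the server still allows them."""
    return [e for e in events if e["anonymous"] and e["err"] == 0]

def failed_user_binds(events):
    """Named binds rejected with err=49 (invalidCredentials), as for uid=aftab."""
    return [e for e in events if not e["anonymous"] and e["err"] == 49]

if __name__ == "__main__":
    ev = audit_binds(SAMPLE_LOG)
    for e in accepted_anonymous_binds(ev):
        print(f"conn={e['conn']} op={e['op']}: anonymous bind still ACCEPTED")
```

Run it against a real slapd log with `loglevel stats` to see whether the PAM path (pam_ldap's anonymous search bind) is still getting err=0, or whether only the named service bind from saslauthd's ldap backend appears.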


More information about the Info-cyrus mailing list