disallow bind_anon creates problem in cyrus

Michael Menge michael.menge at zdv.uni-tuebingen.de
Wed Mar 21 02:51:17 EST 2007


If you use pam, you have to set the binddn and bindpw in /etc/ldap.conf

Quoting JOYDEEP <j.bakshi at unlimitedmail.org>:

> Roland Felnhofer wrote:
>> Hi,
>>
>> hmm, let me guess - you are running saslauthd with -a PAM?!
>>
>> try running it     /usr/sbin/saslauthd -a ldap
>> no need (with a more or less up-to-date version of saslauthd) to do it
>> via PAM - use LDAP directly. Fewer layers, fewer potential problems.
>>
>> What log entry and result do you get by executing:
>>    ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
> Dear friend Roland,
> Thanks a lot for pointing out the problem. With *disallow bind_anon* I
> can successfully log in by executing */usr/sbin/saslauthd -a ldap*
> Thanks a lot. But my saslauthd is configured to support both pam and
> ldap. It is required to access cyrus admin as it is based on pam.
> You can check my /etc/pam.d/imap
> -----------------------------------------
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix.so try_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix.so
> ------------------------------------------------------------
>
> So based on this configuration both pam and ldap authentication are
> working except the *disallow bind_anon* in cyrus.
> But *disallow bind_anon* is working well with my present config with
> ldapsearch. So I have to fix this cyrus issue here.
> Could you suggest any alternative please?
> Thanks and have a great day.
>>
>> Best regards
>> Roland
>>
>> JOYDEEP wrote:
>>> Roland Felnhofer wrote:
>>>
>>>> Hi,
>>>>
>>>> that should give you a hint:
>>>>
>>>>
>>>>        saslauthd.conf
>>>>
>>>> ldap_servers: ldap://127.0.0.1
>>>> ldap_search_base: ou=people,dc=example,dc=com
>>>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>>> ldap_password: password
>>>> ldap_scope: one
>>>> ldap_uidattr: uid
>>>> ldap_filter_mode:  yes
>>>> ldap_filter: uid=%u
>>>>
>>>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>>>> ldap_password) should be sufficient.
>>>>
>>>>
>>> Dear Roland, thanks for your response.
>>> I already have the following entries in my saslauthd.conf
>>> ---------------------------------------------------------------------
>>> ldap_servers: ldap://localhost:389
>>> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>>> ldap_bind_pw: secret
>>> ldap_search_base:  ou=Users,dc=kolkatainfoservices,dc=in
>>> ldap_version: 3
>>> ldap_filter: uid=%U
>>> ldap_default_domain: kolkatainfoservices.in
>>> --------------------------------------------------------------------------
>>>
>>>
>>> But having a problem with *disallow bind_anon*. I have also checked the
>>> settings you have suggested
>>> like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes, but
>>> no success yet.
>>>
>>> executing cyradm with valid user (in LDAP) and password reports
>>> ----------------------------------------------------
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
>>> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid) index_param failed (18)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
>>> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid credentials)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
>>> Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>> Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
>>> ------------------------------------------------------------------------------
>>>
>>>
>>> Could you kindly help me fix the problem, as my system has a security
>>> risk until I stop the anonymous user login.
>>> Thanks
>>>
>>>
>>>> Best regards
>>>> Roland
>>>>
>>>>
>>>> JOYDEEP wrote:
>>>>
>>>>> Dear list,
>>>>>
>>>>> to secure my ldap server I have added the line "disallow bind_anon" in
>>>>> slapd.conf.
>>>>> I have checked by "ldapsearch" command and now my ldap doesn't allow
>>>>> anonymous bind.
>>>>> But I now have a problem using cyrus as it is also based on LDAP
>>>>> authentication.
>>>>> I can't log in to cyrus with the correct userid and passwd, but if I
>>>>> disable
>>>>> the "disallow bind_anon" I can again use cyrus.
>>>>>
>>>>> Could anyone kindly suggest how to fix it?
>>>>>
>>>>> here is my /etc/imapd.conf
>>>>>
>>>>> ==============================================================
>>>>> configdirectory: /var/lib/imap
>>>>> partition-default: /var/spool/imap
>>>>> sievedir: /var/lib/sieve
>>>>> admins: cyrus
>>>>> allowplaintext: yes
>>>>> sasl_mech_list: LOGIN PLAIN
>>>>> allowanonymouslogin: no
>>>>> autocreatequota: 10000
>>>>> reject8bit: no
>>>>> quotawarn: 90
>>>>> timeout: 30
>>>>> poptimeout: 10
>>>>> dracinterval: 0
>>>>> drachost: localhost
>>>>> sasl_pwcheck_method: saslauthd
>>>>> servername:linux.kolkatainfoservices.in
>>>>> lmtp_overquota_perm_failure: no
>>>>> lmtp_downcase_rcpt: yes
>>>>> unixhierarchysep:  yes
>>>>> loginrealms:   kolkatainfoservices.in
>>>>> hashimapspool: true
>>>>> lmtpsocket:  /var/lib/imap/socket/lmtp
>>>>> ==============================
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ----
>>>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>>
>>>
>>>
>



--------------------------------------------------------------------------------
M.Menge                                 Tel.: (49) 7071/29-70316
Universitaet Tuebingen                  Fax.: (49) 7071/29-5912
Zentrum fuer Datenverarbeitung          mail: michael.menge at zdv.uni-tuebingen.de
Waechterstrasse 76
72074 Tuebingen
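The slapd lines quoted in this thread show the two-step pattern pam_ldap follows: a bind with an empty DN (anonymous) to search for the user's entry, then a simple bind (method=128) as that entry. The script below is an added example, not code from this thread or from the Cyrus or OpenLDAP projects. It parses slapd stats-level log lines, pairs each BIND with its RESULT (bind responses carry tag=97) and reports anonymous binds the server accepted, user binds rejected with err=49, and binds that never got a result. The sample log is the thread's own output rejoined onto single lines; the record fields and summary keys are my own naming.

```python
"""Audit OpenLDAP slapd log lines for anonymous and failed simple binds.

Added example (not from the mailing-list thread). Feed it the output of
slapd running with loglevel "stats"; the sample below is constructed from
the log quoted in the thread, rejoined onto single lines.
"""
import re

SAMPLE_LOG = """\
Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
"""

# LDAP result codes used below (RFC 4511).
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the BindResponse tag, so this only matches results of BIND ops
# (a SEARCH RESULT line carries tag=101 and the word SEARCH, so it won't match).
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def parse_binds(log_text):
    """Return bind records as dicts: conn, op, dn, method, err, client.

    err is None when no RESULT line for that operation was seen.
    """
    clients = {}   # conn id -> client IP from the ACCEPT line
    binds = {}     # (conn, op) -> record, in order of appearance
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            binds[(conn, op)] = {"conn": conn, "op": op, "dn": dn,
                                 "method": int(method), "err": None,
                                 "client": clients.get(conn, "?")}
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in binds:
            binds[(m.group(1), m.group(2))]["err"] = int(m.group(3))
    return list(binds.values())


def summarize(binds):
    """Count anonymous binds (empty DN), those the server accepted,
    failed user binds, and binds with no recorded result."""
    summary = {"anonymous_total": 0, "anonymous_accepted": 0,
               "failed": [], "pending": 0}
    for b in binds:
        if b["dn"] == "":
            summary["anonymous_total"] += 1
            if b["err"] == LDAP_SUCCESS:
                summary["anonymous_accepted"] += 1
        elif b["err"] == LDAP_INVALID_CREDENTIALS:
            summary["failed"].append((b["client"], b["dn"]))
        if b["err"] is None:
            summary["pending"] += 1
    return summary


if __name__ == "__main__":
    s = summarize(parse_binds(SAMPLE_LOG))
    print("anonymous binds:", s["anonymous_total"],
          "accepted:", s["anonymous_accepted"])
    for client, dn in s["failed"]:
        print("failed simple bind from", client, "as", dn)
    print("binds without a result line:", s["pending"])
```

An accepted anonymous bind (err=0 on a dn="" BIND) after you believe `disallow bind_anon` is in force tells you the directory you are watching does not have that setting active, which is worth confirming from the log rather than from slapd.conf alone. The method=128 field also records that these are simple binds, i.e. the password travels in the clear unless the connection is wrapped in TLS; here the client is 127.0.0.1, so it never left the host.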