disallow bind_anon creates problem in cyrus

JOYDEEP j.bakshi at unlimitedmail.org
Wed Mar 21 04:14:44 EST 2007


Michael Menge wrote:
> If you use pam, you have to set the binddn and bindpw in /etc/ldap.conf
OK. Should I copy these from slapd.conf?

>
> Quoting JOYDEEP <j.bakshi at unlimitedmail.org>:
>
>> Roland Felnhofer wrote:
>>> Hi,
>>>
>>> hmm, let me guess - you are running saslauthd with -a PAM?!
>>>
>>> try running it     /usr/sbin/saslauthd -a ldap
>>> no need (with a more or less up-to-date version of saslauthd) to do it
>>> via PAM - use LDAP directly. Less layers less potential problems.
>>>
>>> What log entry and result do you get by executing:
>>>    ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D
>>> cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
>> Dear friend Roland,
>> Thanks a lot for pointing out the problem.  with *disallow bind_anon* I
>> can successfully log in by executing */usr/sbin/saslauthd -a ldap*
>> Thanks a lot. But my saslauthd is configured to support both pam and
>> ldap. It is required to access cyrus admin as it is based on pam.
>> You can check my /etc/pam.d/imap
>> -----------------------------------------
>> auth       sufficient   /lib/security/pam_ldap.so
>> auth       required     /lib/security/pam_unix.so try_first_pass
>> account    sufficient   /lib/security/pam_ldap.so
>> account    required     /lib/security/pam_unix.so
>> ------------------------------------------------------------
>>
>> So based on this configuration both pam and ldap authentication is
>> working except the *disallow bind_anon* in cyrus.
>> but *disallow bind_anon* is working well with my present config with
>> ldapsearch. So I have to fix this cyrus issue here.
>> Could you suggest any alternative please?
>> Thanks and have a great day.
>>>
>>> Best regards
>>> Roland
>>>
>>> JOYDEEP wrote:
>>>> Roland Felnhofer wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> that should give you a hint:
>>>>>
>>>>>
>>>>>        saslauthd.conf
>>>>>
>>>>> ldap_servers: ldap://127.0.0.1
>>>>> ldap_search_base: ou=people,dc=example,dc=com
>>>>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>>>> ldap_password: password
>>>>> ldap_scope: one
>>>>> ldap_uidattr: uid
>>>>> ldap_filter_mode:  yes
>>>>> ldap_filter: uid=%u
>>>>>
>>>>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>>>>> ldap_password) should be sufficient.
>>>>>
>>>>>
>>>> Dear Roland, thanks for your response.
>>>> I already have the following entries in my saslauthd.conf
>>>> ---------------------------------------------------------------------
>>>> ldap_servers: ldap://localhost:389
>>>> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>>>> ldap_bind_pw: secret
>>>> ldap_search_base:  ou=Users,dc=kolkatainfoservices,dc=in
>>>> ldap_version: 3
>>>> ldap_filter: uid=%U
>>>> ldap_default_domain: kolkatainfoservices.in
>>>> --------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> But I am having a problem with *disallow bind_anon*. I have also checked the
>>>> settings you have suggested,
>>>> like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes, but
>>>> no success yet.
>>>>
>>>> executing cyradm with valid user (in LDAP) and password reports
>>>> ----------------------------------------------------
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
>>>> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid) index_param failed (18)
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
>>>> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid credentials)
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
>>>> Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>> Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
>>>> ------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> Could you kindly help me to fix the problem, as my system has a security
>>>> risk until I stop the anonymous user login.
>>>> Thanks
>>>>
>>>>
>>>>> Best regards
>>>>> Roland
>>>>>
>>>>>
>>>>> JOYDEEP wrote:
>>>>>
>>>>>> Dear list,
>>>>>>
>>>>>> to secure my ldap server I have added the line "disallow
>>>>>> bind_anon" in
>>>>>> slapd.conf.
>>>>>> I have checked by "ldapsearch" command and now my ldap doesn't allow
>>>>>> anonymous bind.
>>>>>> But I now have a problem using cyrus as it is also based on LDAP
>>>>>> authentication.
>>>>>> I can't log in to cyrus with the correct userid and passwd, but if I
>>>>>> disable
>>>>>> the "disallow bind_anon" I can again use cyrus.
>>>>>>
>>>>>> Could anyone kindly suggest how to fix it?
>>>>>>
>>>>>> here is my /etc/imapd.conf
>>>>>>
>>>>>> ==============================================================
>>>>>> configdirectory: /var/lib/imap
>>>>>> partition-default: /var/spool/imap
>>>>>> sievedir: /var/lib/sieve
>>>>>> admins: cyrus
>>>>>> allowplaintext: yes
>>>>>> sasl_mech_list: LOGIN PLAIN
>>>>>> allowanonymouslogin: no
>>>>>> autocreatequota: 10000
>>>>>> reject8bit: no
>>>>>> quotawarn: 90
>>>>>> timeout: 30
>>>>>> poptimeout: 10
>>>>>> dracinterval: 0
>>>>>> drachost: localhost
>>>>>> sasl_pwcheck_method: saslauthd
>>>>>> servername:linux.kolkatainfoservices.in
>>>>>> lmtp_overquota_perm_failure: no
>>>>>> lmtp_downcase_rcpt: yes
>>>>>> unixhierarchysep:  yes
>>>>>> loginrealms:   kolkatainfoservices.in
>>>>>> hashimapspool: true
>>>>>> lmtpsocket:  /var/lib/imap/socket/lmtp
>>>>>> ==============================
>>>>>>
>>>>>> ----
>>>>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>>>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>>>
>>>>
>>>>
>>
>>
>
>
>
> --------------------------------------------------------------------------------
>
> M.Menge                                 Tel.: (49) 7071/29-70316
> Universitaet Tuebingen                  Fax.: (49) 7071/29-5912
> Zentrum fuer Datenverarbeitung          mail:
> michael.menge at zdv.uni-tuebingen.de
> Waechterstrasse 76
> 72074 Tuebingen
> ------------------------------------------------------------------------
>
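As an added example (not code from the thread), here is a small Python check that pairs slapd BIND/RESULT lines in the format quoted above to list the anonymous binds the server still accepts, and reports whether a pam_ldap /etc/ldap.conf carries the binddn/bindpw Michael mentions. The log sample and the example.com names are constructed.

```python
import re

# Constructed sample in the slapd syslog format quoted in the thread (example.com names).
SAMPLE_LOG = """\
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=alice,ou=Users,dc=example,dc=com" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
Mar 20 14:52:07 linux slapd[20480]: conn=2 op=0 BIND dn="cn=proxyagent,dc=example,dc=com" method=128
Mar 20 14:52:07 linux slapd[20480]: conn=2 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
# tag=97 is the LDAP BindResponse, so "SEARCH RESULT tag=101" lines are skipped.
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

def bind_summary(log_text):
    """Pair every BIND with its RESULT -> [{conn, op, dn, err}, ...].
    dn == "" is an anonymous bind; err=0 accepted, err=49 invalidCredentials,
    err=48 inappropriateAuthentication (what 'disallow bind_anon' returns)."""
    pending, binds = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[(conn, op)] = {"conn": int(conn), "op": int(op), "dn": dn, "err": None}
            continue
        m = BIND_RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            rec = pending.pop((conn, op), None)
            if rec is not None:       # ignore results for binds we never saw
                rec["err"] = int(err)
                binds.append(rec)
    return binds

def accepted_anonymous_binds(log_text):
    """Anonymous binds slapd accepted; empty once bind_anon is disallowed."""
    return [b for b in bind_summary(log_text) if b["dn"] == "" and b["err"] == 0]

def missing_bind_settings(ldap_conf_text):
    """Which of binddn/bindpw are absent from a pam_ldap /etc/ldap.conf."""
    keys = set()
    for raw in ldap_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if line:
            keys.add(line.split(None, 1)[0].lower())
    return [k for k in ("binddn", "bindpw") if k not in keys]
```

Run it over a slapd log after enabling `disallow bind_anon`: any entry left in `accepted_anonymous_binds` identifies a connection whose client (pam_ldap, in the thread's case) still depends on anonymous access.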


