disallow bind_anon creates problem in cyrus

Roland Felnhofer roland.felnhofer at chello.at
Thu Mar 22 17:18:59 EST 2007


Hi,

FIRST: Please buy a Linux book and read it!!

http://www.oreilly.com/catalog/runlinux5/inx.html
http://www.oreilly.com/catalog/linuxss2/inx.html
http://www.oreilly.com/catalog/linuxckbk/inx.html
http://www.oreilly.com/catalog/esapr/inx.html
http://www.oreilly.com/catalog/linag3/inx.html

> But my saslauthd is configured to support both pam and
> ldap
Hint: Actually saslauthd does not "support" PAM and LDAP as a "provider";
it's a "user" of these services as its authentication source. PAM in turn
uses other sources as its authentication source (passwd, shadow,
LDAP, ...).

To find out what I meant with that and how it affects you, consult the
books I recommended buying.

Best regards
Roland

JOYDEEP wrote:
> Roland Felnhofer wrote:
>> Hi,
>>
>> hmm, let me guess - you are running saslauthd with -a PAM?!
>>
>> try running it     /usr/sbin/saslauthd -a ldap
>> no need (with a more or less up-to-date version of saslauthd) to do it
>> via PAM - use LDAP directly. Fewer layers, fewer potential problems.
>>
>> What log entry and result do you get by executing:
>>    ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D
>> cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
> Dear friend Roland,
> Thanks a lot for pointing out the problem. With *disallow bind_anon* I
> can successfully log in by executing */usr/sbin/saslauthd -a ldap*
> Thanks a lot. But my saslauthd is configured to support both pam and
> ldap. It is required to access cyrus admin as it is based on pam.
> You can check my /etc/pam.d/imap
> -----------------------------------------
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix.so try_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix.so
> ------------------------------------------------------------
>
> So based on this configuration both pam and ldap authentication are
> working except for the *disallow bind_anon* in cyrus.
> But *disallow bind_anon* is working well with my present config with
> ldapsearch. So I have to fix this cyrus issue here.
> Could you suggest any alternative please?
> Thanks and have a great day.

>> Best regards
>> Roland
>>
>> JOYDEEP wrote:
>>> Roland Felnhofer wrote:
>>>> Hi,
>>>>
>>>> that should give you a hint:
>>>>
>>>>
>>>>        saslauthd.conf
>>>>
>>>> ldap_servers: ldap://127.0.0.1
>>>> ldap_search_base: ou=people,dc=example,dc=com
>>>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>>> ldap_password: password
>>>> ldap_scope: one
>>>> ldap_uidattr: uid
>>>> ldap_filter_mode:  yes
>>>> ldap_filter: uid=%u
>>>>
>>>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>>>> ldap_password) should be sufficient.
>>>>

>>> Dear Roland, thanks for your response.
>>> I already have the following entries in my saslauthd.conf
>>> ---------------------------------------------------------------------
>>> ldap_servers: ldap://localhost:389
>>> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>>> ldap_bind_pw: secret
>>> ldap_search_base:  ou=Users,dc=kolkatainfoservices,dc=in
>>> ldap_version: 3
>>> ldap_filter: uid=%U
>>> ldap_default_domain: kolkatainfoservices.in
>>> ------------------------------------------------------------------------
>>>
>>>
>>> But I am having a problem with *disallow bind_anon*. I have also checked the
>>> settings you have suggested
>>> like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes, but
>>> no success yet.
>>>
>>> executing cyradm with valid user (in LDAP) and password reports
>>> ----------------------------------------------------
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from
>>> IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0
>>> text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH
>>> base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0
>>> filter="(uid=aftab)"
>>> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid)
>>> index_param failed (18)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101
>>> err=0 nentries=1 text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND
>>> dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
>>> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind
>>> as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid
>>> credentials)
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49
>>> text=
>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
>>> Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure:
>>> [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>> Mar 20 14:52:06 linux imap[20519]: badlogin:
>>> linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13):
>>> authentication failure: checkpass failed
>>> ------------------------------------------------------------------------------
>>>
>>>
>>> Could you kindly help me to fix the problem, as my system has a security
>>> risk until I stop the anonymous user login.
>>> Thanks
>>>
>>>> Best regards
>>>> Roland
>>>>
>>>>
>>>> JOYDEEP wrote:
>>>>> Dear list,
>>>>>
>>>>> to secure my ldap server I have added the line "disallow bind_anon" in
>>>>> slapd.conf.
>>>>> I have checked by "ldapsearch" command and now my ldap doesn't allow
>>>>> anonymous bind.
>>>>> But I now have a problem using cyrus as it is also based on LDAP
>>>>> authentication.
>>>>> I can't log in to cyrus with the correct userid and passwd, but if I
>>>>> disable
>>>>> the "disallow bind_anon" I can again use cyrus.
>>>>>
>>>>> Could anyone kindly suggest how to fix it?
>>>>>
>>>>> here is my /etc/imapd.conf
>>>>>
>>>>> ======================================================================
>>>>> configdirectory: /var/lib/imap
>>>>> partition-default: /var/spool/imap
>>>>> sievedir: /var/lib/sieve
>>>>> admins: cyrus
>>>>> allowplaintext: yes
>>>>> sasl_mech_list: LOGIN PLAIN
>>>>> allowanonymouslogin: no
>>>>> autocreatequota: 10000
>>>>> reject8bit: no
>>>>> quotawarn: 90
>>>>> timeout: 30
>>>>> poptimeout: 10
>>>>> dracinterval: 0
>>>>> drachost: localhost
>>>>> sasl_pwcheck_method: saslauthd
>>>>> servername:linux.kolkatainfoservices.in
>>>>> lmtp_overquota_perm_failure: no
>>>>> lmtp_downcase_rcpt: yes
>>>>> unixhierarchysep:  yes
>>>>> loginrealms:   kolkatainfoservices.in
>>>>> hashimapspool: true
>>>>> lmtpsocket:  /var/lib/imap/socket/lmtp
>>>>> ==============================
>>>>>
>>>>> ----
>>>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
