Re: disallow bind_anon creates problem in cyrus

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Roland Felnhofer wrote:
> Hi,
>
> that should give you a hint:
>
>
>        saslauthd.conf
>
> ldap_servers: ldap://127.0.0.1
> ldap_search_base: ou=people,dc=example,dc=com
> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
> ldap_password: password
> ldap_scope: one
> ldap_uidattr: uid
> ldap_filter_mode:  yes
> ldap_filter: uid=%u
>
> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
> ldap_password) should be sufficient.
>
Dear Roland, thanks for your response.
I already have the following entries in my saslauthd.conf
---------------------------------------------------------------------
ldap_servers: ldap://localhost:389
ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
ldap_bind_pw: secret
ldap_search_base:  ou=Users,dc=kolkatainfoservices,dc=in
ldap_version: 3
ldap_filter: uid=%U
ldap_default_domain: kolkatainfoservices.in
--------------------------------------------------------------------------

But having problem with  *disallow bind_anon*. I have also checked the
settings u hv suggested
like  ldap_scope: one, ldap_uidattr: uid , ldap_filter_mode:  yes. but
no success yet.

executing cyradm with valid user (in LDAP) and password reports
----------------------------------------------------
Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from
IP=127.0.0.1:34512 (IP=0.0.0.0:389)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH
base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0
filter="(uid=aftab)"
Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid)
index_param failed (18)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND
dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind
as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid
credentials)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure:
[user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Mar 20 14:52:06 linux imap[20519]: badlogin:
linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13):
authentication failure: checkpass failed
------------------------------------------------------------------------------

could u kindly help me to fix the problem as my system has a security
risk untill I stop the anynomous  user login.
thanks

>
>
> Best regards
> Roland
>
>
> JOYDEEP wrote:
>> Dear list,
>>
>> to secure my ldap server I have added the line "disallow bind_anon" in
>> slapd.conf.
>> I have checked by "ldapsearch" command and now my ldap doesn't allow
>> anonymous bind.
>> But I have now problem to use cyrus as it also based on LDAP
>> authentication.
>> I can't log in in cyrus with Correct userid and passwd but if I disable
>> the "disallow bind_anon"   I can again use cyrus.
>>
>> Could any one kindly sugeest me to  fix it ?
>>
>> here is my /etc/imapd.conf
>>
>> ==============================================================
>> configdirectory: /var/lib/imap
>> partition-default: /var/spool/imap
>> sievedir: /var/lib/sieve
>> admins: cyrus
>> allowplaintext: yes
>> sasl_mech_list: LOGIN PLAIN
>> allowanonymouslogin: no
>> autocreatequota: 10000
>> reject8bit: no
>> quotawarn: 90
>> timeout: 30
>> poptimeout: 10
>> dracinterval: 0
>> drachost: localhost
>> sasl_pwcheck_method: saslauthd
>> servername:linux.kolkatainfoservices.in
>> lmtp_overquota_perm_failure: no
>> lmtp_downcase_rcpt: yes
>> unixhierarchysep:  yes
>> loginrealms:   kolkatainfoservices.in
>> hashimapspool: true
>> lmtpsocket:  /var/lib/imap/socket/lmtp
>> ==============================
>>
>>
>>
>>
>>
>>
>> ----
>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>   

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux