Roland Felnhofer wrote:
> Hi,
>
> hmm, let me guess - you are running saslauthd with -a PAM?!
>
> try running it /usr/sbin/saslauthd -a ldap
> no need (with a more or less up-to-date version of saslauthd) to do it
> via PAM - use LDAP directly. Fewer layers, fewer potential problems.
>
> What log entry and result do you get by executing:
> ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab

Dear friend Roland,

Thanks a lot for pointing out the problem. With *disallow bind_anon* I can
successfully log in by executing */usr/sbin/saslauthd -a ldap*. Thanks a lot.

But my saslauthd is configured to support both PAM and LDAP. It is required
to access cyrus admin as it is based on PAM. You can check my /etc/pam.d/imap

-----------------------------------------
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
------------------------------------------------------------

So based on this configuration both PAM and LDAP authentication are working,
except for *disallow bind_anon* in cyrus. But *disallow bind_anon* is working
well with my present config with ldapsearch. So I have to fix this cyrus
issue here.

Could you suggest any alternative please?

Thanks and have a great day.

> Best regards
> Roland
>
> JOYDEEP wrote:
>> Roland Felnhofer wrote:
>>
>>> Hi,
>>>
>>> that should give you a hint:
>>>
>>> saslauthd.conf
>>>
>>> ldap_servers: ldap://127.0.0.1
>>> ldap_search_base: ou=people,dc=example,dc=com
>>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>> ldap_password: password
>>> ldap_scope: one
>>> ldap_uidattr: uid
>>> ldap_filter_mode: yes
>>> ldap_filter: uid=%u
>>>
>>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>>> ldap_password) should be sufficient.
>>>
>> Dear Roland, thanks for your response.
>> I already have the following entries in my saslauthd.conf
>> ---------------------------------------------------------------------
>> ldap_servers: ldap://localhost:389
>> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>> ldap_bind_pw: secret
>> ldap_search_base: ou=Users,dc=kolkatainfoservices,dc=in
>> ldap_version: 3
>> ldap_filter: uid=%U
>> ldap_default_domain: kolkatainfoservices.in
>> --------------------------------------------------------------------------
>>
>> But I am having a problem with *disallow bind_anon*. I have also checked the
>> settings you have suggested, like ldap_scope: one, ldap_uidattr: uid,
>> ldap_filter_mode: yes, but no success yet.
>>
>> Executing cyradm with a valid user (in LDAP) and password reports
>> ----------------------------------------------------
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
>> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid) index_param failed (18)
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
>> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid credentials)
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
>> Mar 20 14:52:06 linux saslauthd[19448]: do_auth : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>> Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
>> ------------------------------------------------------------------------------
>>
>> Could you kindly help me to fix the problem, as my system has a security
>> risk until I stop the anonymous user login.
>> thanks
>>
>>> Best regards
>>> Roland
>>>
>>> JOYDEEP wrote:
>>>
>>>> Dear list,
>>>>
>>>> to secure my ldap server I have added the line "disallow bind_anon" in
>>>> slapd.conf.
>>>> I have checked by "ldapsearch" command and now my ldap doesn't allow
>>>> anonymous bind.
>>>> But I now have a problem using cyrus as it is also based on LDAP
>>>> authentication.
>>>> I can't log in to cyrus with the correct userid and passwd, but if I
>>>> disable the "disallow bind_anon" I can again use cyrus.
>>>>
>>>> Could anyone kindly suggest how to fix it?
>>>>
>>>> here is my /etc/imapd.conf
>>>>
>>>> ==============================================================
>>>> configdirectory: /var/lib/imap
>>>> partition-default: /var/spool/imap
>>>> sievedir: /var/lib/sieve
>>>> admins: cyrus
>>>> allowplaintext: yes
>>>> sasl_mech_list: LOGIN PLAIN
>>>> allowanonymouslogin: no
>>>> autocreatequota: 10000
>>>> reject8bit: no
>>>> quotawarn: 90
>>>> timeout: 30
>>>> poptimeout: 10
>>>> dracinterval: 0
>>>> drachost: localhost
>>>> sasl_pwcheck_method: saslauthd
>>>> servername:linux.kolkatainfoservices.in
>>>> lmtp_overquota_perm_failure: no
>>>> lmtp_downcase_rcpt: yes
>>>> unixhierarchysep: yes
>>>> loginrealms: kolkatainfoservices.in
>>>> hashimapspool: true
>>>> lmtpsocket: /var/lib/imap/socket/lmtp
>>>> ==============================
>>>>
>>>> ----
>>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html