Re: disallow bind_anon creates problem in cyrus

If you use pam, you have to set the binddn and bindpw in /etc/ldap.conf

Quoting JOYDEEP <j.bakshi@xxxxxxxxxxxxxxxxx>:

Roland Felnhofer wrote:
Hi,

Hmm, let me guess: you are running saslauthd with -a PAM?!

Try running it: /usr/sbin/saslauthd -a ldap
No need (with a more or less up-to-date version of saslauthd) to do it
via PAM; use LDAP directly. Fewer layers, fewer potential problems.

What log entry and result do you get by executing:
   ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
Dear friend Roland,
Thanks a lot for pointing out the problem. With *disallow bind_anon* I
can successfully log in by executing */usr/sbin/saslauthd -a ldap*.
Thanks a lot. But my saslauthd is configured to support both PAM and
LDAP. It is required to access the cyrus admin, as it is based on PAM.
You can check my /etc/pam.d/imap
-----------------------------------------
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so
------------------------------------------------------------

So based on this configuration both PAM and LDAP authentication are
working, except for *disallow bind_anon* in cyrus.
But *disallow bind_anon* is working well with my present config with
ldapsearch. So I have to fix this cyrus issue here.
Could you suggest any alternative please?
Thanks and have a great day.

Best regards
Roland

JOYDEEP wrote:
Roland Felnhofer wrote:

Hi,

that should give you a hint:


       saslauthd.conf

ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=people,dc=example,dc=com
ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_password: password
ldap_scope: one
ldap_uidattr: uid
ldap_filter_mode:  yes
ldap_filter: uid=%u

The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
ldap_password) should be sufficient.


Dear Roland, thanks for your response.
I already have the following entries in my saslauthd.conf
---------------------------------------------------------------------
ldap_servers: ldap://localhost:389
ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
ldap_bind_pw: secret
ldap_search_base:  ou=Users,dc=kolkatainfoservices,dc=in
ldap_version: 3
ldap_filter: uid=%U
ldap_default_domain: kolkatainfoservices.in
--------------------------------------------------------------------------


But I am having a problem with *disallow bind_anon*. I have also checked the
settings you have suggested, like ldap_scope: one, ldap_uidattr: uid,
ldap_filter_mode: yes, but no success yet.

Executing cyradm with a valid user (in LDAP) and password reports
----------------------------------------------------
Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from
IP=127.0.0.1:34512 (IP=0.0.0.0:389)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0
text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH
base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0
filter="(uid=aftab)"
Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid)
index_param failed (18)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND
dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind
as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid
credentials)
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49
text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure:
[user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Mar 20 14:52:06 linux imap[20519]: badlogin:
linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13):
authentication failure: checkpass failed
------------------------------------------------------------------------------


Could you kindly help me to fix the problem, as my system has a security
risk until I stop the anonymous user login.
Thanks


Best regards
Roland


JOYDEEP wrote:

Dear list,

To secure my LDAP server I have added the line "disallow bind_anon" in
slapd.conf.
I have checked with the "ldapsearch" command and now my LDAP doesn't allow
anonymous bind.
But I now have a problem using cyrus, as it is also based on LDAP
authentication.
I can't log in to cyrus with the correct userid and password, but if I
disable the "disallow bind_anon" I can again use cyrus.

Could anyone kindly suggest how to fix it?

here is my /etc/imapd.conf

==============================================================
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
servername:linux.kolkatainfoservices.in
lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
unixhierarchysep:  yes
loginrealms:   kolkatainfoservices.in
hashimapspool: true
lmtpsocket:  /var/lib/imap/socket/lmtp
==============================






----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html








--------------------------------------------------------------------------------
M.Menge                                 Tel.: (49) 7071/29-70316
Universitaet Tuebingen                  Fax.: (49) 7071/29-5912
Zentrum fuer Datenverarbeitung mail: michael.menge@xxxxxxxxxxxxxxxxxxxx
Waechterstrasse 76
72074 Tuebingen

Attachment: smime.p7s
Description: S/MIME cryptographic signature
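The slapd log quoted in this thread shows the pattern a pam_ldap setup produces: an anonymous bind (dn="") to look up the user's DN, then a bind as the user. As an added example that is not from the thread or from the Cyrus/OpenLDAP projects, here is a small Python parser that pairs slapd BIND lines with their RESULT lines so an administrator can check from the log whether anonymous binds are still succeeding after setting "disallow bind_anon". The sample log is constructed: conn=1 re-joins the thread's wrapped lines, and conn=2 is invented to show a rejected anonymous bind (err=48, inappropriateAuthentication, which slapd returns when anonymous binds are disallowed).

```python
import re

# slapd BIND / RESULT lines in the format shown in this thread's log
BIND_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

# Constructed sample: conn=1 mirrors the thread's log (wrapped lines re-joined);
# conn=2 is an invented rejected anonymous bind (err=48) for comparison.
SAMPLE_LOG = """\
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
Mar 20 14:52:07 linux slapd[20480]: conn=2 op=0 BIND dn="" method=128
Mar 20 14:52:07 linux slapd[20480]: conn=2 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
""".splitlines()

def audit_binds(lines):
    """Pair each BIND with its RESULT (matched on conn/op).
    Record fields: conn, op, dn, anonymous (dn == ""), err (None if no RESULT)."""
    pending, records = {}, []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[(conn, op)] = {"conn": int(conn), "op": int(op), "dn": dn,
                                   "anonymous": dn == "", "err": None}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            rec = pending.pop((conn, op), None)
            if rec is not None:  # RESULTs of non-BIND ops are ignored
                rec["err"] = int(err)
                records.append(rec)
    records.extend(pending.values())  # BINDs that never got a RESULT
    return records

def summarize(records):
    """Outcomes that matter when verifying 'disallow bind_anon' from the log.
    anon_success > 0 means anonymous binds are still being accepted."""
    anon = [r for r in records if r["anonymous"]]
    return {
        "anon_success": sum(1 for r in anon if r["err"] == 0),
        "anon_rejected": sum(1 for r in anon if r["err"] not in (None, 0)),
        "user_invalid_credentials": sum(1 for r in records
                                        if not r["anonymous"] and r["err"] == 49),
        "unanswered": sum(1 for r in records if r["err"] is None),
    }
```

Run it over the real slapd log (e.g. `audit_binds(open("/var/log/slapd.log"))`) and a non-zero anon_success shows the directive is not taking effect, while user_invalid_credentials counts binds that reached the user DN but failed on the password, as in the thread's err=49 line.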

