Michael Menge wrote:
> If you use pam, you have to set the binddn and bindpw in /etc/ldap.conf

OK. Should I copy these from slapd.conf?

>
> Quoting JOYDEEP <j.bakshi@xxxxxxxxxxxxxxxxx>:
>
>> Roland Felnhofer wrote:
>>> Hi,
>>>
>>> hmm, let me guess - you are running saslauthd with -a PAM?!
>>>
>>> try running it /usr/sbin/saslauthd -a ldap
>>> no need (with a more or less up-to-date version of saslauthd) to do it
>>> via PAM - use LDAP directly. Fewer layers, fewer potential problems.
>>>
>>> What log entry and result do you get by executing:
>>> ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D
>>> cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
>> Dear friend Roland,
>> Thanks a lot for pointing out the problem. With *disallow bind_anon* I
>> can successfully log in by executing */usr/sbin/saslauthd -a ldap*
>> Thanks a lot. But my saslauthd is configured to support both pam and
>> ldap. It is required to access cyrus admin as it is based on pam.
>> You can check my /etc/pam.d/imap
>> -----------------------------------------
>> auth sufficient /lib/security/pam_ldap.so
>> auth required /lib/security/pam_unix.so try_first_pass
>> account sufficient /lib/security/pam_ldap.so
>> account required /lib/security/pam_unix.so
>> ------------------------------------------------------------
>>
>> So based on this configuration both pam and ldap authentication are
>> working except for the *disallow bind_anon* in cyrus.
>> But *disallow bind_anon* is working well with my present config with
>> ldapsearch. So I have to fix this cyrus issue here.
>> Could you suggest any alternative please?
>> Thanks and have a great day.
>>>
>>> Best regards
>>> Roland
>>>
>>> JOYDEEP wrote:
>>>> Roland Felnhofer wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> that should give you a hint:
>>>>>
>>>>>
>>>>> saslauthd.conf
>>>>>
>>>>> ldap_servers: ldap://127.0.0.1
>>>>> ldap_search_base: ou=people,dc=example,dc=com
>>>>> ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>>>> ldap_password: password
>>>>> ldap_scope: one
>>>>> ldap_uidattr: uid
>>>>> ldap_filter_mode: yes
>>>>> ldap_filter: uid=%u
>>>>>
>>>>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
>>>>> ldap_password) should be sufficient.
>>>>>
>>>>>
>>>> Dear Roland, thanks for your response.
>>>> I already have the following entries in my saslauthd.conf
>>>> ---------------------------------------------------------------------
>>>> ldap_servers: ldap://localhost:389
>>>> ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>>>> ldap_bind_pw: secret
>>>> ldap_search_base: ou=Users,dc=kolkatainfoservices,dc=in
>>>> ldap_version: 3
>>>> ldap_filter: uid=%U
>>>> ldap_default_domain: kolkatainfoservices.in
>>>> --------------------------------------------------------------------------
>>>>
>>>> But I am having a problem with *disallow bind_anon*. I have also checked the
>>>> settings you have suggested,
>>>> like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes, but
>>>> no success yet.
>>>>
>>>> Executing cyradm with a valid user (in LDAP) and password reports
>>>> ----------------------------------------------------
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"
>>>> Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid) index_param failed (18)
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
>>>> Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid credentials)
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
>>>> Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
>>>> Mar 20 14:52:06 linux saslauthd[19448]: do_auth : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>> Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
>>>> ------------------------------------------------------------------------------
>>>>
>>>> Could you kindly help me to fix the problem, as my system has a security
>>>> risk until I stop the anonymous user login.
>>>> Thanks
>>>>
>>>>
>>>>> Best regards
>>>>> Roland
>>>>>
>>>>>
>>>>> JOYDEEP wrote:
>>>>>
>>>>>> Dear list,
>>>>>>
>>>>>> To secure my ldap server I have added the line "disallow
>>>>>> bind_anon" in
>>>>>> slapd.conf.
>>>>>> I have checked by the "ldapsearch" command and now my ldap doesn't allow
>>>>>> anonymous bind.
>>>>>> But I now have a problem using cyrus as it is also based on LDAP
>>>>>> authentication.
>>>>>> I can't log in to cyrus with the correct userid and passwd, but if I
>>>>>> disable
>>>>>> the "disallow bind_anon" I can again use cyrus.
>>>>>>
>>>>>> Could anyone kindly suggest how to fix it?
>>>>>>
>>>>>> Here is my /etc/imapd.conf
>>>>>>
>>>>>> ==============================================================
>>>>>> configdirectory: /var/lib/imap
>>>>>> partition-default: /var/spool/imap
>>>>>> sievedir: /var/lib/sieve
>>>>>> admins: cyrus
>>>>>> allowplaintext: yes
>>>>>> sasl_mech_list: LOGIN PLAIN
>>>>>> allowanonymouslogin: no
>>>>>> autocreatequota: 10000
>>>>>> reject8bit: no
>>>>>> quotawarn: 90
>>>>>> timeout: 30
>>>>>> poptimeout: 10
>>>>>> dracinterval: 0
>>>>>> drachost: localhost
>>>>>> sasl_pwcheck_method: saslauthd
>>>>>> servername: linux.kolkatainfoservices.in
>>>>>> lmtp_overquota_perm_failure: no
>>>>>> lmtp_downcase_rcpt: yes
>>>>>> unixhierarchysep: yes
>>>>>> loginrealms: kolkatainfoservices.in
>>>>>> hashimapspool: true
>>>>>> lmtpsocket: /var/lib/imap/socket/lmtp
>>>>>> ==============================
>>>>>>
>>>>>> ----
>>>>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>>>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>>>
>>>>
>>>>
>>
>
>
> --------------------------------------------------------------------------------
>
> M.Menge                        Tel.: (49) 7071/29-70316
> Universitaet Tuebingen         Fax.: (49) 7071/29-5912
> Zentrum fuer Datenverarbeitung mail: michael.menge@xxxxxxxxxxxxxxxxxxxx
> Waechterstrasse 76
> 72074 Tuebingen
> ------------------------------------------------------------------------
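The slapd log excerpt quoted above is the evidence that settles this kind of problem: it shows, per connection, who bound as what and what each client then did. The script below is an added example (mine, not code from any poster, from OpenLDAP or from Cyrus) that reads slapd "stats" log lines (loglevel 256) and correlates them per connection, so you can tell whether slapd is still accepting anonymous binds, which client is searching the tree with no bind identity at all (the pattern a pam_ldap without binddn/bindpw produces), and which binds fail on the password. The conn=1 lines are the thread's own excerpt with the syslog wrapping undone; the conn=2 and conn=3 lines are constructed to show what a refused anonymous bind (err=48, which is what slapd returns under "disallow bind_anon") and the healthy proxy-bind-then-user-bind sequence look like. The result-code meanings are RFC 4511; the advice strings name the saslauthd and pam_ldap options discussed in the thread.

```python
#!/usr/bin/env python3
"""Per-connection review of slapd 'stats' log lines (loglevel 256).
Added example for this thread, not code from the posters, OpenLDAP or Cyrus."""
import re
from collections import defaultdict

ACCEPT_RE = re.compile(r'conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[^:\s]+):\d+')
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
BIND_RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)".*filter="(?P<filter>[^"]*)"')

# Bind result codes (RFC 4511).  slapd answers an anonymous simple bind with
# 48 (inappropriateAuthentication) when slapd.conf says "disallow bind_anon".
SUCCESS, INAPPROPRIATE_AUTH, INVALID_CREDENTIALS = 0, 48, 49


def analyze(lines):
    """Group lines by connection: {conn: {"ip", "binds", "searches"}}.

    A bind records its DN, whether it was anonymous (empty DN) and the err
    from the matching RESULT line (tag=97 is a BindResponse).  A search
    records the identity the connection held when it ran; LDAP drops the
    connection back to anonymous after any failed bind, so that is tracked.
    """
    conns = defaultdict(lambda: {"ip": None, "binds": [], "searches": []})
    pending = {}                  # (conn, op) -> bind record awaiting its RESULT
    identity = defaultdict(str)   # conn -> bound DN, "" means anonymous
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conns[m["conn"]]["ip"] = m["ip"]
        elif m := BIND_RE.search(line):
            rec = {"op": int(m["op"]), "dn": m["dn"], "anonymous": m["dn"] == "",
                   "simple": m["method"] == "128", "err": None}
            conns[m["conn"]]["binds"].append(rec)
            pending[(m["conn"], m["op"])] = rec
        elif m := BIND_RESULT_RE.search(line):
            rec = pending.pop((m["conn"], m["op"]), None)
            if rec is not None:
                rec["err"] = int(m["err"])
                identity[m["conn"]] = rec["dn"] if rec["err"] == SUCCESS else ""
        elif m := SRCH_RE.search(line):
            conns[m["conn"]]["searches"].append(
                {"op": int(m["op"]), "base": m["base"], "filter": m["filter"],
                 "as": identity[m["conn"]]})
    return dict(conns)


def findings(conns):
    """Reduce the per-connection view to (conn, kind, detail) tuples."""
    out = []
    for conn in sorted(conns, key=int):
        c = conns[conn]
        for b in c["binds"]:
            if b["anonymous"] and b["err"] == SUCCESS:
                out.append((conn, "anon_bind_accepted",
                            f"from {c['ip']}: slapd still accepts anonymous binds"))
            elif b["anonymous"] and b["err"] == INAPPROPRIATE_AUTH:
                out.append((conn, "anon_bind_refused",
                            f"from {c['ip']}: anonymous bind refused (err=48)"))
            elif not b["anonymous"] and b["err"] == INVALID_CREDENTIALS:
                out.append((conn, "bad_password", f"wrong password for {b['dn']}"))
        for s in c["searches"]:
            if s["as"] == "":
                out.append((conn, "anon_search",
                            f"{s['filter']} under {s['base']} ran with no bind identity; "
                            "give the client a bind DN (binddn/bindpw for pam_ldap, "
                            "ldap_bind_dn/ldap_bind_pw for saslauthd -a ldap)"))
    return out


# conn=1: the thread's excerpt, one syslog record per line.
# conn=2, conn=3: constructed lines (refused anonymous bind; healthy sequence).
SAMPLE_LINES = [
    'Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)',
    'Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128',
    'Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=',
    'Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"',
    'Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128',
    'Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=',
    'Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128',
    'Mar 20 14:53:10 linux slapd[20480]: conn=2 fd=14 ACCEPT from IP=127.0.0.1:34520 (IP=0.0.0.0:389)',
    'Mar 20 14:53:10 linux slapd[20480]: conn=2 op=0 BIND dn="" method=128',
    'Mar 20 14:53:10 linux slapd[20480]: conn=2 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed',
    'Mar 20 14:54:00 linux slapd[20480]: conn=3 fd=15 ACCEPT from IP=127.0.0.1:34530 (IP=0.0.0.0:389)',
    'Mar 20 14:54:00 linux slapd[20480]: conn=3 op=0 BIND dn="cn=Manager,dc=kolkatainfoservices,dc=in" method=128',
    'Mar 20 14:54:00 linux slapd[20480]: conn=3 op=0 RESULT tag=97 err=0 text=',
    'Mar 20 14:54:00 linux slapd[20480]: conn=3 op=1 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(uid=aftab)"',
    'Mar 20 14:54:00 linux slapd[20480]: conn=3 op=2 BIND dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128',
    'Mar 20 14:54:00 linux slapd[20480]: conn=3 op=2 RESULT tag=97 err=0 text=',
]

if __name__ == "__main__":
    for conn, kind, detail in findings(analyze(SAMPLE_LINES)):
        print(f"conn={conn} {kind}: {detail}")
```

Run against the thread's excerpt it reports three things on conn=1: the anonymous bind at op=0 was accepted (err=0), the uid=aftab search at op=1 ran with no bind identity, and the user bind at op=2 failed with err=49. Conn=3 produces no finding, which is the shape to aim for: a proxy account binds, searches, then the user's own bind succeeds. One caveat on the bind DN itself: whatever identity you give pam_ldap in /etc/ldap.conf or saslauthd in saslauthd.conf only needs read access to the uid attribute under the search base, so a low-privilege account like Roland's cn=proxyagent is the better choice than the slapd rootdn, and the password must not live in a world-readable file (pam_ldap has rootbinddn with the password in /etc/ldap.secret for that reason, and saslauthd.conf should be readable by root only).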