Re: disallow bind_anon creates problem in cyrus

[Roland Felnhofer <roland.felnhofer@xxxxxxxxx>]

Hi,

FIRST: Please buy a Linux book and read it!!

http://www.oreilly.com/catalog/runlinux5/ inx.html 
<http://www.oreilly.com/catalog/runlinux5/inx.html>
http://www.oreilly.com/catalog/linuxss2/ inx.html 
<http://www.oreilly.com/catalog/linuxss2/inx.html>
http://www.oreilly.com/catalog/linuxckbk/ inx.html 
<http://www.oreilly.com/catalog/linuxckbk/inx.html>
http://www.oreilly.com/catalog/esapr/ inx.html 
<http://www.oreilly.com/catalog/esapr/inx.html>
http://www.oreilly.com/catalog/linag3/ inx.html 
<http://www.oreilly.com/catalog/linag3/inx.html>

> But my saslauthd is configured to support both pam and
> ldap
Hint: Actually saslauthd does not "support" PAM and LDAP as a "provider" 
it's a "user" of these services as its authentication source. Where PAM 
again uses other sources as its  authentication source (passwd, shadow, 
LDAP,...)

To find out what I meant with that and how it affects you, consult the 
books I recommended to buy.

Best regards
Roland

JOYDEEP wrote:
> Roland Felnhofer wrote:
>   
> > Hi,
> >
> > hmm, let me guess - you are running saslauthd with -a PAM?!
> >
> > try running it     /usr/sbin/saslauthd -a ldap
> > no need (with a more or less up-to-date version of saslauthd) to do it
> > via PAM - use LDAP directly. Less layers less potential problems.
> >
> > What log entry and result do you get by executing:
> >    ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D
> > cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
> >     
> Dear friend Roland,
> Thanks a lot for pointing out the problem.  with *disallow bind_anon* I
> can successfully log in by executing */usr/sbin/saslauthd -a ldap*
> Thanks a lot. But my saslauthd is configured to support both pam and
> ldap. it is required to access cyrus admin as it is based on pam.
> u can check my  /etc/pam.d/imap
> -----------------------------------------
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix.so try_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix.so
> ------------------------------------------------------------
>
> So based on this configuration both pam and ldap authentication is
> working except the *disallow bind_anon* in cyrus.
> but *disallow bind_anon* is working well with my present config with
> ldapsearch. So I have to fix this cyrus issue here.
> could u suggest any alternative please ?
> thanks and have a great day.
>   
> > Best regards
> > Roland
> >
> > JOYDEEP wrote:
> >     
> > > Roland Felnhofer wrote:
> > >  
> > >       
> > > > Hi,
> > > >
> > > > that should give you a hint:
> > > >
> > > >
> > > >        saslauthd.conf
> > > >
> > > > ldap_servers: ldap://127.0.0.1
> > > > ldap_search_base: ou=people,dc=example,dc=com
> > > > ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
> > > > ldap_password: password
> > > > ldap_scope: one
> > > > ldap_uidattr: uid
> > > > ldap_filter_mode:  yes
> > > > ldap_filter: uid=%u
> > > >
> > > > The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn,
> > > > ldap_password) should be sufficient.
> > > >
> > > >     
> > > >         
> > > Dear Roland, thanks for your response.
> > > I already have the following entries in my saslauthd.conf
> > > ---------------------------------------------------------------------
> > > ldap_servers: ldap://localhost:389
> > > ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
> > > ldap_bind_pw: secret
> > > ldap_search_base:  ou=Users,dc=kolkatainfoservices,dc=in
> > > ldap_version: 3
> > > ldap_filter: uid=%U
> > > ldap_default_domain: kolkatainfoservices.in
> > > --------------------------------------------------------------------------
> > >
> > >
> > > But having problem with  *disallow bind_anon*. I have also checked the
> > > settings u hv suggested
> > > like  ldap_scope: one, ldap_uidattr: uid , ldap_filter_mode:  yes. but
> > > no success yet.
> > >
> > > executing cyradm with valid user (in LDAP) and password reports
> > > ----------------------------------------------------
> > > Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from
> > > IP=127.0.0.1:34512 (IP=0.0.0.0:389)
> > > Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn="" method=128
> > > Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0
> > > text=
> > > Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH
> > > base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0
> > > filter="(uid=aftab)"
> > > Mar 20 14:52:06 linux slapd[20480]: <= bdb_equality_candidates: (uid)
> > > index_param failed (18)
> > > Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101
> > > err=0 nentries=1 text=
> > > Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND
> > > dn="uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" method=128
> > > Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind
> > > as user "uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in" (Invalid
> > > credentials)
> > > Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49
> > > text=
> > > Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn="" method=128
> > > Mar 20 14:52:06 linux saslauthd[19448]: do_auth         : auth failure:
> > > [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
> > > Mar 20 14:52:06 linux imap[20519]: badlogin:
> > > linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13):
> > > authentication failure: checkpass failed
> > > ------------------------------------------------------------------------------
> > >
> > >
> > > could u kindly help me to fix the problem as my system has a security
> > > risk untill I stop the anynomous  user login.
> > > thanks
> > >
> > >  
> > >       
> > > > Best regards
> > > > Roland
> > > >
> > > >
> > > > JOYDEEP wrote:
> > > >    
> > > >         
> > > > > Dear list,
> > > > >
> > > > > to secure my ldap server I have added the line "disallow bind_anon" in
> > > > > slapd.conf.
> > > > > I have checked by "ldapsearch" command and now my ldap doesn't allow
> > > > > anonymous bind.
> > > > > But I have now problem to use cyrus as it also based on LDAP
> > > > > authentication.
> > > > > I can't log in in cyrus with Correct userid and passwd but if I
> > > > > disable
> > > > > the "disallow bind_anon"   I can again use cyrus.
> > > > >
> > > > > Could any one kindly sugeest me to  fix it ?
> > > > >
> > > > > here is my /etc/imapd.conf
> > > > >
> > > > > ==============================================================
> > > > > configdirectory: /var/lib/imap
> > > > > partition-default: /var/spool/imap
> > > > > sievedir: /var/lib/sieve
> > > > > admins: cyrus
> > > > > allowplaintext: yes
> > > > > sasl_mech_list: LOGIN PLAIN
> > > > > allowanonymouslogin: no
> > > > > autocreatequota: 10000
> > > > > reject8bit: no
> > > > > quotawarn: 90
> > > > > timeout: 30
> > > > > poptimeout: 10
> > > > > dracinterval: 0
> > > > > drachost: localhost
> > > > > sasl_pwcheck_method: saslauthd
> > > > > servername:linux.kolkatainfoservices.in
> > > > > lmtp_overquota_perm_failure: no
> > > > > lmtp_downcase_rcpt: yes
> > > > > unixhierarchysep:  yes
> > > > > loginrealms:   kolkatainfoservices.in
> > > > > hashimapspool: true
> > > > > lmtpsocket:  /var/lib/imap/socket/lmtp
> > > > > ==============================
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ----
> > > > > Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> > > > > Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> > > > > List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> > > > >         
> > > > >           
> > >   
> > >       
>
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html