Hey Igor,

Running ldapsearch when the server is printing the AUTHFAILs returns what you would expect: the single user account entry for the user.

Based on the fact that restarting the ldap server seems to help, one would think that it's an ldap server problem. But I just don't see how that can be, since I've run 3 different versions of openldap on two different servers, and the ldap server load never goes above 0.10.

Any other ideas?

Thanks,
Lee

-----Original Message-----
From: Igor Brezac [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 6:39 PM
To: Lee Hoffman
Cc: [EMAIL PROTECTED]
Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

On Fri, 20 Sep 2002, Lee Hoffman wrote:

> I've been pulling my hair out with this for nearly 4 days now. I have
> cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
>
> SASL:
> ./configure --enable-plain --disable-krb4
> --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
>
> IMAP:
> ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
>
> Basically I CYRUS->SASLAUTHD->LDAP
>
> For some reason users intermittently will be prompted for their password
> over and over. The sasl debug log shows the following lines when that
> happens:
>
> Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than
> one entries found (uid=superman).
> Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman
> service=imap realm=
>
> (ldap logs show nothing)
>
> The user always exists in the ldap directory. In fact 75% of the time
> they can login and use mail without problems. It seems like when I
> restart the ldap directory the AUTHFAILs stop happening for a while. I
> have the ldap directory restarting ldap every 5 minutes now, which seems
> to be keeping the AUTHFAILs to a minimum (but they are still happening).
>
> I immediately figured it was an LDAP problem. However, I've now tried
> openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
> of these three versions on two different servers (one with redhat, one
> with debian). Both servers were completely different hardware. I also
> tried different versions of the ldap client library (and of course
> recompiled cyrus and sasl after trying each) on the cyrus server.
> Nothing stops these intermittent AUTHFAILs.
>
> Does anyone have any idea what's going on? I'm desperate. Any ideas would
> be appreciated.
>

Are there any other saslauthd lines in the syslog? What happens when you run

ldapsearch -x -b ou=users,dc=location,dc=com -D cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman

on the command line after you start getting AUTHFAIL messages? How many entries, if any, are returned?

Your configuration looks good.

> SASLAUTHD.CONF:
>
> ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
> ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
> ldap_bind_pw: password
> ldap_auth_method: bind
> ldap_search_base: ou=users,dc=location,dc=com
> ldap_debug: 5000
> ldap_timeout: 15 # tried multiple values here too
> ldap_time_limit: 15 # tried multiple values here too
>
>
> IMAPD.CONF
>
> configdirectory: /export/cyrus/imap
> partition-default: /export/cyrus/spool/imap
> admins: admin
> #sasl_pwcheck_method: pam
>
> tls_cert_file: /export/cyrus/server.pem
> tls_key_file: /export/cyrus/server.pem
>
> allowanonymouslogin: no
> allowplaintext: yes
> sasl_mech_list: PLAIN
> servername: localhost
> autocreatequota: 10000
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost
> sasl_pwcheck_method: saslauthd
> #sievedir: /usr/sieve
> #sendmail: /usr/sbin/sendmail
> #sieve_maxscriptsize: 32
> #sieve_maxscripts: 5
>
> # Get rid of folders as subfolders of INBOX
> altnamespace: yes
> unixhierarchysep: yes
>

-- 
Igor
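Igor's one-off ldapsearch check only tells you what the directory returns at that instant, while the failures are intermittent. The script below is an added diagnostic helper, not from the thread or from the Cyrus/SASL project: it repeats the search from Igor's message on a timer and logs the entry count each time, classifying it the way saslauthd's bind method does (exactly one entry is required, anything else is the "Entry not found or more than one entries found" condition). It assumes the OpenLDAP ldapsearch client, the base DN and bind DN from the thread, and the bind password in the LDAP_BIND_PW environment variable so the loop can run unattended.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Assumes OpenLDAP ldapsearch,
# the DNs quoted in Igor's message, and LDAP_BIND_PW set in the environment.

BASE="ou=users,dc=location,dc=com"
BIND_DN="cn=postfixAdmin,ou=software,dc=location,dc=com"
INTERVAL="${INTERVAL:-30}"   # seconds between probes (assumed default)

# Count LDAP entries in LDIF text read on stdin: each entry starts with a
# "dn:" line. grep -c prints 0 and exits 1 when nothing matches, so the
# "|| true" keeps a zero count from aborting a "set -e" script.
count_ldif_entries() {
    grep -c '^dn:' || true
}

# Classify a count the way saslauthd's bind method does: it needs exactly
# one matching entry; 0 or more than 1 produces the AUTHFAIL seen in the log.
classify_count() {
    if [ "$1" -eq 1 ]; then
        echo "OK"
    else
        echo "AUTHFAIL-condition"
    fi
}

# Run the search from the thread once and print a timestamped result line.
# -LLL gives plain LDIF without comments so only real entries have "dn:" lines.
probe_once() {
    uid="$1"
    count=$(ldapsearch -x -LLL -b "$BASE" -D "$BIND_DN" -w "$LDAP_BIND_PW" \
                "uid=$uid" 2>/dev/null | count_ldif_entries)
    printf '%s uid=%s entries=%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
        "$uid" "$count" "$(classify_count "$count")"
}

# Usage: ./probe.sh --probe superman   (loops until interrupted; lines that
# read AUTHFAIL-condition can then be lined up against the saslauthd syslog).
case "${1-}" in
    --probe)
        [ -n "${LDAP_BIND_PW-}" ] || { echo "set LDAP_BIND_PW first" >&2; exit 2; }
        while :; do
            probe_once "${2:-superman}"
            sleep "$INTERVAL"
        done
        ;;
esac
```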