Re: problem in Authentication.
On Wed, May 16, 2007 at 11:56:19AM +0400, Rajeev R Veedu wrote:

> The system was up about 1 year and I never faced this problem. Also I haven't changed any settings in the configuration. Since yesterday I am getting this RANDOM authentication failure and would appreciate if you could help me,

try to clean saslauthd cache with saslcache and restart saslauthd.

WBR.
Dmitriy

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: problem in Authentication.
On Wed, May 16, 2007 at 02:53:49PM +0400, Rajeev R Veedu wrote:

> I can not locate saslcache. Can you tell me where it could be (I am running Cyrus on Centos4)

hm.. can't see on CentOS4 too. But on FreeBSD:

$ pkg_info -Lx saslauthd | grep cache
/usr/local/sbin/saslcache

I'm looking at my port Makefile:

do-build:
...
cd ${WRKSRC}/saslauthd ${MAKE} saslcache
...

I think you must properly configure your spec-file and rebuild sasl's rpm's.

WBR.
Dmitriy

RE: problem in Authentication.
I can not locate saslcache. Can you tell me where it could be (I am running Cyrus on Centos4)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitriy Kirhlarov
Sent: Wednesday, May 16, 2007 2:06 PM
To: info-cyrus@lists.andrew.cmu.edu
Subject: Re: problem in Authentication.

On Wed, May 16, 2007 at 11:56:19AM +0400, Rajeev R Veedu wrote:

> The system was up about 1 year and I never faced this problem. Also I haven't changed any settings in the configuration. Since yesterday I am getting this RANDOM authentication failure and would appreciate if you could help me,

try to clean saslauthd cache with saslcache and restart saslauthd.

WBR.
Dmitriy

Re: problem with authentication
Following my earlier mail, I have forgotten to mention the /etc/pamd/imap consists of the following lines:

#%PAM-1.0
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so
auth     sufficient  pam_ldap.so
account  required    pam_unix.so

And cyrus is running on SuSE Linux 9.0.

Many thanks
Sujit

Sujit Choudhury wrote:

> We are running cyrus imapd which authenticates its users against an ldap server. We are getting the problem if a user types the password wrong, it continues to try to authenticate and after 6 retries, ldap server locks out the account as intrusion detection is in place. The /etc/imapd.conf contains the following:
>
> configdirectory: /var/imap
> partition-default: /var/imap/spool
> admins: john
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain
> altnamespace: yes
> unixhierarchysep: yes
> tls_cert_file: /var/imap/cyrus.pem
> tls_key_file: /var/imap/cyrus.pem
> virtdomains: userid
> defaultdomain: foobar.co.uk
> sendmail: /usr/sbin/sendmail
> # popminpoll: 2
>
> Is there anything we should do to make sure that only one attempt is made and it does not attempt for indefinite period. ldap.conf is as follows:
>
> base o=foobar
> uri ldap://ldap.foobar.co.uk
> tls never
> sasl_secprops none
> ldap_version 3
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
>
> Would be grateful for some ideas.
>
> Many thanks
> Sujit Choudhury

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: problem with authentication
On Thu, 28 Jul 2005, Sujit Choudhury wrote:

> Following my earlier mail, I have forgotten to mention the /etc/pamd/imap consists of the following lines:
>
> #%PAM-1.0
> auth     sufficient  pam_ldap.so
> auth     required    pam_unix.so
> auth     sufficient  pam_ldap.so
> account  required    pam_unix.so

Is the above config correct? You have pam_ldap.so listed twice under the 'auth' setting. I assume that 2nd pam_ldap.so should be under 'account'.

Andy

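The duplicated auth line pointed out in the reply above can be checked mechanically. This is an added example, not part of the original thread and not Cyrus or PAM project code: a simplified model of the PAM control flags sufficient, required, optional and requisite (bracketed controls are not handled) that counts how often pam_ldap.so runs for one wrong password. It assumes each run is recorded by the LDAP server as one failed bind and uses the lockout threshold of 6 mentioned in the thread.

```python
# Added example: simplified model of Linux-PAM control flags (assumption:
# each pam_ldap.so invocation with a wrong password is one failed LDAP bind).
PAM_IMAP = """\
#%PAM-1.0
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so
auth     sufficient  pam_ldap.so
account  required    pam_unix.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0].lstrip("-") == facility:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def modules_run_on_wrong_password(stack):
    """Modules invoked when every module rejects the password.

    A failing sufficient, required or optional module lets the stack
    continue; only a failing requisite module stops it immediately.
    """
    invoked = []
    for control, module, _args in stack:
        invoked.append(module)
        if control == "requisite":
            break
    return invoked

def duplicate_modules(stack):
    """Modules listed more than once in the same facility."""
    names = [module for _control, module, _args in stack]
    return sorted({m for m in names if names.count(m) > 1})

def logins_until_lockout(stack, module="pam_ldap.so", threshold=6):
    """Wrong-password logins needed to reach the server's failure threshold."""
    binds = modules_run_on_wrong_password(stack).count(module)
    return None if binds == 0 else -(-threshold // binds)  # ceiling division

if __name__ == "__main__":
    stack = parse_stack(PAM_IMAP)
    print("listed more than once:", duplicate_modules(stack))
    print("pam_ldap.so runs per wrong login:",
          modules_run_on_wrong_password(stack).count("pam_ldap.so"))
    print("wrong logins until lockout:", logins_until_lockout(stack))
```

The model covers the PAM stack only; retries made by the mail client or by saslauthd are outside it and would add to the count.
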
Re: problem with authentication
Yes you are right, but I inherited it. I tried it with

auth sufficient pam_ldap.so use_first_pass

to no avail. It still locks me in when trying to open an IMAP session with outlook with a wrong password. I am lost.

Sujit

Andrew Morgan wrote:

> On Thu, 28 Jul 2005, Sujit Choudhury wrote:
>
> > Following my earlier mail, I have forgotten to mention the /etc/pamd/imap consists of the following lines:
> >
> > #%PAM-1.0
> > auth     sufficient  pam_ldap.so
> > auth     required    pam_unix.so
> > auth     sufficient  pam_ldap.so
> > account  required    pam_unix.so
>
> Is the above config correct? You have pam_ldap.so listed twice under the 'auth' setting. I assume that 2nd pam_ldap.so should be under 'account'.
>
> Andy

Re: Problem with authentication using Cyrus IMAP 2.2.6 and SASL 2.1.19 on FreeBSD RELENG_5_2. User isn't found/can't authenticate
On 07/26/04 10:08 PM, Anton Jackson-Smith sat at the `puter and typed:

> Hey everyone, I'm having some problems with authentication running Cyrus IMAP 2.2.6 and SASL 2.1.19 on FreeBSD updated to RELENG_5_2 base system and the latest ports.

I'm running exactly the same combination of cyrus and FreeBSD versions. I also had the same authentication problem. Here's what I finally found (after a week's googling, doc reading, etc). Don't use a saslpasswd. Use your regular Unix login password. Saslauthd installs from the FreeBSD ports with pam as the default mechanism. I kept resetting the password for my id at a million different possible realms, and it never worked unless I skipped CRAM-MD5 authentication. Finally, I realized that there's a line in the /usr/local/etc/rc.d/saslauthd.sh script that specifies -a pam as the args. If you want to change this, you'll need to verify the correct mechanism for your needs and set the variable saslauthd_flags in /etc/rc.conf - which will override the rc.d startup.

> Basically, when attempting to login using imtest there's always a second or two delay, followed by S: L01 NO Login failed: authentication failure. I'm using imtest with the following command: imtest -m login -a test localhost.

I got the same thing. BTW, I also had problems with delivery - I'm using procmail, running as the recipient to call deliver. I solved this by setting the suid bit on deliver. Just in case.

HTH
Lou

> Using the SASL sample client/server, I can authenticate fine using the user 'test' with any of the offered mechanisms. CyrAdm also fails to login, giving the error
>
> Login failed: authentication failure at /usr/local/lib/perl5/site_perl/5.8.2/mach/Cyrus/IMAP/Admin.pm line 118
> cyradm: cannot authenticate to server with LOGIN as admin
>
> (Both the users test and admin exist and can be logged into with the sample client/server). I've tried recompiling both suites of software (IMAP and SASL) to use different versions of Berkeley DB to no avail.
>
> I also attempted to use saslauthd using sasldb, but that also fails to authenticate the user, logging the error message
>
> saslauthd[20054]: do_auth : auth failure: [user=admin] [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
>
> I was also getting this problem with older versions of IMAP and SASL I was attempting to get working before I upgraded my ports tree. Posted below are excerpts from logs and config files that may be of some use :). Thanks very much, apologies if I left out some critical information ;)
>
> Anton Jackson-Smith (Landrocker)
>
> === Typical imtest login attempt ===
> [21:48:26] [EMAIL PROTECTED]: /usr/ports/mail/cyrus-imapd22/work# imtest -m login -a test localhost
> S: * OK mail.dyingstar.net Cyrus IMAP4 v2.2.6 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=NTLM AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN test {4}
> S: + go ahead
> C: omitted
> S: L01 NO Login failed: authentication failure
> Authentication failed. generic failure
> Security strength factor: 0
> . logout
> * BYE LOGOUT received
> . OK Completed
> Connection closed.
> =
>
> === Typical Sample Client login attempt
> [21:58:57] [EMAIL PROTECTED]: /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.19/sample# ./client -s saslauthd -m DIGEST-MD5 localhost
> receiving capability list...
> recv: {57}
> NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
> NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
> send: {10}
> DIGEST-MD5
> send: {1}
> N
> recv: {124}
> nonce=snip for length,realm=aries.dyingstar.net,qop=auth,charset=utf-8,algorithm=md5-sess
> please enter an authentication id: test
> please enter an authorization id: test
> Password:
> send: {246}
> username=test,realm=aries.dyingstar.net,nonce=snip for length,nc=0001,qop=auth,digest-uri=saslauthd/localhost,response=a9dcefae5af239d91886f0eabf948f22
> recv: {40}
> rspauth=af70d484fa5b5718132e8489daa25850
> send: {0}
> successful authentication
> closing connection
> =
>
> === Log message generated from attempted imtest login ===
> Jul 26 22:01:09 aries imap[32204]: badlogin: localhost [::1] plaintext test SASL(-13): user not found: checkpass failed
> =
>
> === Log message from imtest using saslauthd and imtest ===
> saslauthd[20055]: do_auth : auth failure: [user=test] [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
> =
>
> === imapd.conf (Comments stripped)===
> configdirectory: /usr/local/cyrus/config
> partition-default: /usr/local/cyrus/spool
> unixhierarchysep: no
> servername: mail.dyingstar.net