Re: problem in Authentication.

2007-05-16 Thread Dmitriy Kirhlarov
On Wed, May 16, 2007 at 11:56:19AM +0400, Rajeev R Veedu wrote:

 The system was up about 1 year and I never faced this problem. Also I
 haven't changed any settings in the configuration. 
 
  
 
 Since yesterday I am getting this RANDOM authentication failure and would
 appreciate if you could help me,

try to clean saslauthd cache with saslcache and restart saslauthd.

WBR.
Dmitriy

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: problem in Authentication.

2007-05-16 Thread 'Dmitriy Kirhlarov'
On Wed, May 16, 2007 at 02:53:49PM +0400, Rajeev R Veedu wrote:
 
 I cannot locate saslcache. Can you tell me where it could be (I am running
 Cyrus on Centos4)

hm..
can't see on CentOS4 too.
But on FreeBSD:
$ pkg_info -Lx saslauthd | grep cache
/usr/local/sbin/saslcache

I'm looking at my port Makefile:
do-build:
...
cd ${WRKSRC}/saslauthd && ${MAKE} saslcache
...

I think you must properly configure your spec-file and rebuild sasl's
rpm's.

WBR.
Dmitriy



RE: problem in Authentication.

2007-05-16 Thread Rajeev R Veedu

I cannot locate saslcache. Can you tell me where it could be (I am running
Cyrus on Centos4)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dmitriy
Kirhlarov
Sent: Wednesday, May 16, 2007 2:06 PM
To: info-cyrus@lists.andrew.cmu.edu
Subject: Re: problem in Authentication.

On Wed, May 16, 2007 at 11:56:19AM +0400, Rajeev R Veedu wrote:

 The system was up about 1 year and I never faced this problem. Also I
 haven't changed any settings in the configuration. 
 
  
 
 Since yesterday I am getting this RANDOM authentication failure and would
 appreciate if you could help me,

try to clean saslauthd cache with saslcache and restart saslauthd.

WBR.
Dmitriy



Re: problem with authentication

2005-07-28 Thread Sujit Choudhury
Following my earlier mail, I forgot to mention that /etc/pamd/imap 
consists of the following lines:

#%PAM-1.0
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so
auth     sufficient  pam_ldap.so
account  required    pam_unix.so

And cyrus is running on SuSE Linux 9.0.

Many thanks

Sujit

Sujit Choudhury wrote:
We are running cyrus imapd, which authenticates its users against an 
ldap server.  We are getting the problem that if a user types the password 
wrong, it continues to try to authenticate and after 6 retries, the ldap 
server locks out the account as intrusion detection is in place.


The /etc/imapd.conf contains the following:
configdirectory: /var/imap
partition-default: /var/imap/spool
admins: john
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain
altnamespace: yes
unixhierarchysep: yes
tls_cert_file: /var/imap/cyrus.pem
tls_key_file: /var/imap/cyrus.pem
virtdomains: userid
defaultdomain: foobar.co.uk
sendmail: /usr/sbin/sendmail
# popminpoll: 2

Is there anything we should do to make sure that only one attempt is 
made and it does not keep attempting for an indefinite period?


ldap.conf is as follows:

base            o=foobar
uri             ldap://ldap.foobar.co.uk
tls             never
sasl_secprops   none
ldap_version    3
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF  never

Would be grateful for some ideas.

Many thanks

Sujit Choudhury




---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html



Re: problem with authentication

2005-07-28 Thread Andrew Morgan


On Thu, 28 Jul 2005, Sujit Choudhury wrote:

Following my earlier mail, I forgot to mention that /etc/pamd/imap 
consists of the following lines:

#%PAM-1.0
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so
auth     sufficient  pam_ldap.so
account  required    pam_unix.so


Is the above config correct?  You have pam_ldap.so listed twice under the 
'auth' setting.  I assume that 2nd pam_ldap.so should be under 'account'.


Andy
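
An added example, not part of the thread and not Cyrus or PAM project code: a small checker for the duplicate that the reply above spots by eye. It parses a PAM service file, flags any module listed more than once under one type, and counts how often each auth module runs for a single rejected password; the sample is the quoted file with whitespace restored, and the function names are illustrative.

```python
from collections import Counter

# Constructed sample: the service file quoted in the thread, whitespace restored.
SAMPLE = """\
#%PAM-1.0
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so
auth     sufficient  pam_ldap.so
account  required    pam_unix.so
"""

def parse_pam(text):
    """Return (type, control, module, args) tuples, one per rule line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and the #%PAM header
        if not fields:
            continue
        # Bracketed controls ([success=1 ...]) are out of scope for this sketch.
        if len(fields) < 3 or fields[1].startswith("["):
            raise ValueError(f"unsupported PAM rule: {raw!r}")
        rules.append((fields[0].lstrip("-"), fields[1], fields[2], fields[3:]))
    return rules

def duplicate_modules(rules):
    """(type, module) pairs that appear more than once in the same stack."""
    counts = Counter((t, m) for t, _, m, _ in rules)
    return sorted(key for key, n in counts.items() if n > 1)

def calls_on_bad_password(rules, pam_type="auth"):
    """Count module invocations when every module rejects the password.

    Simple control flags only: a failing 'requisite' ends the stack, while
    failing 'required', 'sufficient' and 'optional' rules let it continue.
    """
    calls = Counter()
    for t, control, module, _ in rules:
        if t != pam_type:
            continue
        calls[module] += 1
        if control == "requisite":
            break
    return calls

if __name__ == "__main__":
    rules = parse_pam(SAMPLE)
    print("duplicates:", duplicate_modules(rules))
    print("calls per wrong password:", dict(calls_on_bad_password(rules)))
```

On the sample, pam_ldap.so runs twice in the auth stack for one rejected password; moving the second entry to 'account', as the reply assumes was intended, brings that down to one.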


Re: problem with authentication

2005-07-28 Thread Sujit Choudhury

Yes, you are right, but I inherited it. I tried it with
auth     sufficient  pam_ldap.so use_first_pass

to no avail.  It still locks me in when trying to open an IMAP session 
with Outlook with a wrong password.


I am lost.

Sujit


Andrew Morgan wrote:


On Thu, 28 Jul 2005, Sujit Choudhury wrote:

Following my earlier mail, I forgot to mention that /etc/pamd/imap 
consists of the following lines:

#%PAM-1.0
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so
auth     sufficient  pam_ldap.so
account  required    pam_unix.so



Is the above config correct?  You have pam_ldap.so listed twice under 
the 'auth' setting.  I assume that 2nd pam_ldap.so should be under 
'account'.


Andy



Re: Problem with authentication using Cyrus IMAP 2.2.6 and SASL 2.1.19 on FreeBSD RELENG_5_2. User isn't found/can't authenticate

2004-07-26 Thread Louis LeBlanc
On 07/26/04 10:08 PM, Anton Jackson-Smith sat at the `puter and typed:
 Hey everyone,
 I'm having some problems with authentication running Cyrus IMAP 2.2.6 
 and SASL 2.1.19 on FreeBSD updated to RELENG_5_2 base system and the 
 latest ports.

I'm running exactly the same combination of cyrus and FreeBSD
versions.  I also had the same authentication problem.  Here's what I
finally found (after a week's googling, doc reading, etc).  Don't use a
saslpasswd.  Use your regular Unix login password.  Saslauthd installs
from the FreeBSD ports with pam as the default mechanism.  I kept
resetting the password for my id at a million different possible
realms, and it never worked unless I skipped CRAM-MD5 authentication.
Finally, I realized that there's a line in the
/usr/local/etc/rc.d/saslauthd.sh script that specifies -a pam as the
args.  If you want to change this, you'll need to verify the correct
mechanism for your needs and set the variable saslauthd_flags in
/etc/rc.conf - which will override the rc.d startup.

 Basically, when attempting to login using imtest there's always a second 
 or two delay, followed by S: L01 NO Login failed: authentication 
 failure. I'm using imtest with the following command: imtest -m login 
 -a test localhost.

I got the same thing.


BTW, I also had problems with delivery - I'm using procmail, running
as the recipient to call deliver.  I solved this by setting the suid
bit on deliver.  Just in case.

HTH
Lou

 Using the SASL sample client/server, I can authenticate fine using the 
 user 'test' with any of the offered mechanisms.
 
 CyrAdm also fails to login, giving the error Login failed: 
 authentication failure at 
 /usr/local/lib/perl5/site_perl/5.8.2/mach/Cyrus/IMAP/Admin.pm line 118
 cyradm: cannot authenticate to server with LOGIN as admin
 
 (Both the users test and admin exist and can be logged into with the 
 sample client/server).
 
 I've tried recompiling both suites of software (IMAP and SASL) to use 
 different versions of Berkeley DB to no avail. I also attempted to use 
 saslauthd using sasldb, but that also fails to authenticate the user, 
 logging the error message saslauthd[20054]: do_auth : auth 
 failure: [user=admin] [service=imap] [realm=] [mech=sasldb] 
 [reason=Unknown]
 
 I was also getting this problem with older versions of IMAP and SASL I 
 was attempting to get working before I upgraded my ports tree.
 
 Posted below are excerpts from logs and config files that may be of some 
 use :).
 
 Thanks very much, apologies if I left out some critical information ;)
 
 Anton Jackson-Smith (Landrocker)
 
 
 === Typical imtest login attempt ===
 [21:48:26] [EMAIL PROTECTED]: /usr/ports/mail/cyrus-imapd22/work# imtest -m 
 login -a test localhost
 S: * OK mail.dyingstar.net Cyrus IMAP4 v2.2.6 server ready
 C: C01 CAPABILITY
 S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
 NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND 
 BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE 
 AUTH=NTLM AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT 
 LIST-SUBSCRIBED
 S: C01 OK Completed
 Please enter your password:
 C: L01 LOGIN test {4}
 S: + go ahead
 C: omitted
 S: L01 NO Login failed: authentication failure
 Authentication failed. generic failure
 Security strength factor: 0
 . logout
 * BYE LOGOUT received
 . OK Completed
 Connection closed.
 =
 
 === Typical Sample Client login attempt 
 [21:58:57] [EMAIL PROTECTED]: 
 /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.19/sample# ./client 
 -s saslauthd -m DIGEST-MD5 localhost
 receiving capability list... recv: {57}
 NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
 NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
 send: {10}
 DIGEST-MD5
 send: {1}
 N
 recv: {124}
 nonce=snip for 
 length,realm=aries.dyingstar.net,qop=auth,charset=utf-8,algorithm=md5-sess
 please enter an authentication id: test
 please enter an authorization id: test
 Password:
 send: {246}
 username=test,realm=aries.dyingstar.net,nonce=snip for 
 length,nc=0001,qop=auth,digest-uri=saslauthd/localhost,response=a9dcefae5af239d91886f0eabf948f22
 recv: {40}
 rspauth=af70d484fa5b5718132e8489daa25850
 send: {0}
 
 successful authentication
 closing connection
 =
 
 === Log message generated from attempted imtest login ===
 Jul 26 22:01:09 aries imap[32204]: badlogin: localhost [::1] plaintext 
 test SASL(-13): user not found: checkpass failed
 =
 
 === Log message from imtest using saslauthd and imtest ===
 saslauthd[20055]: do_auth : auth failure: [user=test] 
 [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
 =
 
 === imapd.conf (Comments stripped)===
 configdirectory: /usr/local/cyrus/config
 partition-default: /usr/local/cyrus/spool
 unixhierarchysep: no
 servername: mail.dyingstar.net