Igor,

Thanks for all your help. As it turns out, my friend was able to solve the
problem. I don't have the patch in front of me, but my friend did a little
digging in the saslauthd code and found a bug in its LDAP caching mechanism.
Since his change the problem has not reoccurred. My friend has assured me he
will send the patch/bug to the list as soon as he cleans up his changes.

Sincerely,
Lee

-----Original Message-----
From: Igor Brezac [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 23, 2002 11:57 AM
To: Lee Hoffman
Subject: RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

Lee,

Can you apply the attached patch and recompile saslauthd?

cd $cyrus-sasl-src/saslauthd
patch -p0 < /tmp/saslauthd.patch
make

Restart saslauthd and email me syslog entries after auth begins to fail. I
added a few extra debug codes which should help me see what is going on.

Thanks,
-Igor

On Fri, 20 Sep 2002, Lee Hoffman wrote:

> Hey Igor,
>
> Running ldapsearch when the server is printing the AUTHFAILS returns
> what you would expect, the single user account entry for the user. Based
> on the fact that restarting the ldap server seems to help, one would
> think that it's an ldap server problem. But I just don't see how that can
> be since I've run 3 different versions of openldap, on two different
> servers, and the ldap server load never goes above 0.10.
>
> Any other ideas?
>
> Thanks,
> Lee
>
> -----Original Message-----
> From: Igor Brezac [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 6:39 PM
> To: Lee Hoffman
> Cc: [EMAIL PROTECTED]
> Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL
>
>
> On Fri, 20 Sep 2002, Lee Hoffman wrote:
>
> > I've been pulling my hair out with this for nearly 4 days now. I have
> > cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
> >
> > SASL:
> > ./configure --enable-plain --disable-krb4
> > --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
> >
> > IMAP:
> > ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> > --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
> >
> > Basically I CYRUS->SASLAUTHD->LDAP
> >
> > For some reason users intermittently will be prompted for their
> > password over and over. The sasl debug log shows the following lines
> > when that happens:
> >
> > Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more
> > than one entries found (uid=superman).
> > Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman
> > service=imap realm=
> >
> > (ldap logs show nothing)
> >
> > The user always exists in the ldap directory. In fact 75% of the time
> > they can login and use mail without problems. It seems like when I
> > restart the ldap directory the AUTHFAILS stop happening for a while. I
> > have the ldap directory restarting ldap every 5 minutes now, which
> > seems to be keeping the AUTHFAILS to a minimum (but they are still
> > happening).
> >
> >
> > I immediately figured it was an LDAP problem. However, I've now tried
> > openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried
> > each of these three versions on two different servers (one with
> > redhat, one with debian). Both servers were completely different
> > hardware. I also tried different versions of the ldap client library
> > (and of course recompiled cyrus and sasl after trying each) on the
> > cyrus server. Nothing stops these intermittent AUTHFAILS.
> >
> > Does anyone have any idea what's going on? I'm desperate. Any ideas
> > would be appreciated.
> >
>
> Are there any other saslauthd lines in the syslog? What happens when
> you run
>
> ldapsearch -x -b ou=users,dc=location,dc=com -D cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman
>
> on the command line after you start getting AUTHFAIL messages?
> How many entries, if any, are returned?
>
> Your configuration looks good.
>
> >
> > SASLAUTHD.CONF:
> >
> > ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
> > ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
> > ldap_bind_pw: password
> > ldap_auth_method: bind
> > ldap_search_base: ou=users,dc=location,dc=com
> > ldap_debug: 5000
> > ldap_timeout: 15 # tried multiple values here too
> > ldap_time_limit: 15 # tried multiple values here too
> >
> >
> > IMAPD.CONF
> >
> > configdirectory: /export/cyrus/imap
> > partition-default: /export/cyrus/spool/imap
> > admins: admin
> > #sasl_pwcheck_method: pam
> >
> > tls_cert_file: /export/cyrus/server.pem
> > tls_key_file: /export/cyrus/server.pem
> >
> > allowanonymouslogin: no
> > allowplaintext: yes
> > sasl_mech_list: PLAIN
> > servername: localhost
> > autocreatequota: 10000
> > reject8bit: no
> > quotawarn: 90
> > timeout: 30
> > poptimeout: 10
> > dracinterval: 0
> > drachost: localhost
> > sasl_pwcheck_method: saslauthd
> > #sievedir: /usr/sieve
> > #sendmail: /usr/sbin/sendmail
> > #sieve_maxscriptsize: 32
> > #sieve_maxscripts: 5
> >
> > # Get rid of folders as subfolders of INBOX
> > altnamespace: yes
> > unixhierarchysep: yes
> >
> >
>
> --
> Igor
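An added example, not part of this thread, for triaging the syslog lines quoted in it: with ldap_auth_method: bind, saslauthd first searches the directory for the user's entry and only then binds with the supplied password, so an AUTHFAIL that is preceded (same pid, same second) by "Entry not found or more than one entries found" is a lookup failure, not a wrong password. The script separates the two, using the log format from the thread plus constructed sample lines; the second and third sample failures and the batman user are made up.

```python
import re
from collections import defaultdict

# Line shape taken from the thread: "Sep 20 16:53:46 host saslauthd[341]: msg"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) saslauthd\[(\d+)\]: (.*)$")
LOOKUP_RE = re.compile(r"^Entry not found or more than one entries found \((\w+)=([^)]+)\)\.?$")
AUTHFAIL_RE = re.compile(r"^AUTHFAIL: user=(\S*) service=(\S*) realm=(\S*)$")


def parse_saslauthd_log(lines):
    """One dict per AUTHFAIL; cause is 'lookup' when the directory search
    failed right before it (same pid, same user, same timestamp), else 'unknown'."""
    pending = {}  # pid -> (uid, timestamp) of the last lookup failure logged
    events = []
    for raw in lines:
        m = SYSLOG_RE.match(raw.strip())
        if not m:
            continue  # not a saslauthd line
        ts, _host, pid, msg = m.groups()
        lk = LOOKUP_RE.match(msg)
        if lk:
            pending[pid] = (lk.group(2), ts)
            continue
        af = AUTHFAIL_RE.match(msg)
        if not af:
            continue
        user, service, realm = af.groups()
        last = pending.pop(pid, None)
        cause = "lookup" if last and last == (user, ts) else "unknown"
        events.append({"ts": ts, "pid": pid, "user": user, "service": service,
                       "realm": realm, "cause": cause})
    return events


def summarize(events):
    """Per user: total AUTHFAILs and how many were directory lookup failures."""
    out = defaultdict(lambda: {"total": 0, "lookup": 0})
    for e in events:
        out[e["user"]]["total"] += 1
        if e["cause"] == "lookup":
            out[e["user"]]["lookup"] += 1
    return dict(out)


# Constructed sample: the two lines from the thread, then a made-up AUTHFAIL
# with no lookup message before it, then a made-up lookup failure for batman.
SAMPLE_LOG = """\
Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
Sep 20 16:54:02 servername saslauthd[342]: AUTHFAIL: user=superman service=imap realm=
Sep 20 16:55:10 servername saslauthd[341]: Entry not found or more than one entries found (uid=batman).
Sep 20 16:55:10 servername saslauthd[341]: AUTHFAIL: user=batman service=pop3 realm=
""".splitlines()

if __name__ == "__main__":
    for user, c in summarize(parse_saslauthd_log(SAMPLE_LOG)).items():
        print(f"{user}: {c['lookup']} of {c['total']} AUTHFAILs were LDAP lookup failures")
```

A user whose entry ldapsearch returns exactly once but whose AUTHFAILs are mostly tagged "lookup" points at the saslauthd search stage rather than at credentials, which is the pattern this thread describes.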