Victor via FreeIPA-users wrote:
> Hello,
> 
> Everything is set up on the same machine as described here:
> https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
> 
> I'm trying to check whether a user belongs to a group or not:
> 
> (0)    if (LDAP-Group == "someusers") {
> (0)    Searching for user in group "someusers"
> rlm_ldap (ldap): Reserved connection (6)
> (0)    Using user DN from request "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
> (0)    Checking for user in group objects
> (0)      EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
> (0)          --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
> (0)      Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
> (0)      Waiting for search result...
> (0)      Search returned no results
> (0)    Checking user object's memberOf attributes
> (0)      Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
> (0)      Waiting for search result...
> (0)    No group membership attribute(s) found in user object
> rlm_ldap (ldap): Released connection (6)
> 
> but
> 
> ldapsearch -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=domain,dc=local> with scope subtree
> # filter: (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
> # requesting: ALL
> #
> 
> # someusers, groups, accounts, domain.local
> dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
> objectClass: ipausergroup
> objectClass: ipaobject
> description: Default group for all users
> cn: someusers
> ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
> member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
> member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> and
> 
> 
> ldapsearch -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # common_user, users, accounts, domain.local
> dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
> displayName: utilisateur banal
> uid: common_user
> krbCanonicalName: common_user@DOMAIN.LOCAL
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipauserauthtypeclass
> loginShell: /bin/bash
> initials: ub
> gecos: utilisateur banal
> sn: banal
> homeDirectory: /home/common_user
> mail: common_user@domain.local
> krbPrincipalName: common_user@DOMAIN.LOCAL
> givenName: utilisateur
> cn: utilisateur banal
> ipaUniqueID: some_unique_ID
> uidNumber: theSameNumber
> gidNumber: theSameNumber
> krbPasswordExpiration: the_pass_exp
> krbLastPwdChange: the_pass_exp
> memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
> memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
> ipaUserAuthType: o_type
> ipaSshPubKey: some_pubkey
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> Some of the configuration:
> 
> /etc/raddb/sites-enabled/default
> ...
>     user {
>         base_dn = "${..base_dn}"
>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>         sasl {
>         }
>     }
>     group {
>         base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
>         scope = 'sub'
>         membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
>         membership_attribute = 'memberOf'
>     }
> 
> /etc/raddb/mods-enabled/ldap
> ...
> post-auth {
>     update {
>         &reply: += &session-state:
>     }
>     -sql
>     exec
>     remove_reply_message_if_eap
>     Post-Auth-Type REJECT {
>         -sql
>         attr_filter.access_reject
> 
>         eap
> 
>         remove_reply_message_if_eap
>     }
>     Post-Auth-Type Challenge {
>     }
>     if (LDAP-Group == "someusers") {
>         update {
>             reply:Class := "OKOKOKOKOK"
>         }
>     }
>     else {
>         update {
>             reply:Class := "NONONONONO"
>         }
>     }
> }
> 
> Where to go from here?

So looking at the log you provided:

(0)      Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"

I can't make heads or tails of that filter, but it requires that
cn=someusers and that will never be true so it will always fail.

I would closely examine the 389-ds access logs after trying to
identify/authenticate users to see what the logged filters look like to
see if they are the same.

I know literally zero about radius so take this with a grain of salt.

rob
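To make Rob's point concrete, here is a small LDAP filter evaluator (an added example, not code from the thread or from FreeIPA/FreeRADIUS) that replays the group search from the rlm_ldap debug output, and the two ldapsearch queries, against the entries those queries returned. The entry attributes are copied from the ldapsearch output above; the matching rules (equality, & and |, case-insensitive values, RFC 4515 hex escapes) are a simplified model of the server and an assumption, not 389-ds itself.

```python
import re

# Entries copied from Victor's two ldapsearch results (attribute names lower-cased, since
# LDAP matches them case-insensitively; attributes the filters never test are omitted).
USER_DN = "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
GROUP_DN = "cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local"
DIRECTORY = {
    USER_DN: {"uid": ["common_user"], "cn": ["utilisateur banal"],
              "memberof": [GROUP_DN, "cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local"]},
    GROUP_DN: {"cn": ["someusers"],
               "member": [USER_DN, "uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local"]},
}
# The filter rlm_ldap composed in the debug output: (cn=someusers) AND the membership_filter.
COMPOSED_FILTER = "(&(cn=someusers)(|(&(uid=common_user)(memberOf=%s))))" % GROUP_DN

def parse(filt):
    """Parse an RFC 4515 filter into ('&', kids), ('|', kids) or ('=', attr, value) nodes.
    Only the operators the thread's filters use are implemented (simplified model)."""
    pos = 0
    def item():
        nonlocal pos
        if filt[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if filt[pos] in "&|":
            op, kids, pos = filt[pos], [], pos + 1
            while filt[pos] == "(":
                kids.append(item())
            pos += 1                                   # consume the closing ')'
            return (op, kids)
        end = filt.index(")", pos)
        attr, _, value = filt[pos:end].partition("=")  # first '=' splits attr from value
        pos = end + 1
        # Decode RFC 4515 hex escapes such as the \3d and \2c in the ldapsearch filter above
        value = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.strip().lower(), value)
    return item()

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search(base_dn, scope, filt):
    """DNs in DIRECTORY that lie within base_dn (scope 'base' or 'sub') and match filt."""
    node, base = parse(filt), base_dn.lower()
    return [dn for dn, e in DIRECTORY.items() if matches(node, e)
            and (dn.lower() == base or (scope == "sub" and dn.lower().endswith("," + base)))]
```

Run against these entries, the composed filter under the user's own DN matches nothing, because the only entry in that subtree is the user object and it has no cn=someusers; the membership_filter alone does match the user entry, and the member= test from the ldapsearch matches the group entry.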
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org