On Thu, 06 Aug 2020, Victor via FreeIPA-users wrote:
Hello Rob,

The problem is that the logs show the exact same search request (only the
timeLimit differs: 10 vs 0) and the same bind credentials, which fail in the
case of the rlm_ldap request and succeed for ldapsearch:

[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345 <=FAIL
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND


Could you please show the full output for conn=719?
What was it using to bind to LDAP?

If it is an anonymous connection, it clearly cannot see the member
attribute, as the default ACIs prevent that for anonymous connections.
You need to always be authenticated on the connection that attempts to
look up the member / memberOf attributes.


[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435 <=SUCCEED
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND

The Result:
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))
# requesting: ALL
#

# ipausers, groups, accounts, domain.local
dn: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: c862bf44-d36b-11ea-84a9-3ed34312a8ce
member: uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Victor



On Wednesday, August 5, 2020, 05:42:17 PM UTC, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:





Victor via FreeIPA-users wrote:
Hello,

Everything is set up on the same machine as described here:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

I'm trying to check whether a user belongs to a group or not:

(0)    if (LDAP-Group == "someusers") {
(0)    Searching for user in group "someusers"
rlm_ldap (ldap): Reserved connection (6)
(0)    Using user DN from request 
"uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
(0)    Checking for user in group objects
(0)      EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)          --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)      Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
(0)      Waiting for search result...
(0)      Search returned no results
(0)    Checking user object's memberOf attributes
(0)      Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
(0)      Waiting for search result...
(0)    No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (6)

but

ldapsearch -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> with scope subtree
# filter: (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
# requesting: ALL
#

# someusers, groups, accounts, domain.local
dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: someusers
ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

and


ldapsearch -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# common_user, users, accounts, domain.local
dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
displayName: utilisateur banal
uid: common_user
krbCanonicalName: common_user@DOMAIN.LOCAL
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/bash
initials: ub
gecos: utilisateur banal
sn: banal
homeDirectory: /home/common_user
mail: common_user@domain.local
krbPrincipalName: common_user@DOMAIN.LOCAL
givenName: utilisateur
cn: utilisateur banal
ipaUniqueID: some_unique_ID
uidNumber: theSameNumber
gidNumber: theSameNumber
krbPasswordExpiration: the_pass_exp
krbLastPwdChange: the_pass_exp
memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
ipaUserAuthType: o_type
ipaSshPubKey: some_pubkey

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Some of the configuration:

/etc/raddb/sites-enabled/default
...
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
        scope = 'sub'
        membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
        membership_attribute = 'memberOf'
    }

/etc/raddb/mods-enabled/ldap
...
post-auth {
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject

        eap

        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
    if (LDAP-Group == "someusers") {
        update {
            reply:Class := "OKOKOKOKOK"
        }
    }
    else {
        update {
            reply:Class := "NONONONONO"
        }
    }
}

Where to go from here?

So looking at the log you provided:

(0)      Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"

I can't make heads or tails of that filter, but it requires that
cn=someusers and that will never be true so it will always fail.

I would closely examine the 389-ds access logs after trying to
identify/authenticate users to see what the logged filters look like to
see if they are the same.

I know literally zero about radius so take this with a grain of salt.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
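A way to see Rob's point about the filter concretely, as an added example that is not code from the thread, from FreeRADIUS or from 389-ds: a small evaluator for the &, |, !, presence and equality subset of RFC 4515 filters, run against entries constructed from the LDIF Victor posted (attribute subset only). It replays rlm_ldap's search (base = the user's own entry, filter requiring cn=someusers, which the user entry can never satisfy) and Victor's ldapsearch (member= filter against the tree), and adds a groups_of() helper that queries the groups container with a properly escaped member= filter, which is what the successful ldapsearch did. ENTRIES, USER_DN, GROUPS_BASE and all helper names are this example's own.

```python
import re

# Constructed from the LDIF in the thread; attribute names are lower-cased
# because LDAP attribute types are case-insensitive.
ENTRIES = {
    "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local": {
        "uid": ["common_user"],
        "cn": ["utilisateur banal"],
        "objectclass": ["top", "person", "inetorgperson", "posixaccount"],
        "memberof": [
            "cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local",
            "cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local",
        ],
    },
    "cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local": {
        "cn": ["someusers"],
        "objectclass": ["top", "groupofnames", "ipausergroup", "ipaobject"],
        "member": [
            "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local",
            "uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local",
        ],
    },
}
USER_DN = "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
GROUPS_BASE = "cn=groups,cn=accounts,dc=domain,dc=local"

# The two filters exactly as they appear in the thread.
RLM_LDAP_FILTER = ("(&(cn=someusers)(|(&(uid=common_user)"
                   "(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))")
LDAPSEARCH_FILTER = r"(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))"


def _unescape(value):
    # Decode RFC 4515 \XX hex escapes, e.g. \3d -> '=' and \2c -> ','.
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def escape_filter_value(value):
    """Escape a value before embedding it in a filter (RFC 4515 section 3),
    so user-supplied data cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_filter(text):
    """Parse the &, |, !, presence and equality subset of RFC 4515."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("(") or len(s) < 2:
        raise ValueError("expected '(' at %r" % s[:20])
    s = s[1:]
    if s[0] in "&|":                      # n-ary AND / OR
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unterminated %r list" % op)
        return (op, kids), s[1:]
    if s[0] == "!":                       # NOT
        kid, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unterminated negation")
        return ("!", [kid]), s[1:]
    m = re.match(r"([A-Za-z][\w;-]*)=([^()]*)\)", s)   # attr=value or attr=*
    if not m:
        raise ValueError("unsupported or malformed item at %r" % s[:40])
    return ("=", m.group(1).lower(), _unescape(m.group(2))), s[m.end():]


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    attr, value = node[1], node[2]
    present = [v.lower() for v in entry.get(attr, [])]
    return bool(present) if value == "*" else value.lower() in present


def search(base, scope, filter_text):
    """DNs at/under `base` (scope 'base' or 'sub') matching the filter."""
    node, base = parse_filter(filter_text), base.lower()
    hits = []
    for dn, entry in ENTRIES.items():
        d = dn.lower()
        in_scope = d == base or (scope == "sub" and d.endswith("," + base))
        if in_scope and matches(node, entry):
            hits.append(dn)
    return hits


def groups_of(user_dn):
    """Group lookup the way the successful ldapsearch did it: search the groups
    container for entries whose member attribute names the user's DN."""
    flt = "(&(objectClass=ipausergroup)(member=%s))" % escape_filter_value(user_dn)
    return search(GROUPS_BASE, "sub", flt)


if __name__ == "__main__":
    print("rlm_ldap search :", search(USER_DN, "sub", RLM_LDAP_FILTER))
    print("ldapsearch      :", search("dc=domain,dc=local", "sub", LDAPSEARCH_FILTER))
    print("groups_of user  :", groups_of(USER_DN))
```

Running it, the rlm_ldap replay returns no entries (the only entry in scope is the user, whose cn is "utilisateur banal", so the cn=someusers term fails), while both the member= searches return cn=someusers. Note that `escape_filter_value` treats the user DN as opaque data; the `\3d` / `\2c` escapes in Victor's command are not required by RFC 4515 but are harmless, and `_unescape` handles them.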
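Alexander's question (what did conn=719 bind as?) can be answered from the access log alone once BIND/RESULT records are correlated with SRCH records per connection, which is also what Rob suggested checking. The following is an added example, not code from the thread, from FreeRADIUS or from 389-ds. It parses the access-log records quoted above (re-joined onto one line each, with the hand-written <=FAIL / <=SUCCEED annotations removed, embedded here as constructed sample input) and reports the bind identity each search ran under, flagging searches that touch member/memberOf on a connection with no successful BIND in the supplied text. In the excerpt no BIND for conn=719 appears, so it is flagged; whether that connection was really anonymous still needs the full conn=719 lines Alexander asked for. The log-line regexes assume the 389-ds access-log layout shown in the thread.

```python
import re

# Constructed sample: the 389-ds access-log records quoted in the thread,
# re-joined onto one line each, annotations removed.
SAMPLE_LOG = """\
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
MEMBERSHIP_RE = re.compile(r'\b(member|memberof|uniquemember)=', re.IGNORECASE)


def _field(rest, name):
    """Value of name=... in a record; quoted values may contain spaces.
    An explicit dn="" (anonymous bind) yields "" rather than None."""
    m = re.search(r'\b' + re.escape(name) + r'=(?:"([^"]*)"|(\S+))', rest)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def correlate(log_text):
    """One record per SRCH, carrying the bind identity of its connection.

    bound_as is the DN of the last successful BIND on that connection, "" for
    an explicit anonymous bind, or None when no BIND for the connection occurs
    in the supplied text (the excerpt may simply not include it).
    """
    bound = {}     # conn -> DN of last successful BIND
    pending = {}   # (conn, op) -> DN of a BIND waiting for its RESULT
    searches = {}  # (conn, op) -> search record waiting for its RESULT
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, kind, rest = m['conn'], m['op'], m['kind'], m['rest']
        if kind == 'BIND':
            pending[(conn, op)] = _field(rest, 'dn') or ''
        elif kind == 'SRCH':
            rec = {'conn': conn, 'op': op, 'base': _field(rest, 'base'),
                   'filter': _field(rest, 'filter'), 'bound_as': bound.get(conn),
                   'nentries': None, 'err': None}
            searches[(conn, op)] = rec
            records.append(rec)
        elif kind == 'RESULT':
            err = int(_field(rest, 'err') or 0)
            tag = _field(rest, 'tag')
            if tag == '97' and (conn, op) in pending:        # BindResponse
                dn = pending.pop((conn, op))
                if err == 0:
                    bound[conn] = dn
            elif tag == '101' and (conn, op) in searches:    # SearchResultDone
                searches[(conn, op)]['nentries'] = int(_field(rest, 'nentries') or 0)
                searches[(conn, op)]['err'] = err
        elif kind == 'UNBIND':
            bound.pop(conn, None)
    return records


def unauthenticated_membership_searches(records):
    """Searches that reference member/memberOf on a connection that is
    anonymous or has no successful BIND in the supplied text."""
    return [r for r in records
            if not r['bound_as'] and r['filter'] and MEMBERSHIP_RE.search(r['filter'])]


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        who = r['bound_as'] if r['bound_as'] else '<no bind seen / anonymous>'
        print("conn=%s op=%s bound_as=%s nentries=%s" % (r['conn'], r['op'], who, r['nentries']))
```

On the sample input the conn=728 search reports bound_as uid=baseuser with nentries=1, while the conn=719 search has no bind identity in the excerpt and nentries=0, which is exactly the pair Victor labelled <=SUCCEED and <=FAIL. Run over a complete access log the same correlation shows whether rlm_ldap really issued the group search on a bound connection or on a separate, never-bound one.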
