Hello Rob,
The problem is that the logs indicate the exact same search request (only timeLimit
differs: 10 vs 0) and bind credentials, which in the case of the rlm_ldap request
fail and in the case of ldapsearch succeed:
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND
dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0
etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH
base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2
filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))"
attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101
nentries=0 etime=0.000957345 <=FAIL
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND
dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0
etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH
base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2
filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))"
attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101
nentries=1 etime=0.001385435 <=SUCCEED
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
The Result:
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=domain,dc=local> with scope subtree
# filter:
(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))
# requesting: ALL
#
# ipausers, groups, accounts, domain.local
dn: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: c862bf44-d36b-11ea-84a9-3ed34312a8ce
member: uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Victor
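To make the comparison above mechanical rather than by eye, here is a small correlator for 389-ds access logs. It is an added example, not code from the thread or from FreeIPA/FreeRADIUS. It pairs each SRCH with its RESULT by conn/op, records which DN was last bound on that connection (the identity against which 389-ds evaluates ACIs), and reports the fields on which two otherwise equal searches differ. The sample input is the access-log excerpt from the mail above, re-joined onto one record per line as 389-ds writes it; the field names (base, scope, filter, nentries, err, dn) are the real 389-ds ones, while the placeholder string for a connection whose BIND is outside the excerpt is this example's own.

```python
import re

# The access-log lines quoted in the thread above, one record per line
# (the mail client had wrapped them). Not new data.
ACCESS_LOG = """\
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
"""

# Placeholder used when the BIND for a connection is not in the log we were given.
UNKNOWN_BIND = "<bind not in excerpt>"

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
# key=value pairs; values are either double-quoted (may contain spaces/parens) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fields(rest):
    """Turn the trailing 'key=value key="v a l"' part of a record into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(rest)}


def correlate(log_text):
    """Pair every SRCH with its RESULT and annotate it with the DN bound on that
    connection at the time. Returns one dict per completed search, in log order."""
    bound = {}      # conn -> DN of the last successful BIND on that connection
    pending = {}    # (conn, op) -> request fields awaiting their RESULT
    searches = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an operation record we care about
        conn, op, kind = m['conn'], m['op'], m['kind']
        fields = parse_fields(m['rest'])
        if kind == 'BIND':
            pending[(conn, op)] = {'bind_dn': fields.get('dn', '')}
        elif kind == 'SRCH':
            pending[(conn, op)] = {'base': fields.get('base'),
                                   'scope': fields.get('scope'),
                                   'filter': fields.get('filter')}
        elif kind == 'RESULT':
            req = pending.pop((conn, op), None)
            if req is None:
                continue                  # RESULT for an op outside the excerpt
            if 'bind_dn' in req:
                if fields.get('err') == '0':
                    bound[conn] = req['bind_dn']   # only a successful BIND changes identity
            else:
                searches.append({'conn': conn, 'op': op,
                                 'bound_as': bound.get(conn, UNKNOWN_BIND),
                                 **req,
                                 'err': fields.get('err'),
                                 'nentries': int(fields.get('nentries', '0'))})
        elif kind == 'UNBIND':
            bound.pop(conn, None)         # connection is anonymous again
    return searches


def explain_difference(a, b):
    """Fields on which two correlated searches differ: empty means they are identical."""
    keys = ('base', 'scope', 'filter', 'bound_as', 'err', 'nentries')
    return {k: (a[k], b[k]) for k in keys if a[k] != b[k]}


if __name__ == '__main__':
    found = correlate(ACCESS_LOG)
    for s in found:
        print(f"conn={s['conn']} op={s['op']} bound_as={s['bound_as']} "
              f"nentries={s['nentries']} filter={s['filter']}")
    print("differs in:", explain_difference(found[0], found[1]))
```

Run against the excerpt, the two searches come out with identical base, scope and filter; the only differences are nentries (0 vs 1) and the bound identity: the ldapsearch ran on the same connection (conn=728) it had just bound on as baseuser, while the rlm_ldap search ran on conn=719, a different connection from the conn=718 BIND, so whatever identity conn=719 was bound as is not in the excerpt. A search that returns err=0 with zero entries for a filter that is known to match is what 389-ds produces when the bound identity is not allowed to read the matching entries or the attribute in the filter, so the next thing to pull from the access log is the BIND record for that connection.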
On Wednesday, August 5, 2020, 05:42:17 PM UTC, Rob Crittenden via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Victor via FreeIPA-users wrote:
Hello,
Everything is set up on the same machine as described here:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
I'm trying to check whether a user belongs to a group or not:
(0)     if (LDAP-Group == "someusers") {
(0)     Searching for user in group "someusers"
rlm_ldap (ldap): Reserved connection (6)
(0)     Using user DN from request "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
(0)     Checking for user in group objects
(0)       EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)          --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)       Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
(0)       Waiting for search result...
(0)       Search returned no results
(0)     Checking user object's memberOf attributes
(0)       Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
(0)       Waiting for search result...
(0)     No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (6)
but
ldapsearch -b "dc=domain,dc=local"
"(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))"
-D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> with scope subtree
# filter:
(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
# requesting: ALL
#
# someusers, groups, accounts, domain.local
dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: someusers
ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
and
ldapsearch -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
-D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope
subtree
# filter: (objectclass=*)
# requesting: ALL
#
# common_user, users, accounts, domain.local
dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
displayName: utilisateur banal
uid: common_user
krbCanonicalName: common_user@DOMAIN.LOCAL
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/bash
initials: ub
gecos: utilisateur banal
sn: banal
homeDirectory: /home/common_user
mail: common_user@domain.local
krbPrincipalName: common_user@DOMAIN.LOCAL
givenName: utilisateur
cn: utilisateur banal
ipaUniqueID: some_unique_ID
uidNumber: theSameNumber
gidNumber: theSameNumber
krbPasswordExpiration: the_pass_exp
krbLastPwdChange: the_pass_exp
memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
ipaUserAuthType: o_type
ipaSshPubKey: some_pubkey
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Some of the configuration:
/etc/raddb/sites-enabled/default
...
user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
        scope = 'sub'
        membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
        membership_attribute = 'memberOf'
    }
/etc/raddb/mods-enabled/ldap
...
post-auth {
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
    if (LDAP-Group == "someusers") {
        update {
            reply:Class := "OKOKOKOKOK"
        }
    }
    else {
        update {
            reply:Class := "NONONONONO"
        }
    }
}
Where to go from here?
So looking at the log you provided:
(0)       Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
I can't make heads or tails of that filter, but it requires that
cn=someusers and that will never be true so it will always fail.
I would closely examine the 389-ds access logs after trying to
identify/authenticate users to see what the logged filters look like to
see if they are the same.
I know literally zero about radius so take this with a grain of salt.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org