Hello Benjamin,
what you can do is capture the LDAP traffic between PacketFence and
the LDAP source and see with Wireshark if the scope/base DN is what you
set in the authentication source.
In the code it does a search for the DN of the user and tries to bind with
this DN.
So if the user is not in or under the base DN then the search should not
return anything and the authentication should fail.
So take the capture and see what happens exactly.
Regards
Fabrice
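
The search-then-bind check described in the reply above, as an added example that is not part of the original thread and is not PacketFence's code: a minimal in-memory model of how the base DN and scope decide whether a user entry is found and can be bound at all. The directory entries, DNs, passwords and function names are constructed for illustration.

```python
# Constructed sample directory: DN -> (uid, password). Not real data.
DIRECTORY = {
    "uid=alice,ou=Employees,dc=example,dc=com": ("alice", "pw-alice"),
    "uid=bob,ou=Contractors,dc=example,dc=com": ("bob", "pw-bob"),
    "uid=carol,ou=Remote,ou=Employees,dc=example,dc=com": ("carol", "pw-carol"),
}

def rdns(dn):
    # Naive split into RDNs; assumes the sample DNs contain no escaped commas.
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn, base_dn, scope):
    """Return True if dn falls inside base_dn for the given LDAP search scope."""
    entry, base = rdns(dn), rdns(base_dn)
    depth = len(entry) - len(base)          # levels below the base DN
    if depth < 0 or entry[depth:] != base:  # entry is not at or under the base
        return False
    if scope == "base":
        return depth == 0                   # the base entry itself only
    if scope == "one":
        return depth == 1                   # direct children only
    return True                             # "sub": base and whole subtree

def search(uid, base_dn, scope):
    """Step 1: look up the user's DN, restricted to base_dn and scope."""
    return [dn for dn, (u, _) in DIRECTORY.items()
            if u == uid and in_scope(dn, base_dn, scope)]

def authenticate(uid, password, base_dn, scope="sub"):
    """Step 2: bind with the DN found by the search, failing closed otherwise."""
    if not password:
        # A bind with a DN and an empty password is an unauthenticated bind
        # that many servers accept, so reject it before binding.
        return False
    matches = search(uid, base_dn, scope)
    if len(matches) != 1:
        return False                        # no entry or ambiguous: no bind
    return DIRECTORY[matches[0]][1] == password  # stands in for the bind

if __name__ == "__main__":
    base = "ou=Employees,dc=example,dc=com"
    for uid, pw in [("alice", "pw-alice"), ("bob", "pw-bob")]:
        print(uid, "under", base, "->", authenticate(uid, pw, base))
```

In a capture of the real exchange, the values to compare against this model are the base object and scope fields of the search request and whether a bind request follows a search that returned no entries.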
On 19-01-10 at 10:38, Brenek, Benjamin via PacketFence-users wrote:
Hi Nicolas,
Our authentication rules under the LDAP sources do not check LDAP attributes,
as the expected/assumed functionality of the LDAP Source would be to restrict
authorization to the specified Base DN. Is this expectation/assumption
incorrect?
Thank you,
Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com
-----Original Message-----
From: Nicolas Quiniou-Briand <[email protected]>
Sent: Thursday, January 10, 2019 10:20 AM
To: Brenek, Benjamin <[email protected]>;
[email protected]
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope
are not followed.
Hello Benjamin,
On 2019-01-10 3:54 p.m., Brenek, Benjamin wrote:
Hi Nicolas,
I did as requested. It looks like the authentication comes back with no
matches, yet still authenticates the user. Attached is the part of the log that
relates to authentication of the user.
I saw this:
```
Matched condition SSID equals Company_Employee
(pf::Authentication::Source::match_rule)
[..]
Matched condition SSID equals Company_Employee
(pf::Authentication::Source::match_rule)
```
for both LDAP sources.
Did you have rules on your LDAP sources that check the SSID value in place of
an LDAP attribute?
--
Nicolas Quiniou-Briand
[email protected] :: +1.514.447.4918 *140 ::
https://link.zixcentral.com/u/1c747c88/kiOYMOsU6RG3087ChnsoMg?u=https%3A%2F%2Finverse.ca
Inverse inc. :: Leaders behind SOGo
(https://link.zixcentral.com/u/b29309fb/OHiYMOsU6RG3087ChnsoMg?u=https%3A%2F%2Fsogo.nu),
PacketFence
(https://link.zixcentral.com/u/a0bbc547/SNGYMOsU6RG3087ChnsoMg?u=https%3A%2F%2Fpacketfence.org)
and Fingerbank
(https://link.zixcentral.com/u/ded69fd5/cDWZMOsU6RG3087ChnsoMg?u=http%3A%2F%2Ffingerbank.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users