Hello Rob,
The problem is that the logs indicate the exact same search request (only timeLimit differs: 10 vs 0) and the same bind credentials, which fail in the case of the rlm_ldap request and succeed for ldapsearch:
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345   <= FAIL
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND

[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435   <= SUCCEED
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
The Result:

# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))
# requesting: ALL
#

# ipausers, groups, accounts, domain.local
dn: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: c862bf44-d36b-11ea-84a9-3ed34312a8ce
member: uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Victor
On Wednesday, August 5, 2020, 05:42:17 PM UTC, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Victor via FreeIPA-users wrote:
Hello,
Everything is set up on the same machine as described here: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_...
I'm trying to check whether a user belongs to a group or not:
(0)   if (LDAP-Group == "someusers") {
(0)   Searching for user in group "someusers"
rlm_ldap (ldap): Reserved connection (6)
(0)   Using user DN from request "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
(0)   Checking for user in group objects
(0)   EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)      --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)   Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
(0)   Waiting for search result...
(0)   Search returned no results
(0)   Checking user object's memberOf attributes
(0)   Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
(0)   Waiting for search result...
(0)   No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (6)
but
ldapsearch -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> with scope subtree
# filter: (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
# requesting: ALL
#

# someusers, groups, accounts, domain.local
dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: someusers
ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
and
ldapsearch -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# common_user, users, accounts, domain.local
dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
displayName: utilisateur banal
uid: common_user
krbCanonicalName: common_user@DOMAIN.LOCAL
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/bash
initials: ub
gecos: utilisateur banal
sn: banal
homeDirectory: /home/common_user
mail: common_user@domain.local
krbPrincipalName: common_user@DOMAIN.LOCAL
givenName: utilisateur
cn: utilisateur banal
ipaUniqueID: some_unique_ID
uidNumber: theSameNumber
gidNumber: theSameNumber
krbPasswordExpiration: the_pass_exp
krbLastPwdChange: the_pass_exp
memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
ipaUserAuthType: o_type
ipaSshPubKey: some_pubkey

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Some of the configuration:
/etc/raddb/sites-enabled/default
...
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
        scope = 'sub'
        membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
        membership_attribute = 'memberOf'
    }

/etc/raddb/mods-enabled/ldap
...
post-auth {
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
    if (LDAP-Group == "someusers") {
        update {
            reply:Class := "OKOKOKOKOK"
        }
    } else {
        update {
            reply:Class := "NONONONONO"
        }
    }
}
Where to go from here?
So looking at the log you provided:
(0) Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
I can't make heads or tails of that filter, but it requires that cn=someusers, and that will never be true, so it will always fail.
I would closely examine the 389-ds access logs after trying to identify/authenticate users to see what the logged filters look like and whether they are the same.
I know literally zero about radius so take this with a grain of salt.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
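Rob's suggestion, comparing what the 389-ds access log records for the rlm_ldap search and for the ldapsearch, can be done mechanically rather than by eye. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from FreeRADIUS. It parses access-log lines of the kind quoted above, tracks per connection which DN is bound at the moment each search is issued, pairs each SRCH with its RESULT to read nentries, and flags searches that have an identical base, scope and filter but returned a different number of entries. The two excerpts from the thread are embedded as the sample input (reformatted to one entry per line). Run over them, it reports that the filter is byte-identical in both cases; what differs is the connection: the failing search ran on conn=719 while the BIND shown next to it is on conn=718, and the excerpt contains no BIND for conn=719, so the identity that search ran under cannot be read from these lines. Because 389-ds evaluates ACIs against the bound identity, an identical filter legitimately returns different entry counts for different binders, which makes conn=719 op=0 (its earlier bind, if any) the next thing to pull out of the full access log under /var/log/dirsrv/. Function and field names are my own.

```python
"""Correlate 389-ds access-log lines per connection: under which identity
each search was issued, and how many entries it returned.
Added example for this page; not code from FreeIPA or FreeRADIUS."""
import re
from collections import defaultdict

# Sample input: the two log excerpts from the thread, one entry per line.
SAMPLE_LOG = """\
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
"""

# "[timestamp] conn=N op=M KIND rest..."; lines without op= (fd=, slot=) are skipped.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
# key=value pairs; quoted values may contain spaces, '=' and parentheses (LDAP filters).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

UNKNOWN = 'unknown (no BIND on this conn in excerpt)'


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not an operation line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'ts': m['ts'], 'conn': int(m['conn']), 'op': int(m['op']), 'kind': m['kind']}
    for key, val in KV_RE.findall(m['rest']):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def correlate(log_text):
    """Pair each SRCH with its RESULT and record the identity bound on that
    connection when the search was issued (dn="" on a BIND means anonymous)."""
    bound = {}      # conn -> DN bound after the last successful BIND
    pending = {}    # (conn, op) -> BIND/SRCH request awaiting its RESULT
    searches = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['conn'], rec['op'])
        if rec['kind'] in ('BIND', 'SRCH'):
            rec['bind_dn'] = bound.get(rec['conn'], UNKNOWN)
            pending[key] = rec
        elif rec['kind'] == 'RESULT':
            req = pending.pop(key, None)
            if req is None:
                continue
            if req['kind'] == 'BIND':
                if rec.get('err') == '0':
                    bound[rec['conn']] = req.get('dn') or 'anonymous'
            else:
                searches.append({
                    'conn': req['conn'], 'op': req['op'], 'bind_dn': req['bind_dn'],
                    'base': req.get('base', ''), 'scope': req.get('scope', ''),
                    'filter': req.get('filter', ''), 'err': rec.get('err'),
                    'nentries': int(rec.get('nentries', '0')),
                })
        elif rec['kind'] == 'UNBIND':
            bound.pop(rec['conn'], None)
    return searches


def discrepancies(searches):
    """Group searches by (base, scope, filter); keep groups whose entry counts differ."""
    by_query = defaultdict(list)
    for s in searches:
        by_query[(s['base'], s['scope'], s['filter'])].append(s)
    return {q: grp for q, grp in by_query.items()
            if len({s['nentries'] for s in grp}) > 1}


if __name__ == '__main__':
    found = correlate(SAMPLE_LOG)
    for (base, scope, filt), grp in discrepancies(found).items():
        print(f'same query, different results: base={base} scope={scope}\n  filter={filt}')
        for s in grp:
            print(f"  conn={s['conn']} op={s['op']} nentries={s['nentries']} bound as: {s['bind_dn']}")
```

To run it on a live server, replace SAMPLE_LOG with the contents of the instance's access log (for example via `grep ' conn=719 ' /var/log/dirsrv/slapd-*/access`, a path that assumes the default 389-ds layout) so that every BIND on the connection of interest is in scope; the UNKNOWN marker only means the excerpt you fed it lacks that connection's bind, not that the search was anonymous.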