Hello,
Everything is set up on the same machine as described here: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_...
I'm trying to check whether a user belongs to a group or not:
(0)   if (LDAP-Group == "someusers") {
(0)   Searching for user in group "someusers"
rlm_ldap (ldap): Reserved connection (6)
(0)   Using user DN from request "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
(0)   Checking for user in group objects
(0)     EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)        --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)     Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
(0)     Waiting for search result...
(0)     Search returned no results
(0)   Checking user object's memberOf attributes
(0)     Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
(0)     Waiting for search result...
(0)   No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (6)
but
ldapsearch -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> with scope subtree
# filter: (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
# requesting: ALL
#

# someusers, groups, accounts, domain.local
dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: someusers
ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
and
ldapsearch -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# common_user, users, accounts, domain.local
dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
displayName: utilisateur banal
uid: common_user
krbCanonicalName: common_user@DOMAIN.LOCAL
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/bash
initials: ub
gecos: utilisateur banal
sn: banal
homeDirectory: /home/common_user
mail: common_user@domain.local
krbPrincipalName: common_user@DOMAIN.LOCAL
givenName: utilisateur
cn: utilisateur banal
ipaUniqueID: some_unique_ID
uidNumber: theSameNumber
gidNumber: theSameNumber
krbPasswordExpiration: the_pass_exp
krbLastPwdChange: the_pass_exp
memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
ipaUserAuthType: o_type
ipaSshPubKey: some_pubkey

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Some of the configuration:
/etc/raddb/sites-enabled/default
...
user {
    base_dn = "${..base_dn}"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    sasl {
    }
}
group {
    base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
    scope = 'sub'
    membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
    membership_attribute = 'memberOf'
}
/etc/raddb/mods-enabled/ldap
...
post-auth {
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
    if (LDAP-Group == "someusers") {
        update {
            reply:Class := "OKOKOKOKOK"
        }
    }
    else {
        update {
            reply:Class := "NONONONONO"
        }
    }
}
Where to go from here?
Kind regards
Victor via FreeIPA-users wrote:
So looking at the log you provided:
(0) Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
I can't make heads or tails of that filter, but it requires that cn=someusers and that will never be true so it will always fail.
I would closely examine the 389-ds access logs after trying to identify/authenticate users to see what the logged filters look like to see if they are the same.
I know literally zero about radius so take this with a grain of salt.
rob
Hello Rob,
The problem is that the logs indicate the exact same search request (only timeLimit differs: 10 vs 0) and bind credentials, which in the case of the rlm_ldap request fails and for ldapsearch succeeds:
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345   <=FAIL
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435   <=SUCCEED
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
The Result:
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))
# requesting: ALL
#

# ipausers, groups, accounts, domain.local
dn: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: c862bf44-d36b-11ea-84a9-3ed34312a8ce
member: uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Victor
On Wednesday, August 5, 2020, 05:42:17 PM UTC, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Thu, 06 Aug 2020, Victor via FreeIPA-users wrote:
Hello Rob,
The problem is the logs indicate the exact same search request (only timeLimit differs: 10 vs 0) and bind credentials which in the case of rlm_ldap request fail and succeed for ldapsearch:
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345   <=FAIL
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
Could you please show the full output for conn=719? What was it using to bind to LDAP?
If it is an anonymous connection, it clearly cannot see the member attribute, as the default ACIs prevent doing so for anonymous connections. You need to always be authenticated on the connection that attempts to look up member / memberof attributes.
Hello Alexander,
[06/Aug/2020:08:58:31.135610842 +0200] conn=719 fd=104 slot=104 connection from X.X.X.X to Y.Y.Y.Y
[06/Aug/2020:08:58:31.135957181 +0200] conn=719 op=0 BIND dn="" method=128 version=3
[06/Aug/2020:08:58:31.136093561 +0200] conn=719 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000442556 dn=""
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345
[06/Aug/2020:09:04:01.545769384 +0200] conn=719 op=-1 fd=104 closed - B1
So it seems the bind is done in another connection, not the one used for the group search?
[06/Aug/2020:08:58:31.132127271 +0200] conn=718 fd=93 slot=93 connection X.X.X.X to Y.Y.Y.Y
[06/Aug/2020:08:58:31.132672386 +0200] conn=718 op=0 BIND dn="" method=128 version=3
[06/Aug/2020:08:58:31.132816249 +0200] conn=718 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000612608 dn=""
[06/Aug/2020:08:58:31.133647534 +0200] conn=718 op=1 SRCH base="cn=accounts,dc=domain,dc=local" scope=2 filter="(uid=baseuser)" attrs="userPassword radiuscontrolattribute radiusrequestattribute radiusreplyattribute"
[06/Aug/2020:08:58:31.134478148 +0200] conn=718 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001025845
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:04:01.545769134 +0200] conn=718 op=-1 fd=93 closed - B1
Victor
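An added example (not code from the thread, FreeIPA or FreeRADIUS) that turns Alexander's point and Victor's access-log excerpt into a check: it correlates each connection's BIND result with the searches that follow and flags membership searches (member= / memberOf= in the filter) that ran on an anonymous bind, which is what conn=719 shows. The sample log is constructed from the lines posted in the thread; the class and function names are mine.

```python
"""Correlate BIND and SRCH operations per connection in a 389-ds access log.

Added example, not code from the thread, FreeIPA or FreeRADIUS. It tracks which
identity is bound on each LDAP connection and flags membership searches
(member= / memberOf= in the filter) issued on an anonymous bind (dn=""): under
FreeIPA's default ACIs those return no entries, which is the conn=719 symptom.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the access-log lines posted in the thread.
SAMPLE_LOG = """\
[06/Aug/2020:08:58:31.132127271 +0200] conn=718 fd=93 slot=93 connection X.X.X.X to Y.Y.Y.Y
[06/Aug/2020:08:58:31.132672386 +0200] conn=718 op=0 BIND dn="" method=128 version=3
[06/Aug/2020:08:58:31.132816249 +0200] conn=718 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000612608 dn=""
[06/Aug/2020:08:58:31.133647534 +0200] conn=718 op=1 SRCH base="cn=accounts,dc=domain,dc=local" scope=2 filter="(uid=baseuser)" attrs="userPassword radiuscontrolattribute radiusrequestattribute radiusreplyattribute"
[06/Aug/2020:08:58:31.134478148 +0200] conn=718 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001025845
[06/Aug/2020:08:58:31.135957181 +0200] conn=719 op=0 BIND dn="" method=128 version=3
[06/Aug/2020:08:58:31.136093561 +0200] conn=719 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000442556 dn=""
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345
[06/Aug/2020:09:04:01.545769384 +0200] conn=719 op=-1 fd=104 closed - B1
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)')
MEMBERSHIP_RE = re.compile(r'\(member(?:of)?=', re.IGNORECASE)  # (member=...) / (memberOf=...)


@dataclass
class Search:
    conn: int
    op: int
    bound_dn: Optional[str]      # None: never bound; "": anonymous bind
    base: str
    filter: str
    nentries: Optional[int] = None


@dataclass
class ConnState:
    bound_dn: Optional[str] = None
    pending_bind: Dict[int, str] = field(default_factory=dict)       # op -> dn
    pending_search: Dict[int, Search] = field(default_factory=dict)  # op -> search


def analyse(log_text: str) -> List[Search]:
    """Return every membership search with the identity bound on its connection."""
    conns: Dict[int, ConnState] = {}
    done: List[Search] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # "connection from ..." lines carry no op=
            continue
        conn, op, rest = int(m['conn']), int(m['op']), m['rest']
        st = conns.setdefault(conn, ConnState())
        bind, srch, res = BIND_RE.match(rest), SRCH_RE.match(rest), RESULT_RE.match(rest)
        if bind:
            st.pending_bind[op] = bind['dn']   # takes effect only on RESULT err=0
        elif srch and MEMBERSHIP_RE.search(srch['filter']):
            st.pending_search[op] = Search(conn, op, st.bound_dn, srch['base'], srch['filter'])
        elif res and op in st.pending_bind:
            if int(res['err']) == 0:
                st.bound_dn = st.pending_bind[op]
            del st.pending_bind[op]
        elif res and op in st.pending_search:
            s = st.pending_search.pop(op)
            s.nentries = int(res['nentries'])
            done.append(s)
    return done


def anonymous_membership_searches(searches: List[Search]) -> List[Search]:
    """Searches that silently match nothing because no user is bound on the connection."""
    return [s for s in searches if not s.bound_dn]


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for s in found:
        who = s.bound_dn or "ANONYMOUS"
        print(f"conn={s.conn} op={s.op} bound as {who}: nentries={s.nentries}")
    for s in anonymous_membership_searches(found):
        print(f"conn={s.conn}: membership lookup without a user bind on this connection")
```

On the sample, conn=719 is reported as an anonymous membership lookup with nentries=0 while the same filter on conn=728, bound as baseuser, returns one entry.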
On Thursday, August 6, 2020, 07:56:34 AM UTC, Alexander Bokovoy abokovoy@redhat.com wrote:
On to, 06 elo 2020, Victor via FreeIPA-users wrote:
Hello Rob,
The problem is the logs indicate the exact same search request (only timeLimit differs: 10 vs 0) and bind credentials which in the case of rlm_ldap request fail and succeed for ldapsearch:
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3 [06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" [06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL [06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345 <=FAIL [06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
Could you please show the full output for the conn=719? What it was using to bind to LDAP?
If it is an anonymous connection, it is clearly cannot see member attribute as default ACIs prevent doing so for anonymous connections. You need to always be authenticated on the connection that attempts to look up member / memberof attributes.
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3 [06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" [06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL [06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435 <=SUCCEED [06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
The Result: # extended LDIF # # LDAPv3 # base <cn=groups,cn=accounts,dc=domain,dc=local> with scope subtree # filter: (&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local)) # requesting: ALL #
# ipausers, groups, accounts, domain.local dn: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=local objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject description: Default group for all users cn: ipausers ipaUniqueID: c862bf44-d36b-11ea-84a9-3ed34312a8ce member: uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
Victor
On Wednesday, August 5, 2020, 05:42:17 PM UTC, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Victor via FreeIPA-users wrote:
Hello,
Everything is set up on the same machine as described here: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_...
I'm trying to check whether a user belongs to a group or not:
(0)Â Â if (LDAP-Group == "someusers") { (0)Â Â Searching for user in group "someusers" rlm_ldap (ldap): Reserved connection (6) (0)Â Â Using user DN from request "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" (0)Â Â Checking for user in group objects (0)Â Â Â EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local)))) (0)Â Â Â Â Â --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local)))) (0)Â Â Â Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub" (0)Â Â Â Waiting for search result... (0)Â Â Â Search returned no results (0)Â Â Checking user object's memberOf attributes (0)Â Â Â Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base" (0)Â Â Â Waiting for search result... (0)Â Â No group membership attribute(s) found in user object rlm_ldap (ldap): Released connection (6)
but
ldapsearch -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> with scope subtree
# filter: (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
# requesting: ALL
#

# someusers, groups, accounts, domain.local
dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: someusers
ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
and
ldapsearch -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# common_user, users, accounts, domain.local
dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
displayName: utilisateur banal
uid: common_user
krbCanonicalName: common_user@DOMAIN.LOCAL
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/bash
initials: ub
gecos: utilisateur banal
sn: banal
homeDirectory: /home/common_user
mail: common_user@domain.local
krbPrincipalName: common_user@DOMAIN.LOCAL
givenName: utilisateur
cn: utilisateur banal
ipaUniqueID: some_unique_ID
uidNumber: theSameNumber
gidNumber: theSameNumber
krbPasswordExpiration: the_pass_exp
krbLastPwdChange: the_pass_exp
memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
ipaUserAuthType: o_type
ipaSshPubKey: some_pubkey

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Some of the configuration:
/etc/raddb/sites-enabled/default
...
user {
    base_dn = "${..base_dn}"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    sasl {
    }
}
group {
    base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
    scope = 'sub'
    membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
    membership_attribute = 'memberOf'
}

/etc/raddb/mods-enabled/ldap
...
post-auth {
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
    if (LDAP-Group == "someusers") {
        update {
            reply:Class := "OKOKOKOKOK"
        }
    }
    else {
        update {
            reply:Class := "NONONONONO"
        }
    }
}
Where to go from here?
So looking at the log you provided:
(0)   Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
I can't make heads or tails of that filter, but it requires that cn=someusers and that will never be true so it will always fail.
I would closely examine the 389-ds access logs after trying to identify/authenticate users to see what the logged filters look like to see if they are the same.
I know literally zero about radius so take this with a grain of salt.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Thu, 06 Aug 2020, Victor via FreeIPA-users wrote:
Hello Alexander,
[06/Aug/2020:08:58:31.135610842 +0200] conn=719 fd=104 slot=104 connection from X.X.X.X to Y.Y.Y.Y
[06/Aug/2020:08:58:31.135957181 +0200] conn=719 op=0 BIND dn="" method=128 version=3
[06/Aug/2020:08:58:31.136093561 +0200] conn=719 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000442556 dn=""
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345
[06/Aug/2020:09:04:01.545769384 +0200] conn=719 op=-1 fd=104 closed - B1
So it seems the bind is done in another connection, not the one used for the group search?
[06/Aug/2020:08:58:31.132127271 +0200] conn=718 fd=93 slot=93 connection X.X.X.X to Y.Y.Y.Y
[06/Aug/2020:08:58:31.132672386 +0200] conn=718 op=0 BIND dn="" method=128 version=3
[06/Aug/2020:08:58:31.132816249 +0200] conn=718 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000612608 dn=""
[06/Aug/2020:08:58:31.133647534 +0200] conn=718 op=1 SRCH base="cn=accounts,dc=domain,dc=local" scope=2 filter="(uid=baseuser)" attrs="userPassword radiuscontrolattribute radiusrequestattribute radiusreplyattribute"
[06/Aug/2020:08:58:31.134478148 +0200] conn=718 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001025845
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:04:01.545769134 +0200] conn=718 op=-1 fd=93 closed - B1
Both connections are done initially anonymously, it seems. You need to change your rlm_ldap configuration to bind with some system account instead of using an anonymous connection.
Victor
On Thursday, August 6, 2020, 07:56:34 AM UTC, Alexander Bokovoy abokovoy@redhat.com wrote:
On Thu, 06 Aug 2020, Victor via FreeIPA-users wrote:
Hello Rob,
The problem is that the logs indicate the exact same search request (only timeLimit differs: 10 vs 0) and bind credentials, which fail in the case of the rlm_ldap request and succeed for ldapsearch:
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345 <=FAIL
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
Could you please show the full output for conn=719? What was it using to bind to LDAP?
If it is an anonymous connection, it clearly cannot see the member attribute, as the default ACIs prevent anonymous connections from doing so. You need to always be authenticated on the connection that attempts to look up the member / memberOf attributes.
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435 <=SUCCEED
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
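An added example (not from the thread, and not FreeIPA, 389-ds or FreeRADIUS code) of the check Alexander describes: pair every SRCH in a 389-ds access log with the last successful BIND on the same connection and report member/memberOf lookups made while that connection was still anonymous. The sample lines are constructed from the ones Victor posted, with timestamps shortened; the function names are my own.

```python
import re

# Constructed sample, modeled on the 389-ds access-log lines posted in this
# thread (timestamps shortened): conn=718/719 are the rlm_ldap pair, where the
# user bind lands on 718 but the group search runs on the still-anonymous 719;
# conn=728 is the manual ldapsearch that bound as the user before searching.
SAMPLE_LOG = """\
[06/Aug/2020:08:58:31 +0200] conn=718 op=0 BIND dn="" method=128 version=3
[06/Aug/2020:08:58:31 +0200] conn=718 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0006 dn=""
[06/Aug/2020:08:58:31 +0200] conn=718 op=1 SRCH base="cn=accounts,dc=domain,dc=local" scope=2 filter="(uid=baseuser)" attrs="userPassword radiuscontrolattribute radiusrequestattribute radiusreplyattribute"
[06/Aug/2020:08:58:31 +0200] conn=718 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0010
[06/Aug/2020:08:58:31 +0200] conn=719 op=0 BIND dn="" method=128 version=3
[06/Aug/2020:08:58:31 +0200] conn=719 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0004 dn=""
[06/Aug/2020:08:58:31 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0011 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0009
[06/Aug/2020:09:11:58 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0076 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0013
""".splitlines()

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" scope=\d+ '
                     r'filter="([^"]*)"(?: attrs=(ALL|"[^"]*"))?')
# "member" or "memberOf" appearing in a filter or in the requested attribute list
MEMBER_RE = re.compile(r'\bmember(of)?\b', re.IGNORECASE)


def audit_access_log(lines):
    """Return [(conn, op, filter)] for every member/memberOf search issued on a
    connection whose last successful BIND was anonymous (dn=""), or that never
    bound at all (an LDAP connection that has not bound is anonymous too)."""
    bound = {}     # conn -> DN of the last successful bind; "" means anonymous
    pending = {}   # (conn, op) -> DN a BIND asked for, until its RESULT arrives
    findings = []
    for line in lines:
        if m := BIND_RE.search(line):
            pending[(m[1], m[2])] = m[3]
        elif (m := RESULT_RE.search(line)) and (m[1], m[2]) in pending:
            dn = pending.pop((m[1], m[2]))
            if m[3] == "0":          # only a successful bind changes the identity
                bound[m[1]] = dn
        elif m := SRCH_RE.search(line):
            conn, op, flt, attrs = m.groups()
            if bound.get(conn, "") == "" and (
                MEMBER_RE.search(flt) or MEMBER_RE.search(attrs or "")
            ):
                findings.append((conn, op, flt))
    return findings


if __name__ == "__main__":
    for conn, op, flt in audit_access_log(SAMPLE_LOG):
        print(f"conn={conn} op={op}: membership search while anonymous: {flt}")
```

On the sample it reports only conn=719 op=1, the rlm_ldap group search; conn=728, which bound as the user first, is clean.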