Hello Rob,
The problem is that the logs indicate the exact same search request (only timeLimit differs: 10 vs 0) and bind credentials, which in the case of the rlm_ldap request fail and in the case of ldapsearch succeed:
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345   <=FAIL
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435   <=SUCCEED
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
The Result:
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))
# requesting: ALL
#
# ipausers, groups, accounts, domain.local
dn: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: c862bf44-d36b-11ea-84a9-3ed34312a8ce
member: uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Victor
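An added helper, not part of this thread, for Rob's suggestion to compare the 389-ds access log: it pairs BIND, SRCH and RESULT records by conn and op and reports which DN the connection running each search was bound as. It runs on sample lines constructed from the records quoted above (mail wrapping removed), where the search with nentries=0 sits on conn=719 while the BIND is on conn=718, so that connection's identity is not visible in the excerpt.

```python
import re

# Constructed sample, modelled on the 389-ds access-log lines quoted above
# (mail wrapping removed: one log record per line).
SAMPLE_LOG = """\
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) ([A-Z]+)(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(rest):
    """Turn 'err=0 tag=97 dn="..."' into a dict; quoted values keep inner '=' and spaces."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(rest)}

def correlate(log_text):
    """For every SRCH that got a RESULT, record which DN its connection was bound as."""
    bound, pending, searches = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, kind, f = m[1], m[2], m[3], parse_fields(m[4])
        if kind == 'BIND':                 # a bind only takes effect after RESULT err=0
            pending[(conn, op)] = ('BIND', f.get('dn', ''))
        elif kind == 'SRCH':               # bound_as None = no BIND seen on this conn in the excerpt
            pending[(conn, op)] = ('SRCH', {'conn': conn, 'op': op, 'filter': f.get('filter'),
                                            'base': f.get('base'), 'bound_as': bound.get(conn)})
        elif kind == 'RESULT' and (conn, op) in pending:
            what, rec = pending.pop((conn, op))
            err = int(f.get('err', -1))
            if what == 'BIND' and err == 0:
                bound[conn] = rec          # '' means an anonymous bind
            elif what == 'SRCH':
                rec.update(err=err, nentries=int(f.get('nentries', 0)))
                searches.append(rec)
        elif kind == 'UNBIND':
            bound.pop(conn, None)
    return searches

if __name__ == '__main__':
    for r in correlate(SAMPLE_LOG):
        print('conn=%s op=%s nentries=%s bound_as=%r' % (r['conn'], r['op'], r['nentries'], r['bound_as']))
```

Feed it the full access log around the failing request so the BIND of the pooled rlm_ldap connection (if any) is included; a search whose bound_as is None or '' is evaluated under a different identity than ldapsearch's, and FreeIPA ACIs can then hide the member values.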
On Wednesday, August 5, 2020, 05:42:17 PM UTC, Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Victor via FreeIPA-users wrote:
Hello,
Everything is set up on the same machine as described here:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_bas...
I'm trying to check whether a user belongs to a group or not:
(0) if (LDAP-Group == "someusers") {
(0) Searching for user in group "someusers"
rlm_ldap (ldap): Reserved connection (6)
(0) Using user DN from request "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
(0) Checking for user in group objects
(0) EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0) --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0) Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
(0) Waiting for search result...
(0) Search returned no results
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (6)
but
ldapsearch -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> with scope subtree
# filter: (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
# requesting: ALL
#
# someusers, groups, accounts, domain.local
dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: someusers
ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
and
ldapsearch -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# common_user, users, accounts, domain.local
dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
displayName: utilisateur banal
uid: common_user
krbCanonicalName: common_user(a)DOMAIN.LOCAL
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/bash
initials: ub
gecos: utilisateur banal
sn: banal
homeDirectory: /home/common_user
mail: common_user(a)domain.local
krbPrincipalName: common_user(a)DOMAIN.LOCAL
givenName: utilisateur
cn: utilisateur banal
ipaUniqueID: some_unique_ID
uidNumber: theSameNumber
gidNumber: theSameNumber
krbPasswordExpiration: the_pass_exp
krbLastPwdChange: the_pass_exp
memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
ipaUserAuthType: o_type
ipaSshPubKey: some_pubkey
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Some of the configuration:
/etc/raddb/sites-enabled/default
...
user {
    base_dn = "${..base_dn}"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    sasl {
    }
}
group {
    base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
    scope = 'sub'
    membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
    membership_attribute = 'memberOf'
}
/etc/raddb/mods-enabled/ldap
...
post-auth {
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
    if (LDAP-Group == "someusers") {
        update {
            reply:Class := "OKOKOKOKOK"
        }
    }
    else {
        update {
            reply:Class := "NONONONONO"
        }
    }
}
Where to go from here?
So looking at the log you provided:
(0) Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
I can't make heads or tails of that filter, but it requires that
cn=someusers and that will never be true so it will always fail.
I would closely examine the 389-ds access logs after trying to
identify/authenticate users to see what the logged filters look like to
see if they are the same.
I know literally zero about radius so take this with a grain of salt.
rob