Your message dated Tue, 06 Aug 2019 00:18:00 +0000
with message-id <[email protected]>
and subject line Bug#746483: fixed in openvpn-auth-ldap 2.0.4-1
has caused the Debian Bug report #746483,
regarding openvpn-auth-ldap: RFC2307 group support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
746483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746483
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn-auth-ldap
Version: 2.0.3-5.1
Severity: normal
Tags: upstream patch

Dear Maintainer,

I stumbled across this issue while setting up LDAP authentication for
openvpn:
https://code.google.com/p/openvpn-auth-ldap/issues/detail?id=7

I have included a patch that fixes this issue for me.

Using the patch + setting RFC2307bis parameter to false in the
openvpn-auth-ldap configuration file fixes it for me.

Thanks for considering inclusion in debian.

Cheers,

Frederic

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openvpn-auth-ldap depends on:
ii  libc6          2.13-38+deb7u1
ii  libldap-2.4-2  2.4.31-1+nmu2
ii  libobjc3       4.6.3-14
ii  openvpn        2.2.1-8+deb7u2

openvpn-auth-ldap recommends no packages.

openvpn-auth-ldap suggests no packages.

-- no debconf information
Index: openvpn-auth-ldap-2.0.3/auth-ldap.conf
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/auth-ldap.conf	2007-01-22 19:50:42.000000000 +0100
+++ openvpn-auth-ldap-2.0.3/auth-ldap.conf	2014-04-30 14:08:47.862382000 +0200
@@ -47,6 +47,9 @@
 	#PFTable	ips_vpn_users
 
 	<Group>
+		# Match full user DN if true, uid only if false
+        	RFC2307bis	true
+
 		BaseDN		"ou=Groups,dc=example,dc=com"
 		SearchFilter	"(|(cn=developers)(cn=artists))"
 		MemberAttribute	uniqueMember
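Review bot: The added `RFC2307bis` line is indented with spaces followed by a tab, while every other line in the `<Group>` block uses tabs only; make it `		RFC2307bis	true` so the example reads consistently. The comment "uid only if false" is also slightly loose: in the `false` branch of auth-ldap.m the value compared against the member attribute is the username OpenVPN passed in, not a `uid` attribute read from the directory, so a wording such as `# Compare the member attribute against the user's full DN if true, against the supplied username if false` would describe the behaviour more precisely. This is worth getting right in the sample config because it is the only place an administrator learns what the flag does.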
Index: openvpn-auth-ldap-2.0.3/src/auth-ldap.m
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/src/auth-ldap.m	2014-04-30 14:06:28.000000000 +0200
+++ openvpn-auth-ldap-2.0.3/src/auth-ldap.m	2014-04-30 14:09:11.778381467 +0200
@@ -409,6 +409,7 @@
 	TREnumerator *entryIter;
 	TRLDAPEntry *entry;
 	TRLDAPGroupConfig *result = nil;
+	int userNameLength;
 
 	/*
 	 * Groups are loaded into the array in the order that they are listed
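Review bot: `int userNameLength;` is declared at the top of this function but is not referenced in any hunk of this patch; if it is indeed unused it should be dropped, since it only produces an unused-variable warning and suggests an intermediate version of the change. The enclosing function starts before this hunk.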
@@ -426,15 +427,27 @@
 		/* Error occured, all stop */
 		if (!ldapEntries)
 			break;
-
-		/* Iterate over the returned entries */
-		entryIter = [ldapEntries objectEnumerator];
-		while ((entry = [entryIter nextObject]) != nil) {
-			if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) {
-				/* Group match! */
-				result = groupConfig;
+		if ([groupConfig memberRFC2307BIS]) {
+			/* Iterate over the returned entries */
+			entryIter = [ldapEntries objectEnumerator];
+
+			while ((entry = [entryIter nextObject]) != nil) {
+				if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) {
+					/* Group match! */
+					result = groupConfig;
+				}
+			}
+		} else {
+			/* Iterate over the returned entries */
+			entryIter = [ldapEntries objectEnumerator];
+			while ((entry = [entryIter nextObject]) != nil) {
+				if ([ldap compare: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser rdn]]) {
+					/* Group match! */
+					result = groupConfig;
+				}
 			}
 		}
+
 		[entryIter release];
 		[ldapEntries release];
 		if (result)
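Review bot: The two branches of the new `if ([groupConfig memberRFC2307BIS])` duplicate the whole enumerator loop and differ only in which compare message is sent and which user string is passed; folding the choice into the loop body keeps one copy of the iteration and makes the mode difference visible on a single line. The enclosing function starts and ends outside this hunk, and the original behaviour of not breaking out of the loop after the first match is kept below.
```objc
		/* Iterate over the returned entries; the group mode decides how membership is tested */
		entryIter = [ldapEntries objectEnumerator];
		while ((entry = [entryIter nextObject]) != nil) {
			BOOL match;
			if ([groupConfig memberRFC2307BIS])
				/* RFC2307bis: member attribute holds full DNs */
				match = [ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]];
			else
				/* RFC2307: member attribute holds bare user names */
				match = [ldap compare: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser rdn]];
			if (match) {
				/* Group match! */
				result = groupConfig;
			}
		}
		/* … unchanged: release entryIter and ldapEntries, check result … */
```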
@@ -554,6 +567,7 @@
 	int ret = OPENVPN_PLUGIN_FUNC_ERROR;
 
 	username = get_env("username", envp);
+	LFString *userName=[[LFString alloc]initWithCString: username];
 	password = get_env("password", envp);
 	remoteAddress = get_env("ifconfig_pool_remote_ip", envp);
 
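Review bot: `userName` is built from `username` immediately after `get_env("username", envp)`, before any of the checks that follow in this function, so if the environment variable is absent the string is initialised from a NULL pointer; construct it only after `username` has been validated. Under this file's manual retain/release style the object is also created with a +1 count and, as far as the hunks show, never released by this function — when `find_ldap_user` returns nil the later `setRDN:` is a no-op and the string leaks. The line would also read better with this file's spacing: `LFString *userName = [[LFString alloc] initWithCString: username];`. The enclosing function continues outside this hunk.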
@@ -571,6 +585,7 @@
 
 	/* Find the user record */
 	ldapUser = find_ldap_user(ldap, ctx->config, username);
+	[ldapUser setRDN: userName];
 	if (!ldapUser) {
 		/* No such user. */
 		[TRLog warning: "LDAP user \"%s\" was not found.", username];
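Review bot: `[ldapUser setRDN: userName];` is placed before the `if (!ldapUser)` check, so it is sent to a possibly-nil receiver; that is harmless in Objective-C but reads as if the entry were already known to exist, and moving it below the check (or into `find_ldap_user`, which already has both the entry and the username) states the intent plainly. The name `rdn` is also misleading: what is stored is the username string supplied by OpenVPN, not an LDAP relative distinguished name such as `uid=user`, so a name like `userName`/`setUserName:` on TRLDAPEntry would avoid confusion for the next reader. The enclosing function starts and ends outside this hunk.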
Index: openvpn-auth-ldap-2.0.3/src/LFAuthLDAPConfig.m
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/src/LFAuthLDAPConfig.m	2007-01-22 19:50:42.000000000 +0100
+++ openvpn-auth-ldap-2.0.3/src/LFAuthLDAPConfig.m	2014-04-30 14:08:47.878382001 +0200
@@ -79,6 +79,7 @@
 
 	/* Group Section Variables */
 	LF_GROUP_MEMBER_ATTRIBUTE,	/* Group Membership Attribute */
+	LF_GROUP_MEMBER_RFC2307BIS,	/* Look for full DN for user in attribute */
 
 	/* Misc Shared */
 	LF_UNKNOWN_OPCODE,		/* Unknown Opcode */
@@ -146,6 +147,7 @@
 static OpcodeTable GroupSectionVariables[] = {
 	/* name			opcode			multi	required */
 	{ "MemberAttribute",	LF_GROUP_MEMBER_ATTRIBUTE, NO,	NO },
+	{ "RFC2307bis",		LF_GROUP_MEMBER_RFC2307BIS, NO,	NO },
 	{ NULL, 0 }
 };
 
@@ -696,12 +698,22 @@
 
 			switch(opcodeEntry->opcode) {
 				TRLDAPGroupConfig *config;
+				BOOL memberRFC2307BIS;
 
 				case LF_GROUP_MEMBER_ATTRIBUTE:
 					config = [self currentSectionContext];
 					[config setMemberAttribute: [value string]];
 					break;
 
+				case LF_GROUP_MEMBER_RFC2307BIS:
+					config = [self currentSectionContext];
+					if (![value boolValue: &memberRFC2307BIS]) {
+						[self errorBoolValue: value];
+						return;
+					}
+					[config setMemberRFC2307BIS: memberRFC2307BIS];
+					break;
+
 				case LF_LDAP_BASEDN:
 					config = [self currentSectionContext];
 					[config setBaseDN: [value string]];
Index: openvpn-auth-ldap-2.0.3/src/LFLDAPConnection.h
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/src/LFLDAPConnection.h	2007-01-22 19:50:42.000000000 +0100
+++ openvpn-auth-ldap-2.0.3/src/LFLDAPConnection.h	2014-04-30 14:08:47.882382001 +0200
@@ -56,6 +56,7 @@
 			baseDN: (LFString *) base
 		    attributes: (TRArray *) attributes;
 - (BOOL) compareDN: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value;
+- (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value;
 
 - (BOOL) setReferralEnabled: (BOOL) enabled;
 - (BOOL) setTLSCACertFile: (LFString *) fileName;
Index: openvpn-auth-ldap-2.0.3/src/LFLDAPConnection.m
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/src/LFLDAPConnection.m	2007-03-22 21:09:51.000000000 +0100
+++ openvpn-auth-ldap-2.0.3/src/LFLDAPConnection.m	2014-04-30 14:08:47.886382001 +0200
@@ -405,6 +405,50 @@
 	return NO;
 }
 
+- (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value {
+	struct timeval	timeout;
+	LDAPMessage	*res;
+	struct berval	bval;
+	int		err;
+	int		msgid;
+
+	/* Set up the ber structure for our value */
+	bval.bv_val = (char *) [value cString];
+	bval.bv_len = [value length] - 1; /* Length includes NULL terminator */
+
+	/* Set up the timeout */
+	timeout.tv_sec = _timeout;
+	timeout.tv_usec = 0;
+
+	/* Perform the compare */
+	if ((err = ldap_compare_ext(ldapConn, [dn cString], [attribute cString], &bval, NULL, NULL, &msgid)) != LDAP_SUCCESS) {
+		[TRLog debug: "LDAP compare failed: %d: %s", err, ldap_err2string(err)];
+		return NO;
+	}
+
+	/* Wait for the result */
+	if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
+		err = ldap_get_errno(ldapConn);
+		if (err == LDAP_TIMEOUT)
+			ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
+
+		[TRLog debug: "ldap_compare_ext failed: %s", ldap_err2string(err)];
+		return NO;
+	}
+
+	/* Check the result */
+	if (ldap_parse_result(ldapConn, res, &err, NULL, NULL, NULL, NULL, 1) != LDAP_SUCCESS) {
+		/* Parsing failed */
+		return NO;
+	}
+	if (err == LDAP_COMPARE_TRUE)
+		return YES;
+	else
+		return NO;
+
+	return NO;
+}
+
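Review bot: The wait on `ldap_result` only treats `-1` as failure, but per its manual page `ldap_result` returns `0` when the supplied timeout expires, and in that case `res` (declared uninitialised above) is handed to `ldap_parse_result`; the check should be `if ((err = ldap_result(ldapConn, msgid, 1, &timeout, &res)) <= 0)` with the abandon on timeout kept inside it. The `return NO;` after the `if/else` pair is unreachable and can be dropped, and `if (err == LDAP_COMPARE_TRUE) return YES; else return NO;` collapses to `return (err == LDAP_COMPARE_TRUE);`. Since the body looks like a near copy of the existing `compareDN:withAttribute:value:` just above, consider sharing the request/wait/parse sequence in one private helper so a fix such as the timeout check lands in both paths. Note that the supplied username travels as a `berval` with an explicit length, so no LDAP filter escaping is needed here.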
 
 - (BOOL) _setLDAPOption: (int) opt value: (const char *) value connection: (LDAP *) ldapConn {
 	int err;
Index: openvpn-auth-ldap-2.0.3/src/TRLDAPEntry.h
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/src/TRLDAPEntry.h	2006-07-26 01:55:47.000000000 +0200
+++ openvpn-auth-ldap-2.0.3/src/TRLDAPEntry.h	2014-04-30 14:08:47.890382001 +0200
@@ -40,11 +40,14 @@
 
 @interface TRLDAPEntry : TRObject {
 	LFString *_dn;
+	LFString *_rdn;
 	TRHash *_attributes;
 }
 
 - (id) initWithDN: (LFString *) dn attributes: (TRHash *) attributes;
 - (LFString *) dn;
+- (LFString *) rdn;
+- (void) setRDN: (LFString *) rdn;
 - (TRHash *) attributes;
 
 @end
Index: openvpn-auth-ldap-2.0.3/src/TRLDAPEntry.m
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/src/TRLDAPEntry.m	2006-07-26 01:55:47.000000000 +0200
+++ openvpn-auth-ldap-2.0.3/src/TRLDAPEntry.m	2014-04-30 14:08:47.898381999 +0200
@@ -42,6 +42,7 @@
 		return self;
 
 	_dn = [dn retain];
+	_rdn = nil;
 	_attributes = [attributes retain];
 
 	return self;
@@ -49,6 +50,7 @@
 
 - (void) dealloc {
 	[_dn release];
+	[_rdn release];
 	[_attributes release];
 	[super dealloc];
 }
@@ -57,6 +59,14 @@
 	return _dn;
 }
 
+- (LFString *) rdn {
+	return _rdn;
+}
+
+- (void) setRDN: (LFString *) rdn {
+	_rdn=rdn;
+}
+
 - (TRHash *) attributes {
 	return _attributes;
 }
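Review bot: `setRDN:` stores its argument with a plain assignment (`_rdn=rdn;`) while `dealloc` in this file releases `_rdn`, so ownership is unbalanced under the manual retain/release style used throughout: the entry releases an object it never retained, and a second call to the setter leaks the previous value. Match the pattern used by `setMemberAttribute:` in TRLDAPGroupConfig.m — release the old value, then `_rdn = [rdn retain];` — and have the caller release its own reference after the call. With the spacing of the surrounding methods the line would be `_rdn = [rdn retain];`.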
Index: openvpn-auth-ldap-2.0.3/src/TRLDAPGroupConfig.h
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/src/TRLDAPGroupConfig.h	2006-07-30 22:19:54.000000000 +0200
+++ openvpn-auth-ldap-2.0.3/src/TRLDAPGroupConfig.h	2014-04-30 14:08:47.902381999 +0200
@@ -42,6 +42,7 @@
 	LFString *_baseDN;
 	LFString *_searchFilter;
 	LFString *_memberAttribute;
+	BOOL	 _memberRFC2307BIS;
 	LFString *_pfTable;
 }
 
@@ -54,6 +55,9 @@
 - (LFString *) memberAttribute;
 - (void) setMemberAttribute: (LFString *) memberAttribute;
 
+- (BOOL) memberRFC2307BIS;
+- (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS;
+
 - (LFString *) pfTable;
 - (void) setPFTable: (LFString *) tableName;
 
Index: openvpn-auth-ldap-2.0.3/src/TRLDAPGroupConfig.m
===================================================================
--- openvpn-auth-ldap-2.0.3.orig/src/TRLDAPGroupConfig.m	2006-07-30 22:19:54.000000000 +0200
+++ openvpn-auth-ldap-2.0.3/src/TRLDAPGroupConfig.m	2014-04-30 14:08:47.906382000 +0200
@@ -81,6 +81,14 @@
 	_memberAttribute = [memberAttribute retain];
 }
 
+- (BOOL) memberRFC2307BIS {
+	return (_memberRFC2307BIS);
+}
+
+- (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS {
+	_memberRFC2307BIS = memberRFC2307BIS;
+}
+
 - (void) setPFTable: (LFString *) tableName {
 	if (_pfTable)
 		[_pfTable release];
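Review bot: `memberRFC2307BIS` returns the raw ivar, and nothing in this patch assigns a default, so a `<Group>` section that omits the new `RFC2307bis` option (the opcode table marks it not required) evaluates to NO and switches an existing deployment from the DN compare to the username compare; with a `uniqueMember`-style attribute holding DNs that compare fails and every user is denied group membership. Unless an initialiser not shown here sets it, existing configurations should keep the previous behaviour, e.g. by initialising `_memberRFC2307BIS = YES;` in the designated initialiser, and the sample config comment should say which value is the default. The parentheses in `return (_memberRFC2307BIS);` are unnecessary; `return _memberRFC2307BIS;` matches the other getters in this file.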

--- End Message ---
--- Begin Message ---
Source: openvpn-auth-ldap
Source-Version: 2.0.4-1

We believe that the bug you reported is fixed in the latest version of
openvpn-auth-ldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aniol Marti <[email protected]> (supplier of updated openvpn-auth-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 05 Aug 2019 13:10:09 +0200
Source: openvpn-auth-ldap
Architecture: source
Version: 2.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Aniol Marti <[email protected]>
Changed-By: Aniol Marti <[email protected]>
Closes: 680166 746483 861107 877915
Changes:
 openvpn-auth-ldap (2.0.4-1) unstable; urgency=medium
 .
   * New maintainer (Closes: #877915).
   * Update Debian Standards.
   * Fix problems while searching for a new upstream version.
   * Update Debhelper compat version from 5 to 12.
   * Change home URL from code.google.com to github.com.
   * Replace extra priority to optional.
   * Clean d/rules file.
   * Closes: #746483, #680166, #861107.
Checksums-Sha1:
 77a7ec0aaded9bf784d03e619f91f39bf1071a65 2085 openvpn-auth-ldap_2.0.4-1.dsc
 fb3181f30c298ee546f4cf33fe539cc41464a3b0 209800 
openvpn-auth-ldap_2.0.4.orig.tar.gz
 fd43c96e674a303e4daec65165fecce39a3aab1b 7672 
openvpn-auth-ldap_2.0.4-1.debian.tar.xz
 dd3f8fcff5b1afd03ea8be88e9d5d8ceb74ae9c4 6717 
openvpn-auth-ldap_2.0.4-1_source.buildinfo
Checksums-Sha256:
 b7f4b0886b4f903ccd8bf26b86f5e0be24c69c4c0b642948d54c15007caa674e 2085 
openvpn-auth-ldap_2.0.4-1.dsc
 81f600cdc88adb2258f57df1ed2d87f0afa945f66cbf8897ad50e76f42509168 209800 
openvpn-auth-ldap_2.0.4.orig.tar.gz
 2f30691770279de175e6466a5497c77933d3836dc989f6fec2f749461fbe6fc2 7672 
openvpn-auth-ldap_2.0.4-1.debian.tar.xz
 15067a70fae346e97f67b524a58e3e3d63fc3cadc295761bceb41ce39908a1ae 6717 
openvpn-auth-ldap_2.0.4-1_source.buildinfo
Files:
 2fdc86ba8956d4da8db9ff11818c488f 2085 net optional 
openvpn-auth-ldap_2.0.4-1.dsc
 c4985fbbf88042e28efd1521d03bf658 209800 net optional 
openvpn-auth-ldap_2.0.4.orig.tar.gz
 86741198c3f903c397d532962bb7fcf0 7672 net optional 
openvpn-auth-ldap_2.0.4-1.debian.tar.xz
 531fb3801e276cc21d8d2e761d614f59 6717 net optional 
openvpn-auth-ldap_2.0.4-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
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=xjnG
-----END PGP SIGNATURE-----

--- End Message ---
