Hello Rob,

The problem is that the logs indicate the exact same search request (only timeLimit differs: 10 vs 0) and bind credentials, which fail in the case of the rlm_ldap request and succeed for ldapsearch:

[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345   <=FAIL
[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND

[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435   <=SUCCEED
[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND

The Result:

# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))
# requesting: ALL
#

# ipausers, groups, accounts, domain.local
dn: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: c862bf44-d36b-11ea-84a9-3ed34312a8ce
member: uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Victor

On Wednesday, August 5, 2020, 05:42:17 PM UTC, Rob Crittenden via FreeIPA-users <[email protected]> wrote:

Victor via FreeIPA-users wrote:
> Hello,
>
> Everything is set up on the same machine as described here:
> https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
>
> I'm trying to check whether a user belongs to a group or not:
>
> (0) if (LDAP-Group == "someusers") {
> (0) Searching for user in group "someusers"
> rlm_ldap (ldap): Reserved connection (6)
> (0) Using user DN from request "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
> (0) Checking for user in group objects
> (0) EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
> (0) --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
> (0) Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
> (0) Waiting for search result...
> (0) Search returned no results
> (0) Checking user object's memberOf attributes
> (0) Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
> (0) Waiting for search result...
> (0) No group membership attribute(s) found in user object
> rlm_ldap (ldap): Released connection (6)
>
> but
>
> ldapsearch -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=domain,dc=local> with scope subtree
> # filter: (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
> # requesting: ALL
> #
>
> # someusers, groups, accounts, domain.local
> dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
> objectClass: ipausergroup
> objectClass: ipaobject
> description: Default group for all users
> cn: someusers
> ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
> member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
> member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> and
>
> ldapsearch -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # common_user, users, accounts, domain.local
> dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
> displayName: utilisateur banal
> uid: common_user
> krbCanonicalName: [email protected]
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipauserauthtypeclass
> loginShell: /bin/bash
> initials: ub
> gecos: utilisateur banal
> sn: banal
> homeDirectory: /home/common_user
> mail: [email protected]
> krbPrincipalName: [email protected]
> givenName: utilisateur
> cn: utilisateur banal
> ipaUniqueID: some_unique_ID
> uidNumber: theSameNumber
> gidNumber: theSameNumber
> krbPasswordExpiration: the_pass_exp
> krbLastPwdChange: the_pass_exp
> memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
> memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
> ipaUserAuthType: o_type
> ipaSshPubKey: some_pubkey
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Some of the configuration:
>
> /etc/raddb/sites-enabled/default
> ...
> user {
>     base_dn = "${..base_dn}"
>     filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>     sasl {
>     }
> }
> group {
>     base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
>     scope = 'sub'
>     membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
>     membership_attribute = 'memberOf'
> }
>
> /etc/raddb/mods-enabled/ldap
> ...
> post-auth {
>     update {
>         &reply: += &session-state:
>     }
>     -sql
>     exec
>     remove_reply_message_if_eap
>     Post-Auth-Type REJECT {
>         -sql
>         attr_filter.access_reject
>
>         eap
>
>         remove_reply_message_if_eap
>     }
>     Post-Auth-Type Challenge {
>     }
>     if (LDAP-Group == "someusers") {
>         update {
>             reply:Class := "OKOKOKOKOK"
>         }
>     }
>     else {
>         update {
>             reply:Class := "NONONONONO"
>         }
>     }
> }
>
> Where to go from here?

So looking at the log you provided:

(0) Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"

I can't make heads or tails of that filter, but it requires that cn=someusers and that will never be true so it will always fail.

I would closely examine the 389-ds access logs after trying to identify/authenticate users to see what the logged filters look like to see if they are the same.

I know literally zero about radius so take this with a grain of salt.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
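Rob's suggestion to compare what 389-ds actually logged is easier to act on when the BIND, SRCH and RESULT lines are paired by conn and op instead of read by eye. The parser below is an added example, not code from the thread, FreeIPA or FreeRADIUS; it runs over the access-log excerpt Victor posted (with the <=FAIL / <=SUCCEED annotations stripped) and reports, for each search, the filter, the entry count and the identity bound on that connection.

```python
import re

# Access-log excerpt as posted in the thread (the <=FAIL / <=SUCCEED annotations removed).
ACCESS_LOG = """\
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001149384 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000957345
[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 nentries=0 etime=0.007689079 dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))" attrs=ALL
[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001385435
"""

# "[ts] conn=N op=M KIND k=v k="quoted v" ..." : values may be quoted and contain '=' (DNs, filters).
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None   # not an access-log line in this format
    rec = {'conn': int(m['conn']), 'op': int(m['op']), 'kind': m['kind']}
    for key, value in KV_RE.findall(m['rest']):
        rec[key] = value.strip('"')
    return rec

def correlate_searches(log_text):
    """Pair each SRCH with its RESULT (same conn+op) and with the last successful BIND on that conn."""
    bound_dn = {}   # conn -> DN of the last successful BIND on that connection
    pending = {}    # (conn, op) -> BIND/SRCH record still waiting for its RESULT line
    searches = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['conn'], rec['op'])
        if rec['kind'] in ('BIND', 'SRCH'):
            pending[key] = rec
        elif rec['kind'] == 'RESULT':
            req = pending.pop(key, None)
            if req is None:
                continue
            if req['kind'] == 'BIND' and rec.get('err') == '0':
                bound_dn[rec['conn']] = req['dn']
            elif req['kind'] == 'SRCH':
                # bound_as is None when no BIND was logged on this conn (anonymous, or bound before the excerpt)
                searches.append({'conn': rec['conn'], 'bound_as': bound_dn.get(rec['conn']),
                                 'filter': req['filter'], 'nentries': int(rec['nentries'])})
    return searches
```

On this excerpt the failing search on conn=719 comes back with bound_as None, because the only BIND logged before it is on conn=718, while the succeeding search on conn=728 is preceded by a BIND on the same connection.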
