Hello Alexander,

[06/Aug/2020:08:58:31.135610842 +0200] conn=719 fd=104 slot=104 connection from 
X.X.X.X to Y.Y.Y.Y
[06/Aug/2020:08:58:31.135957181 +0200] conn=719 op=0 BIND dn="" method=128 
version=3
[06/Aug/2020:08:58:31.136093561 +0200] conn=719 op=0 RESULT err=0 tag=97 
nentries=0 etime=0.000442556 dn=""
[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH 
base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 
filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))"
 attrs=ALL
[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 
nentries=0 etime=0.000957345
[06/Aug/2020:09:04:01.545769384 +0200] conn=719 op=-1 fd=104 closed - B1

So it seems the bind is done in another connection, not the one used for the group 
search?

[06/Aug/2020:08:58:31.132127271 +0200] conn=718 fd=93 slot=93 connection 
X.X.X.X to Y.Y.Y.Y
[06/Aug/2020:08:58:31.132672386 +0200] conn=718 op=0 BIND dn="" method=128 
version=3
[06/Aug/2020:08:58:31.132816249 +0200] conn=718 op=0 RESULT err=0 tag=97 
nentries=0 etime=0.000612608 dn=""
[06/Aug/2020:08:58:31.133647534 +0200] conn=718 op=1 SRCH 
base="cn=accounts,dc=domain,dc=local" scope=2 filter="(uid=baseuser)" 
attrs="userPassword radiuscontrolattribute radiusrequestattribute 
radiusreplyattribute"
[06/Aug/2020:08:58:31.134478148 +0200] conn=718 op=1 RESULT err=0 tag=101 
nentries=1 etime=0.001025845
[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND 
dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 
nentries=0 etime=0.001149384 
dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
[06/Aug/2020:09:04:01.545769134 +0200] conn=718 op=-1 fd=93 closed - B1

Victor

 On Thursday, August 6, 2020, 07:56:34 AM UTC, Alexander Bokovoy 
<[email protected]> wrote:

 On Thu, 06 Aug 2020, Victor via FreeIPA-users wrote:
>Hello Rob,
>
>The problem is that the logs indicate the exact same search request (only timeLimit 
>differs: 10 vs 0) and bind credentials, which fail in the case of the rlm_ldap request 
>and succeed for ldapsearch:
>
>[06/Aug/2020:08:58:31.136692919 +0200] conn=718 op=2 BIND 
>dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
>[06/Aug/2020:08:58:31.137715478 +0200] conn=718 op=2 RESULT err=0 tag=97 
>nentries=0 etime=0.001149384 
>dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
>[06/Aug/2020:08:58:31.138383140 +0200] conn=719 op=1 SRCH 
>base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 
>filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))"
> attrs=ALL
>[06/Aug/2020:08:58:31.139216545 +0200] conn=719 op=1 RESULT err=0 tag=101 
>nentries=0 etime=0.000957345 <=FAIL
>[06/Aug/2020:08:58:37.001642847 +0200] conn=709 op=8 UNBIND


Could you please show the full output for the conn=719?
What it was using to bind to LDAP?

If it is an anonymous connection, it clearly cannot see the member
attribute, as the default ACIs prevent doing so for anonymous connections.
You need to always be authenticated on the connection that attempts to
look up member / memberof attributes.

>
>[06/Aug/2020:09:11:58.208794748 +0200] conn=728 op=0 BIND 
>dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local" method=128 version=3
>[06/Aug/2020:09:11:58.209617909 +0200] conn=728 op=0 RESULT err=0 tag=97 
>nentries=0 etime=0.007689079 
>dn="uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local"
>[06/Aug/2020:09:11:58.210289373 +0200] conn=728 op=1 SRCH 
>base="cn=groups,cn=accounts,dc=domain,dc=local" scope=2 
>filter="(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))"
> attrs=ALL
>[06/Aug/2020:09:11:58.211507678 +0200] conn=728 op=1 RESULT err=0 tag=101 
>nentries=1 etime=0.001385435 <=SUCCEED
>[06/Aug/2020:09:11:58.212246026 +0200] conn=728 op=2 UNBIND
>
>The Result:
># extended LDIF
>#
># LDAPv3
># base <cn=groups,cn=accounts,dc=domain,dc=local> with scope subtree
># filter: 
>(&(cn=*)(objectClass=ipausergroup)(member=uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local))
># requesting: ALL
>#
>
># ipausers, groups, accounts, domain.local
>dn: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=local
>objectClass: top
>objectClass: groupofnames
>objectClass: nestedgroup
>objectClass: ipausergroup
>objectClass: ipaobject
>description: Default group for all users
>cn: ipausers
>ipaUniqueID: c862bf44-d36b-11ea-84a9-3ed34312a8ce
>member: uid=baseuser,cn=users,cn=accounts,dc=domain,dc=local
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>
>
>Victor
>
>
>
> On Wednesday, August 5, 2020, 05:42:17 PM UTC, Rob Crittenden via 
> FreeIPA-users <[email protected]> wrote:
>
>
>
>
>
> Victor via FreeIPA-users wrote:
>> Hello,
>>
>> Everything is set up on the same machine as described here:
>> https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
>>
>> I'm trying to check whether a user belongs to a group or not:
>>
>> (0)    if (LDAP-Group == "someusers") {
>> (0)    Searching for user in group "someusers"
>> rlm_ldap (ldap): Reserved connection (6)
>> (0)    Using user DN from request 
>> "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
>> (0)    Checking for user in group objects
>> (0)      EXPAND 
>> (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
>> (0)          --> 
>> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
>> (0)      Performing search in 
>> "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter 
>> "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))",
>>  scope "sub"
>> (0)      Waiting for search result...
>> (0)      Search returned no results
>> (0)    Checking user object's memberOf attributes
>> (0)      Performing unfiltered search in 
>> "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
>> (0)      Waiting for search result...
>> (0)    No group membership attribute(s) found in user object
>> rlm_ldap (ldap): Released connection (6)
>>
>> but
>>
>> ldapsearch  -b "dc=domain,dc=local" 
>> "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))"
>>  -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=domain,dc=local> with scope subtree
>> # filter: 
>> (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
>> # requesting: ALL
>> #
>>
>> # someusers, groups, accounts, domain.local
>> dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: nestedgroup
>> objectClass: ipausergroup
>> objectClass: ipaobject
>> description: Default group for all users
>> cn: someusers
>> ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
>> member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
>> member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> and
>>
>>
>> ldapsearch  -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"  
>> -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope 
>> subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # common_user, users, accounts, domain.local
>> dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
>> displayName: utilisateur banal
>> uid: common_user
>> krbCanonicalName: [email protected]
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: ipasshuser
>> objectClass: ipaSshGroupOfPubKeys
>> objectClass: mepOriginEntry
>> objectClass: ipauserauthtypeclass
>> loginShell: /bin/bash
>> initials: ub
>> gecos: utilisateur banal
>> sn: banal
>> homeDirectory: /home/common_user
>> mail: [email protected]
>> krbPrincipalName: [email protected]
>> givenName: utilisateur
>> cn: utilisateur banal
>> ipaUniqueID: some_unique_ID
>> uidNumber: theSameNumber
>> gidNumber: theSameNumber
>> krbPasswordExpiration: the_pass_exp
>> krbLastPwdChange: the_pass_exp
>> memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
>> memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
>> ipaUserAuthType: o_type
>> ipaSshPubKey: some_pubkey
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Some of the configuration:
>>
>> /etc/raddb/sites-enabled/default
>> ...
>> user {
>>         base_dn = "${..base_dn}"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         sasl {
>>         }
>>     }
>>     group {
>>         base_dn = 
>> 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
>>         scope = 'sub'
>>         membership_filter = 
>> "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
>>         membership_attribute = 'memberOf'
>>     }
>>
>> /etc/raddb/mods-enabled/ldap
>> ...
>> post-auth {
>>     update {
>>         &reply: += &session-state:
>>     }
>>     -sql
>>     exec
>>     remove_reply_message_if_eap
>>     Post-Auth-Type REJECT {
>>         -sql
>>         attr_filter.access_reject
>>
>>         eap
>>
>>         remove_reply_message_if_eap
>>     }
>>     Post-Auth-Type Challenge {
>>     }
>>     if (LDAP-Group == "someusers") {
>>             update  {
>>                     reply:Class := "OKOKOKOKOK"
>>         }
>>     }
>>     else {
>>             update  {
>>                     reply:Class := "NONONONONO"
>>          }
>>     }
>> }
>>
>> Where to go from here?
>
>So looking at the log you provided:
>
>(0)      Performing search in
>"uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter
>"(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))",
>scope "sub"
>
>I can't make heads or tails of that filter, but it requires that
>cn=someusers and that will never be true so it will always fail.
>
>I would closely examine the 389-ds access logs after trying to
>identify/authenticate users to see what the logged filters look like to
>see if they are the same.
>
>I know literally zero about radius so take this with a grain of salt.
>
>rob
>_______________________________________________
>FreeIPA-users mailing list -- [email protected]
>To unsubscribe send an email to [email protected]
>Fedora Code of Conduct: 
>https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: 
>https://lists.fedorahosted.org/archives/list/[email protected]



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland