On Wed, 31 Aug 2016, Mike Jacobacci wrote:
Hi,

I have just got authentication against my FreeIPA system working by
following this: https://ask.fedoraproject.org/en/question/63089/how-can-i-integrate-freeipa-with-pfsense-for-authentication/

The only change I had to make was to set the Search Scope level to
"entire subtree" and I also left the extended query unchecked... With
that setup I am able to authenticate using
"Diagnostics->Authentication".

I really want to restrict access so I can use FreeIPA for our VPN auth
so I tried using the following extended query but it fails:
&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)

Looking in pfSense logs, using the extended query (fails):

[24/Aug/2016:11:07:16 -0700] conn=1396 fd=116 slot=116 SSL connection from * to *
[24/Aug/2016:11:07:16 -0700] conn=1396 TLS1.2 256-bit AES-GCM
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)))" attrs=ALL
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 UNBIND
[24/Aug/2016:11:07:16 -0700] conn=1396 op=2 fd=116 closed - U1

Without the query (success):
[30/Aug/2016:10:23:25 -0700] conn=6432 fd=110 slot=110 SSL connection from * to *
[30/Aug/2016:10:23:25 -0700] conn=6432 TLS1.2 256-bit AES-GCM
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs=ALL
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,cn=users,cn=accounts,dc=domain,dc=com"
[30/Aug/2016:10:23:25 -0700] conn=6433 fd=118 slot=118 SSL connection from * to *
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6432 op=3 fd=110 closed - U1
[30/Aug/2016:10:23:25 -0700] conn=6433 TLS1.2 256-bit AES-GCM
[30/Aug/2016:10:23:25 -0700] conn=6433 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6433 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Aug/2016:10:23:25 -0700] conn=6433 op=1 SRCH base="uid=user1,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs="memberOf"
[30/Aug/2016:10:23:25 -0700] conn=6433 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:10:23:25 -0700] conn=6433 op=2 UNBIND
[30/Aug/2016:10:23:25 -0700] conn=6433 op=2 fd=118 closed - U1

I changed the cn from accounts to compat for the auth container, but
that doesn't make a difference. The last search shows attrs="memberOf",
but anytime I add an extended query the logs show attrs="all", not sure
if that means anything. I tried adding the full memberOf path under the
group member attribute, but that didn't restrict access; authentication
still succeeds.

[30/Aug/2016:10:42:12 -0700] conn=6460 op=1 SRCH base="uid=user3,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user3)" attrs="memberof=cn=admins,cn=groups,cn=compat,dc=domain,dc=com"
[30/Aug/2016:10:42:12 -0700] conn=6460 op=1 RESULT err=0 tag=101 nentries=1 etime=0

When doing an ldapsearch, I can see the group:

# admins, groups, compat, domain.com
dn: cn=admins,cn=groups,cn=compat,dc=domain,dc=com
ipaAnchorUUID::
gidNumber: 50000
memberUid: admin
memberUid: user1
memberUid: user2
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
cn: admins

Any help would be greatly appreciated.

FreeIPA 4.x requires authenticated bind to be able to see member
attributes of the groups in the main subtree. Your pfSense is using
anonymous bind, thus not being able to see them.

Also, don't use the cn=compat,$suffix subtree; it does not help for your task.
Your pfSense device expects different schema than the one provided by
the Compatibility Tree.

--
/ Alexander Bokovoy
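The two conditions Alexander points at are both visible in the 389-ds access log Mike posted: a BIND with dn="" (anonymous) followed by a SRCH whose filter uses memberOf and whose RESULT has nentries=0, and a search base under cn=compat. The script below is an added example, not code from the thread, from pfSense or from FreeIPA; it parses access log lines of that shape and reports those two findings per connection. The sample lines are constructed: conn=1396 and conn=6432 are abridged from the lines above, and conn=7001 is hypothetical (a non-anonymous bind as a made-up system account uid=pfsense,cn=sysaccounts,cn=etc,... with the memberOf filter under cn=accounts) to show what a working lookup looks like. The finding texts, function names and the RFC 4515 escaping helper are mine.

```python
"""Added example: flag anonymous-bind memberOf lookups and cn=compat search
bases in 389-ds access log lines (not from the thread, pfSense or FreeIPA)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Findings the diagnoser can emit (wording is this example's, not 389-ds's).
ANON_MEMBEROF = 'anonymous bind (dn="") with a memberOf filter returned no entries: bind with a real DN'
COMPAT_BASE = "search base is under cn=compat: use cn=accounts,<suffix> for memberOf lookups"

# Only the access log fields this diagnoser needs.
LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?:fd=\d+ slot=\d+ )?(?:op=(?P<op>\d+) )?(?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=\d+')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d filter="(?P<filter>[^"]*)" attrs=(?P<attrs>.*)$')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')

@dataclass
class Search:
    op: int
    base: str
    filter: str
    attrs: str
    nentries: Optional[int] = None   # filled in from the matching RESULT line
    err: Optional[int] = None

@dataclass
class Conn:
    conn: int
    binds: Dict[int, str] = field(default_factory=dict)        # op -> bind DN, "" = anonymous
    searches: Dict[int, Search] = field(default_factory=dict)  # op -> search

def parse_access_log(text: str) -> Dict[int, Conn]:
    """Group BIND/SRCH/RESULT operations by connection; a RESULT is matched to
    its SRCH by (conn, op), so interleaved connections are handled correctly."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(int(m["conn"]), Conn(int(m["conn"])))
        op = int(m["op"]) if m["op"] is not None else -1
        rest = m["rest"]
        if (b := BIND_RE.match(rest)):
            c.binds[op] = b["dn"]
        elif (s := SRCH_RE.match(rest)):
            c.searches[op] = Search(op, s["base"], s["filter"], s["attrs"])
        elif (r := RESULT_RE.match(rest)) and op in c.searches:
            c.searches[op].nentries = int(r["n"])
            c.searches[op].err = int(r["err"])
    return conns

def diagnose(conn: Conn) -> List[str]:
    """Findings for one connection; an empty list means nothing suspicious."""
    findings: List[str] = []
    for s in sorted(conn.searches.values(), key=lambda x: x.op):
        # The identity in force for a search is the most recent BIND before it.
        earlier = [op for op in conn.binds if op < s.op]
        bind_dn = conn.binds[max(earlier)] if earlier else ""
        if bind_dn == "" and "memberof=" in s.filter.lower() and s.nentries == 0:
            findings.append(ANON_MEMBEROF)
        base = s.base.lower()
        if base.startswith("cn=compat,") or ",cn=compat," in base:
            findings.append(COMPAT_BASE)
    return findings

def diagnose_log(text: str) -> Dict[int, List[str]]:
    return {cid: diagnose(c) for cid, c in parse_access_log(text).items()}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter: the uid pfSense
    inserts comes from the login form and must not be able to add clauses."""
    return "".join("\\%02x" % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def pfsense_filter(uid: str, extended_query: str) -> str:
    """Reproduce the filter shape seen in the log: (&(uid=<user>)(<extended query>))."""
    return "(&(uid=%s)(%s))" % (escape_filter_value(uid), extended_query)

# Constructed sample: conn=1396 and conn=6432 abridged from the thread,
# conn=7001 hypothetical (system account DN is made up for the example).
SAMPLE_LOG = """\
[24/Aug/2016:11:07:16 -0700] conn=1396 fd=116 slot=116 SSL connection from * to *
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3
[24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)))" attrs=ALL
[24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs=ALL
[30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com" method=128 version=3
[01/Sep/2016:09:00:00 -0700] conn=7001 op=0 BIND dn="uid=pfsense,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[01/Sep/2016:09:00:00 -0700] conn=7001 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user1)(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com))" attrs=ALL
[01/Sep/2016:09:00:00 -0700] conn=7001 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

if __name__ == "__main__":
    for cid, findings in diagnose_log(SAMPLE_LOG).items():
        print("conn=%d: %s" % (cid, findings or ["ok"]))
```

Run against a real access log (pipe the file into parse_access_log) the report separates "the bind could not read memberOf" from "the filter never matched". In pfSense terms the remedy is the one in the reply: stop binding anonymously (untick "Bind anonymous" on the LDAP server entry and give it a bind DN and password, normally a dedicated FreeIPA system account), keep the base under cn=accounts, and the memberOf extended query then returns the user. pfSense builds the filter itself, so the escaping helper matters only if you assemble the filter in your own tooling.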

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project