Hi,
Can anyone please tell me what the correct filter is for checking whether a username is 
a member of a certain security group within Sources > Rules? Currently 
I have two rules, one to give full web admin access, another to give node 
access, and another catch-all rule just to allow my users on. However, the 
filter in my Full Web Admin rule is failing, and PacketFence is giving 
EVERYBODY full access to the web GUI.

I've tried the full DN of the group, but this also isn't working.

The authentication.conf for that source and its rules is:
[DC01]
description=DC01
password=password
scope=sub
binddn=CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=ac,DC=uk
basedn=OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk
usernameattribute=sAMAccountName
encryption=none
port=389
type=AD
host=192.168.1.1

[DC01 rule Full_Web_Admin]
description=
match=any
action0=set_access_level=ALL
action1=set_role=default
action2=set_unreg_date=2015-08-31
condition0=memberOf,is member of, CN=SCS,OU=IT,OU=Library,OU=Finance, OU=Staff,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk

[DCCY01 rule Advisors_Access]
description=
match=any
action0=set_access_level=Node Manager
action1=set_role=default
action2=set_unreg_date=2015-08-31
condition0=memberOf,is member of, CN=PFAdmin,OU=IT,OU=Library,OU=Finance, OU=Staff,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk

[DCCY01 rule default]
description=
match=all
action0=set_role=default
action1=set_unreg_date=2015-08-31

httpd.admin.log shows the user conf8, a standard user, logging into the web 
portal:
Aug 21 10:06:23 httpd.admin(3338) ERROR: unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
Aug 21 10:06:23 httpd.admin(3338) WARN: [DC01] Authentication successful for conf8 (pf::Authentication::Source::LDAPSource::authenticate)
Aug 21 10:06:23 httpd.admin(3338) INFO: Authentication successful for conf8 in source DC01 (AD) (pf::authentication::authenticate)
Aug 21 10:06:23 httpd.admin(3338) ERROR: [DCCY01] Unable to execute search (|(member=CN=Temporary Conferencing (conf8),OU=Conference Attendees,OU=Other,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk)(uniqueMember=CN=Temporary Conferencing (conf8),OU=Conference Attendees,OU=Other,OU=User Accounts,DC=internal,DC=uwic,DC=ac,DC=uk)(memberUid=CN=CNF,OU=Conference Attendees,OU=Other,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk)) from CN=SCS,OU=IT,OU=Library,OU=Finance, OU=Staff,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk on 192.168.1.1:389, we skip the condition (Bad filter). (pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 21 10:06:23 httpd.admin(3338) INFO: [DC01 Full_Web_Admin] Found a match (CN=Temporary Conferencing (conf8),OU=Conference Attendees,OU=Other,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 21 10:06:23 httpd.admin(3338) INFO: Matched rule (Full_Web_Admin) in source DC01, returning actions. (pf::Authentication::Source::match)

Can anyone help please?

Cheers,
Andi
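Added example, not part of Andi's post and not PacketFence code: the search the log reports as a "Bad filter" embeds the user's DN verbatim, and that DN's CN, "Temporary Conferencing (conf8)", contains parentheses. Under RFC 4515 a parenthesis inside an assertion value must be escaped as \28 / \29 (likewise \ as \5c, * as \2a and NUL as \00), otherwise the directory reads it as filter grouping and rejects the whole filter. The Python below escapes a DN for use inside a filter, rebuilds a member/uniqueMember/memberUid filter in the same shape as the logged one, and includes a small recursive-descent checker for RFC 4515 filter syntax so a filter can be verified as well-formed before it is sent to a directory. The user DN and uid are copied from the log above as constructed sample input; the checker is a deliberately small syntax check (and/or/not plus simple attr=value items), not a complete RFC 4515 parser.

```python
"""Added example (not from the post or PacketFence): RFC 4515 escaping for
LDAP search filters, plus a small well-formedness checker.

The filter PacketFence logged embeds the user's DN verbatim. Because the CN
"Temporary Conferencing (conf8)" contains parentheses, the directory reads
them as filter grouping and rejects the whole filter ("Bad filter")."""
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}
_HEX = set("0123456789abcdefABCDEF")

# User DN and uid as they appear in the log (constructed sample input).
USER_DN = ("CN=Temporary Conferencing (conf8),OU=Conference Attendees,OU=Other,"
           "OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk")
USER_UID = "conf8"


def escape_filter_value(value: str) -> str:
    """Escape a value for inclusion in an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def member_filter(user_dn: str, uid: str, escape: bool = True) -> str:
    """Build a group-membership filter in the same shape as the logged one:
    member/uniqueMember hold the user's DN, memberUid holds the uid.
    escape=False reproduces the broken, unescaped form for comparison."""
    esc = escape_filter_value if escape else (lambda s: s)
    dn = esc(user_dn)
    return f"(|(member={dn})(uniqueMember={dn})(memberUid={esc(uid)}))"


def _parse_filter(flt: str, i: int) -> int:
    """Recursive-descent check of one '(...)' filter starting at index i.
    Returns the index just past its closing ')' or raises ValueError."""
    if i >= len(flt) or flt[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(flt):
        raise ValueError("unexpected end of filter")
    op = flt[i]
    if op in "&|":                       # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(flt) and flt[i] == "(":
            i = _parse_filter(flt, i)
            count += 1
        if count == 0:
            raise ValueError(f"empty filter list at {i}")
    elif op == "!":                      # not: exactly one sub-filter
        i = _parse_filter(flt, i + 1)
    else:                                # simple item: attr filtertype value
        m = re.match(r"[A-Za-z][A-Za-z0-9.;-]*(~=|>=|<=|=)", flt[i:])
        if not m:
            raise ValueError(f"bad attribute/operator at {i}")
        i += m.end()
        while i < len(flt) and flt[i] != ")":
            ch = flt[i]
            if ch in "(\x00":            # bare '(' or NUL is never legal in a value
                raise ValueError(f"unescaped {ch!r} in value at {i}")
            if ch == "\\":               # escape must be followed by exactly two hex digits
                pair = flt[i + 1:i + 3]
                if len(pair) != 2 or not set(pair) <= _HEX:
                    raise ValueError(f"bad escape sequence at {i}")
                i += 3
                continue
            i += 1
    if i >= len(flt) or flt[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1


def filter_is_well_formed(flt: str) -> bool:
    """True if flt is a single, fully consumed RFC 4515 filter."""
    try:
        return _parse_filter(flt, 0) == len(flt)
    except ValueError:
        return False


if __name__ == "__main__":
    for escaped in (False, True):
        flt = member_filter(USER_DN, USER_UID, escape=escaped)
        print(f"escaped={escaped}: well-formed={filter_is_well_formed(flt)}")
        print("  " + flt)
```

Run as-is, the unescaped form (the one in the log) fails the check while the escaped form passes; any value that comes from user-controlled directory data (CN, displayName, uid) should go through escape_filter_value before being interpolated into a filter, since unescaped metacharacters are also how LDAP filter injection works.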
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users