Hi Andi,
I think this issue has been fixed with this commit:
https://github.com/inverse-inc/packetfence/commit/791db0a7cc6eb5a85fd6c827f737c5598a52f2c8
Can you run pf-maint.pl under addons and retry?
Regards
Fabrice
On 2014-08-21 05:23, Morris, Andi wrote:
Hi,
Can anyone please tell me what the correct filter for checking if a
username is a member of a certain security group within the
sources>rules please? Currently I have two rules, one to give full web
admin access, another to give node access, and another catch all rule
just to allow my users on. However the filter in my Full Web Admin
rule is failing, and PacketFence is giving EVERYBODY full access to
the web gui.
I’ve tried the full DN of the group, but this also isn’t working.
Authentication.conf for that source and rules is:
[DC01]
description=DC01
password=password
scope=sub
binddn=CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=ac,DC=uk
basedn=OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk
usernameattribute=sAMAccountName
encryption=none
port=389
type=AD
host=192.168.1.1
[DC01 rule Full_Web_Admin]
description=
match=any
action0=set_access_level=ALL
action1=set_role=default
action2=set_unreg_date=2015-08-31
condition0=memberOf,is member of, CN=SCS,OU=IT,OU=Library,OU=Finance, OU=Staff,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk
[DCCY01 rule Advisors_Access]
description=
match=any
action0=set_access_level=Node Manager
action1=set_role=default
action2=set_unreg_date=2015-08-31
condition0=memberOf,is member of, CN=PFAdmin,OU=IT,OU=Library,OU=Finance, OU=Staff,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk
[DCCY01 rule default]
description=
match=all
action0=set_role=default
action1=set_unreg_date=2015-08-31
https.admin.log shows the user conf8, a standard user, logging into
the web portal:
Aug 21 10:06:23 httpd.admin(3338) ERROR: unable to read password file
'/usr/local/pf/conf/admin.conf'
(pf::Authentication::Source::HtpasswdSource::authenticate)
Aug 21 10:06:23 httpd.admin(3338) WARN: [DC01] Authentication
successful for conf8
(pf::Authentication::Source::LDAPSource::authenticate)
Aug 21 10:06:23 httpd.admin(3338) INFO: Authentication successful for
conf8 in source DC01 (AD) (pf::authentication::authenticate)
Aug 21 10:06:23 httpd.admin(3338) ERROR: [DCCY01] Unable to execute
search (|(member=CN=Temporary Conferencing (conf8),OU=Conference
Attendees,OU=Other,OU=User
Accounts,DC=internal,DC=domain,DC=ac,DC=uk)(uniqueMember=CN=Temporary
Conferencing (conf8),OU=Conference Attendees,OU=Other,OU=User
Accounts,DC=internal,DC=uwic,DC=ac,DC=uk)(memberUid=CN=CNF,OU=Conference
Attendees,OU=Other,OU=User
Accounts,DC=internal,DC=domain,DC=ac,DC=uk)) from
CN=SCS,OU=IT,OU=Library,OU=Finance, OU=Staff,OU=User
Accounts,DC=internal,DC=domain,DC=ac,DC=uk on 192.168.1.1:389, we skip
the condition (Bad filter).
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 21 10:06:23 httpd.admin(3338) INFO: [DC01 Full_Web_Admin] Found a
match (CN=Temporary Conferencing (conf8),OU=Conference
Attendees,OU=Other,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk)
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 21 10:06:23 httpd.admin(3338) INFO: Matched rule (Full_Web_Admin)
in source DC01, returning actions. (pf::Authentication::Source::match)
Can anyone help please?
Cheers,
Andi
------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds. Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
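
Added example, not part of the thread and not PacketFence's code or the content of the linked commit: the log above shows a membership filter built from a user DN containing "(conf8)", rejected as "Bad filter", and the rule then matching anyway. Assuming the unescaped parentheses are what the server rejects, this sketch escapes the value per RFC 4515, validates the filter (equality, substring and presence items only), and treats any failure as a non-match. USER_DN is constructed and `search` is a hypothetical callable that takes a filter string and returns the matching entries.

```python
import re
# Constructed sample shaped like the user DN in the log; note the "(conf8)".
USER_DN = ("CN=Temporary Conferencing (conf8),OU=Conference Attendees,"
           "OU=Other,OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk")
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# attribute "=" value, where value has no raw ( ) \ NUL, only \XX hex escapes
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9;.-]*=(?:[^()\\\0]|\\[0-9a-fA-F]{2})*")

def escape_filter_value(value):
    """Escape an assertion value as RFC 4515 requires."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)

def member_filter(user_dn, escape=True):
    """Build a membership filter like the one in the log (two of its terms)."""
    v = escape_filter_value(user_dn) if escape else user_dn
    return "(|(member=%s)(uniqueMember=%s))" % (v, v)

def _parse(s, i):
    """Parse one filter at s[i]; return the index just past it or raise."""
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|"):
        i = _parse(s, i + 1)
        while s[i:i + 1] == "(":
            i = _parse(s, i)
    elif s[i:i + 1] == "!":
        i = _parse(s, i + 1)
    else:
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError("expected attribute=value at %d" % i)
        i = m.end()
    if s[i:i + 1] != ")":
        raise ValueError("expected ')' at %d" % i)
    return i + 1

def is_valid_filter(s):
    """True if s is a well-formed filter in the subset handled here."""
    try:
        return _parse(s, 0) == len(s)
    except ValueError:
        return False

def condition_matches(search, flt):
    """Fail closed: an invalid filter or a failed search is a non-match."""
    try:
        return is_valid_filter(flt) and bool(search(flt))
    except Exception:
        return False
```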