Group checking in LDAP module


Group checking in LDAP module

uj2.hahn
Hi, I have some (probably) basic questions about how to deal with group checks
in the LDAP module.

I set up LDAP with OpenLDAP and authorization works fine. Now I want to
extend the functionality with some group-related post-auth checks.
Each user is a member of a group. Some users are members of more than
one group.

freeradius -X shows me the following lines:

(0) ldap: Group DN "cn=lehrer,ou=groups,dc=kms,dc=de" resolves to name "lehrer"
(0) ldap: Resolving group DN "cn=gast,ou=groups,dc=kms,dc=de" to group name
(0) ldap: Performing unfiltered search in "cn=gast,ou=groups,dc=kms,dc=de", scope "base"
(0) ldap: Waiting for search result...
(0) ldap: Group DN "cn=gast,ou=groups,dc=kms,dc=de" resolves to name "gast"
(0) ldap: Adding cacheable user object memberships
(0) ldap: &control:LDAP-Group += "lehrer"
(0) ldap: &control:LDAP-Group += "gast"

This is all fine because the user belongs to two groups.
My assumption is that control:LDAP-Group now contains both group names,
e.g. "lehrer gast".
For debugging purposes I output the value as reply message in the
post-auth section.
But logfile says:

(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update reply {
(0) EXPAND %{control:LDAP-Group}
(0) --> lehrer
(0) Reply-Message := lehrer

Here the output is just the first group name, the other one is missing.
Why is that?
------------------------------------------------------------------------------------------------------------------------------------
And there is a second question:

The LDAP module has a check filter in the group section:

membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

During run time this filter does not generate any output:

(0) ldap: EXPAND (&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0) ldap: --> (&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))
(0) ldap: Performing search in "ou=people,dc=kms,dc=de" with filter "(&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
(0) ldap: No cacheable group memberships found in group objects

This is strange. When I run ldapsearch with the same filter I do get results:

ldapsearch -x -LLL -H ldap:/// -b dc=kms,dc=de -s sub "(&(objectClass=groupofnames)(|(member=uid=uhahn,ou=people,dc=kms,dc=de)(memberUid=jhahn)))"
dn: cn=lehrer,ou=groups,dc=kms,dc=de
cn: lehrer
description: All users
objectClass: groupOfNames
objectClass: top
member: uid=uhahn,ou=people,dc=kms,dc=de
member: uid=mmeier,ou=people,dc=kms,dc=de

dn: cn=gast,ou=groups,dc=kms,dc=de
cn: gast
description: All users
objectClass: groupOfNames
objectClass: top
member: uid=gast,ou=people,dc=kms,dc=de
member: uid=uhahn,ou=people,dc=kms,dc=de

What's wrong here?

Thanks a lot for help

Uwe
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Group checking in LDAP module

Alan DeKok-2
On Jan 5, 2020, at 12:21 PM, [hidden email] wrote:

>
> Hi, I have some (probably) basic questions how to deal with Group checks in LDAP module.
>
> I setup LDAP with OpenLDAP and authorization works fine. Now I want to extend functionality by some group related post-auth checks.
> Each user is a member of a group. Some users are members of more than one group.
>
> freeradius -X shows me the following lines:
>
> (0) ldap: Group DN "cn=lehrer,ou=groups,dc=kms,dc=de" resolves to name "lehrer"
> (0) ldap: Resolving group DN "cn=gast,ou=groups,dc=kms,dc=de" to group name
> (0) ldap: Performing unfiltered search in "cn=gast,ou=groups,dc=kms,dc=de", scope "base"
> (0) ldap: Waiting for search result...
> (0) ldap: Group DN "cn=gast,ou=groups,dc=kms,dc=de" resolves to name "gast"
> (0) ldap: Adding cacheable user object memberships
> (0) ldap: &control:LDAP-Group += "lehrer"
> (0) ldap: &control:LDAP-Group += "gast"

  Note: two "LDAP-Group" attributes.

> This is all fine because the user belongs to two groups.
> My assumption is, that control:LDAP-Group now contains both group names, e.g. "lehrer gast".
> For debugging purposes I output the value as reply message in the post-auth section.
> But logfile says:
>
> (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
> (0) post-auth {
> (0) update reply {
> (0) EXPAND %{control:LDAP-Group}
> (0) --> lehrer

  Which is the first one.  Because %{control:LDAP-Group} only gets the first one.  See "man unlang".

> (0) Reply-Message := lehrer
>
> Here the output is just the first group name, the other one is missing.
> Why is that?

  If you want both, you should use %{control:LDAP-Group[*]}.  Again, see "man unlang".

> ------------------------------------------------------------------------------------------------------------------------------------
> And there is a second question:
>
> LDAP module has a check filter in the group section :
>
> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>
> During run time this filter does not generate any output:
>
> (0) ldap: EXPAND (&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (0) ldap: --> (&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))
> (0) ldap: Performing search in "ou=people,dc=kms,dc=de" with filter "(&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: Search returned no results

  That seems clear.  The filter doesn't return any results.

> (0) ldap: No cacheable group memberships found in group objects
>
> This is strange. When I run ldapsearch with same filter I do get results:
>
> ldapsearch -x -LLL -H ldap:/// -b dc=kms,dc=de  -s sub "(&(objectClass=groupofnames)(|(member=uid=uhahn,ou=people,dc=kms,dc=de)(memberUid=jhahn)))"

  Does the RADIUS server have permission to read those attributes?  See mods-available/ldap in recent releases.  It has complete instructions for running ldapsearch.

  Alan DeKok.



Re: Group checking in LDAP module

uj2.hahn
Hi, Alan!
Thanks a lot for your response.
I had already found out about the "+=" operator behavior before. This is
pretty different from other languages I know. Anyway, I fixed it with the
same solution you wrote me.

For the second question (no output from the group filter) I found the
reason. My base DN setting was incorrect.
Now everything is working fine and I can proceed to the next step. I'm
afraid I will then come up with new basic questions......

Regards
Uwe

On 06.01.2020 18:02, Alan DeKok wrote:

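Putting the two answers in this thread together, here is an added example (not the poster's configuration and not FreeRADIUS's shipped config) of a group section whose base_dn points at the container the group DNs in the debug output actually live in, and a post-auth section that reads every cached group name instead of only the first. It assumes the ldap module instance is named "ldap" (as the `&control:LDAP-Group` debug lines imply), that the groups sit under ou=groups,dc=kms,dc=de, and that user entries carry memberOf.

```unlang
# mods-available/ldap: the group { } section inside the ldap { } module block.
# Added example, not the poster's config. The groups seen in the thread live
# under ou=groups,dc=kms,dc=de, so the group search must start there; searching
# ou=people (as in the debug output) can never match a groupOfNames entry.
group {
	base_dn = "ou=groups,dc=kms,dc=de"
	filter = "(objectClass=groupOfNames)"
	name_attribute = cn

	# Match on the user's DN (from the user lookup) or on memberUid.
	membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

	# Assumption: user entries carry memberOf, which is the "user object
	# memberships" path visible in the debug output.
	membership_attribute = memberOf

	# Cache the names as &control:LDAP-Group so later checks need no
	# further LDAP round trip.
	cacheable_name = yes
	cacheable_dn = no
}

# sites-enabled/default: post-auth section.
post-auth {
	# %{control:LDAP-Group} expands only the first instance ("lehrer").
	# [*] expands every instance, comma separated ("lehrer,gast");
	# [#] expands to the number of instances ("2").
	update reply {
		&Reply-Message := "groups=%{control:LDAP-Group[*]} count=%{control:LDAP-Group[#]}"
	}

	# Membership check against the cached names (needs cacheable_name = yes).
	# Filter-Id is used here only as an assumed example reply attribute.
	if (LDAP-Group == "lehrer") {
		update reply {
			&Filter-Id := "lehrer"
		}
	}
}
```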