Bug #13093
openLDAP authentication fails with extended query and RFC2307 group lookups enabled
0%
Description
LDAP authentication fails with extended query and RFC2307 group lookups enabled
With Extended Query On and RFC2307 Groups off (Works):¶
First (Why is it searching that base?):
Base
uid=testuser,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(uid=testuser)
Number of Results
0
Then:
Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(&(uid=testuser)(&(objectClass=inetOrgPerson)(memberOf=cn=vpn,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)))
Number of Results
1
Then:
Bind to:
User testuser authenticated successfully. This user is a member of groups:
With Extended Query off and RFC2307 Groups on, Use DN for username search on (Works):¶
First:
bind to
Distinguished Name
uid=testuser,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Successful
Then:
Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(uid=testuser)
Number of Results
1
Then (Yes, it was logged twice):
Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(uid=testuser)
Number of Results
1
Then:
Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(&(objectClass=groupOfNames)(member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com))
Number of Results
3
User testuser authenticated successfully. This user is a member of groups:
Nextcloud
VPN
With Extended Query on and RFC2307 Groups on, Use DN for username search on (Fails):¶
Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(&(member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)(&(objectClass=inetOrgPerson)(memberOf=cn=vpn,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)))
Number of Results
0
The following input errors were detected:
Authentication failed.
This looks like it is putting the extended query where it does not belong. It also looks like it is searching for the user as if it was a group with the member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com query but it's also setting an objectClass=inetOrgPerson which is never going to succeed.
To me it should perform the user search with the extended query to get the DN then use that DN to search groupOfNames for the member=
Seems like it should test the bind to authenticate the user before the group search just to save unnecessary lookups if the authentication is just going to fail.
One should be able to use an extended query to limit the users to a specific group and do a query to get the list of groups the user is a member of. That does not look to be possible currently.
Related issues
Updated by Viktor Gurov 2 months ago
- Related to Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers. added
Updated by Viktor Gurov 2 months ago
- Assignee set to Viktor Gurov
- Target version set to 2.7.0
- Plus Target Version set to 22.05
I found an issue where the Extended query is always used, regardless of the "Enable extended query" checkbox:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/746
But unable to reproduce other issues.
Could you provide a sanitized <authserver>
config entry to check?
Updated by Chris Linstruth 2 months ago
<authserver> <refid>625fe60aa1df2</refid> <type>ldap</type> <name>JumpCloud</name> <ldap_caref>global</ldap_caref> <ldap_certref></ldap_certref> <host>ldap.jumpcloud.com</host> <ldap_port>389</ldap_port> <ldap_urltype>STARTTLS Encrypted</ldap_urltype> <ldap_protver>3</ldap_protver> <ldap_scope>one</ldap_scope> <ldap_basedn><![CDATA[ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com]]></ldap_basedn> <ldap_authcn><![CDATA[ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com]]></ldap_authcn> <ldap_extended_enabled>yes</ldap_extended_enabled> <ldap_extended_query><![CDATA[&(objectClass=inetOrgPerson)(memberOf=cn=VPN,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)]]></ldap_extended_query> <ldap_attr_user><![CDATA[uid]]></ldap_attr_user> <ldap_attr_group><![CDATA[cn]]></ldap_attr_group> <ldap_attr_member><![CDATA[member]]></ldap_attr_member> <ldap_attr_groupobj><![CDATA[groupOfNames]]></ldap_attr_groupobj> <ldap_pam_groupdn></ldap_pam_groupdn> <ldap_binddn><![CDATA[uid=binddn,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com]]></ldap_binddn> <ldap_bindpw><![CDATA[secret_squirrel_bind_password]]></ldap_bindpw> <ldap_timeout>25</ldap_timeout> <ldap_rfc2307_userdn></ldap_rfc2307_userdn> </authserver>
Updated by Jim Pingle about 1 month ago
- Status changed from New to Feedback
The PR above was merged a while ago, needs re-tested.
If there is still a problem this should be moved to 22.09 so we have more time to work out the details.
Updated by Chris Linstruth 29 days ago
I think this is probably still not right.
Updated by Chris Linstruth 29 days ago
Extended query works.
RFC2307 groups work.
Authentication fails when both are enabled.
The site I'm testing against is SSL so I have no visibility. I need to spin up another LDAP server that supports memberOf to test it in-the-clear which is a non-trivial project.
Updated by Jim Pingle 29 days ago
- Status changed from Feedback to In Progress
- Assignee changed from Viktor Gurov to Chris Linstruth
- Plus Target Version changed from 22.05 to 22.09
OK, we'll nudge this forward for now and proceed once we have more detail.
Updated by Jim Pingle about 14 hours ago
- Plus Target Version changed from 22.09 to 22.11
Updated by Chris Linstruth about 9 hours ago
OK. It looks like it is combining the RFC2307 query and the extended query into something that cannot match when both extended query and RFC2307 groups are enabled. This is after the initial DN search and bind as the authenticating user. In other words, during the extended query. Since this must return success for the extended query to work, it always fails.
Filter: (&(member=uid=cjl,cn=users,cn=accounts,dc=example,dc=com)(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com))
The extended query is set to memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com
and member
is the RFC2307 group attribute that is in the posixGroup entries. Both of those filters will never match a posixUser entry.
I believe it should initially filter on (&(DN_RETURNED_BY_INITIAL_SEARCH)(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com))
Then it should move on to processing the RFC2307 group memberships.
Updated by Chris Linstruth about 8 hours ago
(&(DN_RETURNED_BY_INITIAL_SEARCH)(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com))
That doesn't work. The DN doesn't match.
This works: (&(uid=cjl)(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com))
I don't know if that's too broad - possibly including other entries.
Uncle Internet says to do this to limit the search to one DN:
ldapsearch -x -D 'uid=binduser,cn=sysaccounts,cn=etc,dc=example,dc=com' -b 'uid=cjl,cn=users,cn=accounts,dc=example,dc=com' -s base -W '(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com)'