Project

General

Profile

Actions
Copy link

Bug #13093

open

LDAP authentication fails with extended query and RFC2307 group lookups enabled

Added by Chris Linstruth 2 months ago. Updated about 8 hours ago.

Status:
In Progress
Priority:
Normal
Assignee:
Chris Linstruth
Category:
Authentication
Target version:
2.7.0
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.11
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

LDAP authentication fails with extended query and RFC2307 group lookups enabled

With Extended Query On and RFC2307 Groups off (Works):

First (Why is it searching that base?):

Base
 uid=testuser,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (uid=testuser)
Number of Results
 0

Then:

Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (&(uid=testuser)(&(objectClass=inetOrgPerson)(memberOf=cn=vpn,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)))
Number of Results
 1

Then:

Bind to:
User testuser authenticated successfully. This user is a member of groups:

With Extended Query off and RFC2307 Groups on, Use DN for username search on (Works):

First:

bind to 
   Distinguished Name
 uid=testuser,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com 
  Successful

Then:

Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com 
Search Filter
 (uid=testuser)
Number of Results
 1

Then (Yes, it was logged twice):

Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com 
Search Filter
 (uid=testuser)
Number of Results
 1

Then:

Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (&(objectClass=groupOfNames)(member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com))
Number of Results
 3
User testuser authenticated successfully. This user is a member of groups:
    Nextcloud
    VPN

With Extended Query on and RFC2307 Groups on, Use DN for username search on (Fails):

Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (&(member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)(&(objectClass=inetOrgPerson)(memberOf=cn=vpn,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)))
Number of Results
 0
The following input errors were detected:
  Authentication failed.

This looks like it is putting the extended query where it does not belong. It also looks like it is searching for the user as if it was a group with the member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com query but it's also setting an objectClass=inetOrgPerson which is never going to succeed.

To me it should perform the user search with the extended query to get the DN then use that DN to search groupOfNames for the member=

Seems like it should test the bind to authenticate the user before the group search just to save unnecessary lookups if the authentication is just going to fail.

One should be able to use an extended query to limit the users to a specific group and do a query to get the list of groups the user is a member of. That does not look to be possible currently.

Related issues

Related to Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers.ResolvedSteve Powers05/16/2019

Actions
Actions
Copy link
 #1

Updated by Viktor Gurov 2 months ago

  • Related to Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers. added
Actions
Copy link
 #2

Updated by Viktor Gurov 2 months ago

  • Affected Version set to 2.6.0
Actions
Copy link
 #3

Updated by Viktor Gurov 2 months ago

  • Assignee set to Viktor Gurov
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05

I found an issue where the Extended query is always used, regardless of the "Enable extended query" checkbox:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/746

But unable to reproduce other issues.
Could you provide a sanitized <authserver> config entry to check?

Actions
Copy link
 #4

Updated by Chris Linstruth 2 months ago 

<authserver>
            <refid>625fe60aa1df2</refid>
            <type>ldap</type>
            <name>JumpCloud</name>
            <ldap_caref>global</ldap_caref>
            <ldap_certref></ldap_certref>
            <host>ldap.jumpcloud.com</host>
            <ldap_port>389</ldap_port>
            <ldap_urltype>STARTTLS Encrypted</ldap_urltype>
            <ldap_protver>3</ldap_protver>
            <ldap_scope>one</ldap_scope>
            <ldap_basedn><![CDATA[ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com]]></ldap_basedn>
            <ldap_authcn><![CDATA[ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com]]></ldap_authcn>
            <ldap_extended_enabled>yes</ldap_extended_enabled>
            <ldap_extended_query><![CDATA[&amp;(objectClass=inetOrgPerson)(memberOf=cn=VPN,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)]]></ldap_extended_query>
            <ldap_attr_user><![CDATA[uid]]></ldap_attr_user>
            <ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
            <ldap_attr_member><![CDATA[member]]></ldap_attr_member>
            <ldap_attr_groupobj><![CDATA[groupOfNames]]></ldap_attr_groupobj>
            <ldap_pam_groupdn></ldap_pam_groupdn>
            <ldap_binddn><![CDATA[uid=binddn,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com]]></ldap_binddn>
            <ldap_bindpw><![CDATA[secret_squirrel_bind_password]]></ldap_bindpw>
            <ldap_timeout>25</ldap_timeout>
            <ldap_rfc2307_userdn></ldap_rfc2307_userdn>
        </authserver>
Actions
Copy link
 #5

Updated by Chris Linstruth 2 months ago

.

Actions
Copy link
 #6

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Feedback

The PR above was merged a while ago, needs re-tested.

If there is still a problem this should be moved to 22.09 so we have more time to work out the details.

Actions
Copy link
 #7

Updated by Chris Linstruth 29 days ago

I think this is probably still not right.

Actions
Copy link
 #8

Updated by Chris Linstruth 29 days ago

Extended query works.

RFC2307 groups work.

Authentication fails when both are enabled.

The site I'm testing against is SSL so I have no visibility. I need to spin up another LDAP server that supports memberOf to test it in-the-clear which is a non-trivial project.

Actions
Copy link
 #9

Updated by Jim Pingle 29 days ago

  • Status changed from Feedback to In Progress
  • Assignee changed from Viktor Gurov to Chris Linstruth
  • Plus Target Version changed from 22.05 to 22.09

OK, we'll nudge this forward for now and proceed once we have more detail.

Actions
Copy link
 #10

Updated by Jim Pingle about 14 hours ago

  • Plus Target Version changed from 22.09 to 22.11
Actions
Copy link
 #11

Updated by Chris Linstruth about 9 hours ago

OK. It looks like it is combining the RFC2307 query and the extended query into something that cannot match when both extended query and RFC2307 groups are enabled. This is after the initial DN search and bind as the authenticating user. In other words, during the extended query. Since this must return success for the extended query to work, it always fails.

Filter: (&(member=uid=cjl,cn=users,cn=accounts,dc=example,dc=com)(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com))

The extended query is set to memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com and member is the RFC2307 group attribute that is in the posixGroup entries. Both of those filters will never match a posixUser entry.

I believe it should initially filter on (&(DN_RETURNED_BY_INITIAL_SEARCH)(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com))

Then it should move on to processing the RFC2307 group memberships.

Actions
Copy link
 #12

Updated by Chris Linstruth about 8 hours ago

(&(DN_RETURNED_BY_INITIAL_SEARCH)(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com))

That doesn't work. The DN doesn't match.

This works: (&(uid=cjl)(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com))

I don't know if that's too broad - possibly including other entries.

Uncle Internet says to do this to limit the search to one DN:

ldapsearch -x -D 'uid=binduser,cn=sysaccounts,cn=etc,dc=example,dc=com' -b 'uid=cjl,cn=users,cn=accounts,dc=example,dc=com' -s base -W '(memberOf=cn=nextcloud,cn=groups,cn=accounts,dc=example,dc=com)'

Actions
Copy link

Also available in: Atom PDF