Project

General

Profile

Actions

Bug #13093

open

LDAP authentication fails with extended query and RFC2307 group lookups enabled

Added by Chris Linstruth almost 2 years ago. Updated over 1 year ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

LDAP authentication fails with extended query and RFC2307 group lookups enabled

With Extended Query On and RFC2307 Groups off (Works):

First (Why is it searching that base?):

Base
uid=testuser,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(uid=testuser)
Number of Results
0

Then:

Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(&(uid=testuser)(&(objectClass=inetOrgPerson)(memberOf=cn=vpn,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)))
Number of Results
1

Then:

Bind to:
User testuser authenticated successfully. This user is a member of groups:

With Extended Query off and RFC2307 Groups on, Use DN for username search on (Works):

First:

bind to 
Distinguished Name
uid=testuser,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Successful

Then:

Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(uid=testuser)
Number of Results
1

Then (Yes, it was logged twice):

Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(uid=testuser)
Number of Results
1

Then:

Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(&(objectClass=groupOfNames)(member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com))
Number of Results
3
User testuser authenticated successfully. This user is a member of groups:
Nextcloud
VPN

With Extended Query on and RFC2307 Groups on, Use DN for username search on (Fails):

Base
ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
(&(member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)(&(objectClass=inetOrgPerson)(memberOf=cn=vpn,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)))
Number of Results
0
The following input errors were detected:
Authentication failed.

This looks like it is putting the extended query where it does not belong. It also looks like it is searching for the user as if it was a group with the member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com query but it's also setting an objectClass=inetOrgPerson which is never going to succeed.

To me it should perform the user search with the extended query to get the DN then use that DN to search groupOfNames for the member=

Seems like it should test the bind to authenticate the user before the group search just to save unnecessary lookups if the authentication is just going to fail.

One should be able to use an extended query to limit the users to a specific group and do a query to get the list of groups the user is a member of. That does not look to be possible currently.


Related issues

Related to Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers.ResolvedSteve Powers05/16/2019

Actions
Actions

Also available in: Atom PDF