Bug #6825: LDAP RFC2307 bug in 2.3.2
Status: Closed
Description
Hello,
Seems there is still a bug with the RFC2307 standard in 2.3.2's LDAP config.
I set up the LDAP configuration and it doesn't accept to search within the group with the memberUid on one of my firewalls running 2.3.2.
Here is what I see on my LDAP server after I test LDAP with the initial config in the attached picture.
conn=3804 op=2 SRCH base="cn=groups,cn=compat,dc=grenadine,dc=juicy" scope=2 filter="(&(uid=dave)(cn=grenadineadmins))" attrs=ALL
I tried variants but it always adds the uid instead of the memberUid.
SRCH base="cn=groups,cn=compat,dc=grenadine,dc=juicy" scope=2 filter="(&(uid=dave)(&(objectClass=posixGroup)(cn=grenadineadmins*)))" attrs=ALL
When I go back to the config and remove the extended query, here is the query that is successful.
conn=3809 op=1 SRCH base="cn=users,cn=accounts,dc=grenadine,dc=juicy" scope=2 filter="(uid=dave)" attrs=ALL
I wish pfSense's query would look more like so... This is the query Graylog does. I have attached its query.
conn=4405 op=1 SRCH base="cn=users,cn=accounts,dc=grenadine,dc=juicy" scope=2 filter="(&(objectClass=inetOrgPerson)(uid=dave))" attrs="cn * distinguishedName uid userprincipalname mail mail memberOf ismemberof aci"
Seems pfSense doesn't use the RFC2307 checkbox.
Updated by dave hache over 8 years ago
Correction on the query...
ldapsearch -h prodipa-mtl03 -b "cn=groups,cn=compat,dc=grenadine,dc=juicy" -x '(&(cn=grenadineadmins)(memberuid=dave))'
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=grenadine,dc=juicy> with scope subtree
# filter: (&(cn=grenadineadmins)(memberuid=dave))
# requesting: ALL
#

# grenadineadmins, groups, compat, grenadine.juicy
dn: cn=grenadineadmins,cn=groups,cn=compat,dc=grenadine,dc=juicy
gidNumber: 524400003
memberUid: dave
memberUid: balen
memberUid: phil
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
ipaAnchorUUID:: OklQQTpncmVuYWRpbmUuanVpY3k6NGFlNTM2OTYtODRjOC0xMWU2LThmNTQtMD
 AwYzI5MzFlNTY5
cn: grenadineadmins

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
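As an added example (not code from this ticket or from pfSense), the following Python builds the two filter shapes that appear in the report, escaping the user-supplied values per RFC 4515 so a user name cannot alter the filter, and parses the LDIF entry from the ldapsearch output above to confirm which uids the posixGroup actually lists as memberUid. The function names `membership_filter`, `parse_ldif` and `user_in_group` are chosen here; the group values are the ones from the page.

```python
import base64
import re

# RFC 4515 escapes for values interpolated into a filter; without them a user name
# like "dave)(uid=*" would change the filter's meaning (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def membership_filter(user: str, group: str, rfc2307: bool) -> str:
    """True: match memberUid inside the posixGroup (the reporter's ldapsearch shape).
    False: the shape in the server log, which needs uid and cn on one entry."""
    u, g = escape_filter_value(user), escape_filter_value(group)
    return f"(&(cn={g})(memberUid={u}))" if rfc2307 else f"(&(uid={u})(cn={g}))"

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines, skips '#' comments, decodes
    '::' base64 values; one {attr_lowercase: [values]} dict per blank-line block."""
    entries, entry = [], {}
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    for line in unfolded.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def user_in_group(ldif_text: str, group_cn: str, uid: str) -> bool:
    """True if a posixGroup entry with cn=group_cn lists uid as a memberUid."""
    for e in parse_ldif(ldif_text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "dn" in e and group_cn in e.get("cn", []) and "posixgroup" in classes:
            return uid in e.get("memberuid", [])
    return False

# Group entry as returned by the reporter's ldapsearch above (values from the page).
GROUP_LDIF = """dn: cn=grenadineadmins,cn=groups,cn=compat,dc=grenadine,dc=juicy
memberUid: dave
memberUid: phil
objectClass: posixGroup
ipaAnchorUUID:: OklQQTpncmVuYWRpbmUuanVpY3k6NGFlNTM2OTYtODRjOC0xMWU2LThmNTQtMD
 AwYzI5MzFlNTY5
cn: grenadineadmins
"""
```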
Updated by Jim Pingle over 8 years ago
- Status changed from New to Rejected
- Target version deleted (2.3.2-p1)
Please start a thread on the forum for discussion until a definite bug is identified. It's more likely there is some option not configured correctly or some incompatibility with your LDAP schema.
RFC 2307 support does work for me against OpenLDAP, it locates groups correctly and I've not had a problem with it on 2.3.x here.