LDAP group checking stopping before the whole group list is checked

Alan DeKok aland at deployingradius.com
Mon Jun 10 16:16:35 CEST 2019


On Jun 10, 2019, at 8:20 AM, Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:
> 
> I'm having an issue with ldap group checking where FreeRADIUS appears to bail out early if it encounters a group DN it can't resolve.
> 
> The LDAP server (FreeIPA) has a very restrictive set of ACLs; the group which cannot be resolved (Replication Administrators) is not readable by standard accounts. I'd like to avoid messing with the ACLs, or granting FreeRADIUS more privileges if possible.

  That makes sense.

> If I run ldapsearch, the group I'm looking for is definitely in the memberOf list.

  If you run ldapsearch with the right set of permissions.

> Can I get it to continue reading the list of groups if it fails to resolve one, or is this intended (or something I've screwed up in the config)?

  You'll have to hack the source.

  It's difficult to tell that this error:
 
> ...
> (3)  ERROR:       Group DN "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to an object

  is a permissions error, and not a "database broken" error.

  A *sane* database would check the ACLs, and simply not return that DN as a list of valid group DNs.

  It's not clear how to work around this issue.  We could simply skip that group DN, but doing so may have other side effects.  I'll have to check with Arran on this.

  The preferable solution would be for the DB to not lie to FreeRADIUS. :(

  Alan DeKok.
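A diagnostic for the situation discussed above, added here as an example; it is not part of the thread and not FreeRADIUS code. It binds with the same credentials FreeRADIUS uses, reads a user's memberOf attribute, and then tries a base-scope read of every group DN with those same credentials, so the DNs the server lists but hides from that account show up before rlm_ldap trips over them. The LDAP URI, bind DN, password, base DN and the uid attribute are hypothetical placeholders; the script assumes OpenLDAP's ldapsearch (the -o ldif-wrap=no option keeps long DNs on one line, which matters for names like the one in the error above).

```shell
#!/bin/sh
# Added example, not from the thread or FreeRADIUS. Connection values are
# hypothetical placeholders; override them in the environment.
LDAP_URI="${LDAP_URI:-ldaps://ipa.example.org}"
BIND_DN="${BIND_DN:-uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=org}"
BIND_PW="${BIND_PW:-changeme}"
BASE_DN="${BASE_DN:-dc=example,dc=org}"

# Every query goes through the FreeRADIUS service account, so what we see is
# what rlm_ldap sees. -LLL strips LDIF comments, ldif-wrap=no keeps long DNs
# on one line (assumes OpenLDAP's ldapsearch).
radius_ldap() {
    ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" -D "$BIND_DN" \
        -w "$BIND_PW" "$@"
}

# Print a user's memberOf DNs, one per line, as the bind account sees them.
user_groups() {
    radius_ldap -b "$BASE_DN" -s sub "(uid=$1)" memberOf \
        | sed -n 's/^memberOf: //p'
}

# Read each DN on stdin with a base-scope search. A DN counts as readable only
# if an entry comes back; a clean exit with no entry is exactly the case the
# error above describes (the server names the group in memberOf but the ACL
# hides the object itself). rc is the LDAP result code ldapsearch exits with
# (0 = success, 32 = noSuchObject, 50 = insufficientAccessRights).
check_groups() {
    while IFS= read -r dn; do
        rc=0
        out=$(radius_ldap -b "$dn" -s base '(objectClass=*)' dn 2>/dev/null) \
            || rc=$?
        if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q '^dn: '; then
            echo "readable   $dn"
        else
            echo "unreadable rc=$rc $dn"
        fi
    done
}

# Print the report for one user; succeed only if every group DN is readable.
audit_user() {
    report=$(user_groups "$1" | check_groups)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^unreadable'
}

# Usage: audit_user alice
```

Run it as the FreeRADIUS host would connect (same bind DN, same URI). Any line starting with "unreadable rc=0" is a group the directory advertises in memberOf but will not let this account read; those are the DNs that produce "did not resolve to an object" in the debug output, and the fix belongs on the directory side (an ACL that lets the service account read the entry, or a server that does not list what it will not return), not in FreeRADIUS.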
