rlm_ldap fails but ldapsearch works

Victor vik_viktor at yahoo.com
Sun Aug 2 22:03:33 CEST 2020


Hello Uwe,

The attribute is not set, but it's the default. Anyway, I tried with name_attribute = cn; the result is the same.

cn is the identifier of the group and its members are listed with "member: uid=":
# ipausers, groups, accounts, xxxx.local
dn: cn=ipausers,cn=groups,cn=accounts,dc=xxxx,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb53e
member: uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local
...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The filter is: (&(cn=ipausers)(member=uid\3dbaseuser\2ccn\3dusers\2ccn\3daccounts\2cdc\3dxxxx\2cdc\3dlocal))

Victor
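
As an added example (not code from this thread or from FreeRADIUS), the two filter spellings above compared in Python: an RFC 4515 escaper and unescaper showing that the ldapsearch form with `\3d`/`\2c` escapes and the plain-DN form Wireshark shows in the rlm_ldap searchRequest carry the same assertion value on the wire, and that the same escaping neutralises filter metacharacters (`*`, `(`, `)`) when a DN or user name comes from an untrusted source. The group name and member DN are taken from the post; the function names are my own.

```python
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
_MUST_ESCAPE = frozenset("*()\\\x00")
_HEX_PAIR = re.compile(r"\\([0-9A-Fa-f]{2})")

def escape_filter_value(value: str, also: frozenset = frozenset()) -> str:
    """Escape an assertion value as \\XX hex pairs (RFC 4515); `also` adds
    optional characters, such as '=' and ',' in the ldapsearch filter above."""
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE or ch in also:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def unescape_filter_value(value: str) -> str:
    """Resolve \\XX pairs to the octets actually sent in the SearchRequest,
    which is the form a decoder such as Wireshark prints."""
    raw = bytearray()
    i = 0
    while i < len(value):
        m = _HEX_PAIR.match(value, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")

def group_member_filter(group_cn: str, member_dn: str,
                        escape_dn_punct: bool = False) -> str:
    """Build (&(cn=<group>)(member=<dn>)) with both values escaped."""
    extra = frozenset("=,") if escape_dn_punct else frozenset()
    return (f"(&(cn={escape_filter_value(group_cn)})"
            f"(member={escape_filter_value(member_dn, extra)}))")

# Constructed from the thread: the member DN and group the post checks.
MEMBER_DN = "uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local"

if __name__ == "__main__":
    ldapsearch_style = group_member_filter("ipausers", MEMBER_DN, True)
    rlm_ldap_style = group_member_filter("ipausers", MEMBER_DN)
    print(ldapsearch_style)
    # Both spellings carry the same assertion value on the wire.
    print(unescape_filter_value(ldapsearch_style) == rlm_ldap_style)
```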

On Sunday, August 2, 2020, 04:01:59 PM UTC, <uj2.hahn at posteo.de> wrote:

Victor,
did you set name_attribute = cn (or ou) in the ldap module correctly?

Regards
Uwe


On 02.08.2020 16:47, Victor via Freeradius-Users wrote:
> Hello Alan,
>
> Well, from the Wireshark LDAP protocol decode:
>
> -the answer to rlm_ldap:
>
> Lightweight Directory Access Protocol
>      LDAPMessage searchResDone(6) success [2 results]
>          messageID: 6
>          protocolOp: searchResDone (5)
>              searchResDone
>                  resultCode: success (0)
>                  matchedDN:
>                  errorMessage:
>          [Response To: 16]
>          [Time: 0.000694000 seconds]
>
> -the answer to ldapsearch:
>
> Lightweight Directory Access Protocol
>      LDAPMessage searchResEntry(2) "cn=ipausers,cn=groups,cn=accounts,dc=xxxx,dc=local" [1 result]
>          messageID: 2
>          protocolOp: searchResEntry (4)
>              searchResEntry
>                  objectName: cn=ipausers,cn=groups,cn=accounts,dc=xxxx,dc=local
>                  attributes: 5 items
>                      PartialAttributeList item objectClass
>                          type: objectClass
>                          vals: 5 items
>                              AttributeValue: top
>                              AttributeValue: groupofnames
>                              AttributeValue: nestedgroup
>                              AttributeValue: ipausergroup
>                              AttributeValue: ipaobject
>                      PartialAttributeList item description
>                          type: description
>                          vals: 1 item
>                              AttributeValue: Default group for all users
>                      PartialAttributeList item cn
>                          type: cn
>                          vals: 1 item
>                              AttributeValue: ipausers
>                      PartialAttributeList item ipaUniqueID
>                          type: ipaUniqueID
>                          vals: 1 item
>                              AttributeValue: c862bf44-d36b-11ea-84a9-3ed34312a8ce
>                      PartialAttributeList item member
>                          type: member
>                          vals: 1 item
>                              AttributeValue: uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local
>          [Response To: 8]
>          [Time: 0.001658000 seconds]
> Lightweight Directory Access Protocol
>      LDAPMessage searchResDone(2) success [1 result]
>          messageID: 2
>          protocolOp: searchResDone (5)
>              searchResDone
>                  resultCode: success (0)
>                  matchedDN:
>                  errorMessage:
>          [Response To: 8]
>          [Time: 0.001658000 seconds]
>
>
> rlm_ldap clearly doesn't get the same answer to almost the same request (timeLimit differs):
>
> -from rlm_ldap:
> Lightweight Directory Access Protocol
>      LDAPMessage searchRequest(6) "dc=xxxx,dc=local" wholeSubtree
>          messageID: 6
>          protocolOp: searchRequest (3)
>              searchRequest
>                  baseObject: dc=xxxx,dc=local
>                  scope: wholeSubtree (2)
>                  derefAliases: neverDerefAliases (0)
>                  sizeLimit: 0
>                  timeLimit: 10
>                  typesOnly: False
>                  Filter: (&(cn=ipausers)(member=uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local))
>                  attributes: 0 items
>          [Response In: 17]
>
> -from ldapsearch:
>
> Lightweight Directory Access Protocol
>      LDAPMessage searchRequest(2) "dc=xxxx,dc=local" wholeSubtree
>          messageID: 2
>          protocolOp: searchRequest (3)
>              searchRequest
>                  baseObject: dc=xxxx,dc=local
>                  scope: wholeSubtree (2)
>                  derefAliases: neverDerefAliases (0)
>                  sizeLimit: 0
>                  timeLimit: 0
>                  typesOnly: False
>                  Filter: (&(cn=ipausers)(member=uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local))
>                  attributes: 0 items
>          [Response In: 9]
>
> The bind user is the same:
>
> Lightweight Directory Access Protocol
>      LDAPMessage bindRequest(4) "uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local" simple
>          messageID: 4
>          protocolOp: bindRequest (0)
>              bindRequest
>          [Response In: 14]
>
>
> Thanks again
>
> On Saturday, August 1, 2020, 01:57:40 PM UTC, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jul 29, 2020, at 12:24 PM, Victor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> Hello,
>>
>> I'm trying to check whether a user belongs to a group or not:
>> ...
>> but
>>
>> ldapsearch  -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
>    See mods-available/ldap in recent releases.  It has detailed instructions for how to turn the FreeRADIUS configuration items into ldapsearch arguments.
>
>    There's no real magic here.  If FR returns different data than ldapsearch, then the only cause is that the searches are different.  i.e. search string, name/password used to search, etc.
>
>    Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
