LDAP, SASL GSSAPI, and group membership, rebind fails

Tom Carroll Thomas.Carroll at pnnl.gov
Thu Sep 29 21:50:14 CEST 2016


Alan -

On 09/29/2016 12:39 PM, Alan DeKok wrote:
> Fix your LDAP server so that FreeRADIUS is allowed to search it.  Typically this is done by making a read-only admin account in LDAP, and using that with FreeRADIUS.

That doesn't explain it. Why does the server successfully bind and 
search to find the user DN, then fail to bind when searching for group 
DNs? See below.

Re-including freeradius -X output:
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: Searching for user in group "IPMI Admins"
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Reserved connection (0)
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL XLAT
> Thu Sep 29 11:49:54 2016 : Debug: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
> Thu Sep 29 11:49:54 2016 : Debug: Parsed xlat tree:
> Thu Sep 29 11:49:54 2016 : Debug: literal --> (sAMAccountName=
> Thu Sep 29 11:49:54 2016 : Debug: if {
> Thu Sep 29 11:49:54 2016 : Debug: 	attribute --> Stripped-User-Name
> Thu Sep 29 11:49:54 2016 : Debug: }
> Thu Sep 29 11:49:54 2016 : Debug: else {
> Thu Sep 29 11:49:54 2016 : Debug: 	attribute --> User-Name
> Thu Sep 29 11:49:54 2016 : Debug: }
> Thu Sep 29 11:49:54 2016 : Debug: literal --> )
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:    --> (sAMAccountName=johndoe)
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL LITERAL
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: Performing search in "DC=example,DC=lab" with filter "(sAMAccountName=johndoe)", scope "sub"
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: Waiting for search result...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://example.lab/CN=Configuration,DC=cybernet,DC=lab
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL prompt    : Please enter your authorization name
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL result    : RADIUS1$@EXAMPLE.ORG
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  : `???	*?H???????
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  : ????
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech (null)...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  :
> SASL username: RADIUS1$@EXAMPLE.ORG
> SASL SSF: 56
> SASL data security layer installed.
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: User object found at DN "CN=johndoe,CN=Users,DC=example,DC=lab"
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: Checking for user in group objects
> Thu Sep 29 11:49:54 2016 : Debug: (&(cn=IPMI Admins)(objectClass=group)(member=%{control:Ldap-UserDn}))
> Thu Sep 29 11:49:54 2016 : Debug: Parsed xlat tree:
> Thu Sep 29 11:49:54 2016 : Debug: literal --> (&(cn=IPMI Admins)(objectClass=group)(member=
> Thu Sep 29 11:49:54 2016 : Debug: attribute --> LDAP-UserDN
> Thu Sep 29 11:49:54 2016 : Debug: literal --> ))
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   EXPAND (&(cn=IPMI Admins)(objectClass=group)(member=%{control:Ldap-UserDn}))
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:      --> (&(cn=IPMI Admins)(objectClass=group)(member=CN\3djohndoe\2cCN\3dUsers\2cDC\3dexample\2cDC\3dlab))
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   EXPAND TMPL LITERAL
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL challenge : Authorization Name
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL prompt    : Please enter your authorization name
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL result    : RADIUS1$@EXAMPLE.ORG
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL response  : `???	*?H???????
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL response  : ????
> Thu Sep 29 11:49:54 2016 : ERROR: (0) files:   Bind with (anonymous) to ldap://ad1.example.lab:389 failed: Strong(er) authentication required
> Thu Sep 29 11:49:54 2016 : ERROR: (0) files:   Server said: SASL:[GSSAPI]: Sign or Seal are required..
> Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Deleting connection (0)
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap: Closing libldap handle 0xb46810
> Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Need 6 more connections to reach 10 spares
> Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Connecting to ldap://ad1.example.lab:389
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): New libldap handle 0xb46810
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL prompt    : Please enter your authorization name
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL result    : RADIUS1$@EXAMPLE.ORG
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  : `???	*?H???????
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  : ????
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech (null)...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  :
> SASL username: RADIUS1$@EXAMPLE.ORG
> SASL SSF: 56
> SASL data security layer installed.
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: User is not a member of "IPMI Admins"
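
A small triage helper, added here and not part of this thread or of FreeRADIUS itself, that groups rlm_ldap debug lines into individual bind attempts (with any "Rebinding to URL" seen just before each one and the SSF it negotiated) and flags failed binds where the server demanded sign/seal but no SASL security layer was ever installed on that attempt. The sample lines are a constructed, abbreviated copy of the trace quoted above; the line formats assumed are only those visible in it.

```python
import re

# Constructed sample: only the lines the parser keys on, copied in shape from the -X trace above.
SAMPLE_LOG = """\
Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://example.lab/CN=Configuration,DC=cybernet,DC=lab
Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL SSF: 56
Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful
Thu Sep 29 11:49:54 2016 : Debug: (0) files:   Starting SASL mech(s): GSSAPI
Thu Sep 29 11:49:54 2016 : ERROR: (0) files:   Bind with (anonymous) to ldap://ad1.example.lab:389 failed: Strong(er) authentication required
Thu Sep 29 11:49:54 2016 : ERROR: (0) files:   Server said: SASL:[GSSAPI]: Sign or Seal are required..
Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL SSF: 56
Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful
"""

RE_REBIND = re.compile(r"Rebinding to URL (\S+)")
RE_START = re.compile(r"Starting SASL mech\(s\): (\S+)")
RE_SSF = re.compile(r"^SASL SSF: (\d+)")            # libsasl prints this line unprefixed
RE_FAIL = re.compile(r"Bind with \((\w+)\) to (\S+) failed: (.*)$")
RE_SAID = re.compile(r"Server said: (.*)$")

def parse_binds(text):
    """One dict per bind attempt, in trace order: mech, preceding rebind URL, SSF, outcome."""
    binds, rebind, cur = [], None, None
    for line in text.splitlines():
        if m := RE_REBIND.search(line):
            rebind = m.group(1)  # remembered until the next bind attempt starts
        elif m := RE_START.search(line):
            cur = {"mech": m.group(1), "rebind_url": rebind, "ssf": None,
                   "ok": None, "identity": None, "target": None, "reason": ""}
            binds.append(cur)
            rebind = None
        elif cur is None:
            continue
        elif m := RE_SSF.match(line):
            cur["ssf"] = int(m.group(1))  # security layer negotiated on this attempt
        elif "Bind successful" in line:
            cur["ok"], cur = True, None
        elif m := RE_FAIL.search(line):
            cur.update(zip(("identity", "target", "reason"), m.groups()), ok=False)
        elif m := RE_SAID.search(line):
            cur["reason"] += " / " + m.group(1)  # server-side detail for the failure
    return binds

def unprotected_failures(binds):
    """Failed binds where the server required sign/seal but no SSF was negotiated."""
    return [b for b in binds if b["ok"] is False and b["ssf"] is None
            and "Sign or Seal" in b["reason"]]
```

Run over the full trace, the output separates the binds that did install a security layer (SSF 56) from the one reported as anonymous against ad1.example.lab:389, which is where to start when comparing the two search paths.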
