LDAP module unable to resolve a memberOf attribute
Martin Gignac
martin.gignac at gmail.com
Sun Nov 18 14:25:04 CET 2018
*sigh*, investigating the issue further I realized this was due to a stupid
mistake on my part.
Sorry for the noise,
-Martin
On Fri, Nov 16, 2018 at 8:11 PM Martin Gignac <martin.gignac at gmail.com>
wrote:
> Hi,
>
> I'm currently in the process of integrating FreeRADIUS with 802.1x
> (EAP-TTLS/PAP) and FreeIPA (LDAP). If I don't perform group membership
> checking credential verification is working just fine. But when I try to
> validate membership of a user to an LDAP group it's failing during the
> check of the "groupOf" attribute. The user I am testing (
> *"uid=rolo,cn=users,cn=accounts,dc=example,dc=org"*) is a member of many
> groups (*"cn=XXXX,cn=groups,cn=accounts,dc=example,dc=org"*) in FreeIPA,
> and also has admin rights to the server so has many entries in the style *"cn=Replication
> Administrators,cn=privileges,cn=pbac,dc=example,dc=org"* (for example).
>
> As FreeRADIUS goes down the list of groups to resolve the DN to a group
> name for comparison it seems to hit a wall with the second entry in the
> list. I'm thinking it could be because of the space in the first CN portion.
> It then returns the message *"ERROR: Group DN "cn=Replication
> Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to
> an object"*.
>
> (0) # Executing section post-auth from file
> /etc/raddb/sites-enabled/inner-tunnel
> (0) post-auth {
> (0) if (LDAP-Group == "aaa-admins") {
> (0) Searching for user in group "aaa-admins"
> rlm_ldap (ldap): Reserved connection (2)
> (0) Using user DN from request
> "uid=rolo,cn=users,cn=accounts,dc=example,dc=org"
> (0) Checking user object's memberOf attributes
> (0) Performing unfiltered search in
> "uid=rolo,cn=users,cn=accounts,dc=example,dc=org", scope "base"
> (0) Waiting for search result...
> (0) Processing memberOf value
> "cn=admins,cn=groups,cn=accounts,dc=example,dc=org" as a DN
> (0) Resolving group DN
> "cn=admins,cn=groups,cn=accounts,dc=example,dc=org" to group name
> (0) Performing unfiltered search in
> "cn=admins,cn=groups,cn=accounts,dc=example,dc=org", scope "base"
> (0) Waiting for search result...
> (0) Group DN "cn=admins,cn=groups,cn=accounts,dc=example,dc=org"
> resolves to name "admins"
> (0) Processing memberOf value "cn=Replication
> Administrators,cn=privileges,cn=pbac,dc=example,dc=org" as a DN
> (0) Resolving group DN "cn=Replication
> Administrators,cn=privileges,cn=pbac,dc=example,dc=org" to group name
> (0) Performing unfiltered search in "cn=Replication
> Administrators,cn=privileges,cn=pbac,dc=example,dc=org", scope "base"
> (0) Waiting for search result...
> (0) Search returned no results
> (0) ERROR: Group DN "cn=Replication
> Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to
> an object
> rlm_ldap (ldap): Released connection (2)
>
> Using a standard 'ldapsearch' on the command line I *am* able to retrieve
> the *"cn=Replication
> Administrators,cn=privileges,cn=pbac,dc=example,dc=org"* object
> successfully, so I'm not sure why it said it does not resolve to an object.
>
> I tried taking a look at src/modules/rlm_ldap/groups.c and
> src/modules/rlm_ldap/ldap.c but, not being a C programmer, I got lost
> fairly quickly.
>
> Is it the space that's causing the error (that's all I can see)?
>
> Thanks,
> -Martin
>
>
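The memberOf resolution step shown in the quoted debug output, as an added Python example that is not FreeRADIUS or rlm_ldap code: it parses DNs per RFC 4514 (so the space inside "cn=Replication Administrators" is a legal, unescaped value), and keeps only the memberOf values that sit under a group base DN, so that privilege and role entries under cn=pbac are never looked up as groups. The memberOf list and group base are constructed samples, and case-insensitive value comparison is an assumption about the server's matching rules.

```python
# Added example (not FreeRADIUS/rlm_ldap code): RFC 4514 DN parsing, showing that the
# space in "cn=Replication Administrators" is a legal, unescaped value, and filtering
# memberOf values down to real groups under a group base DN before resolving them.
def split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators inside the value."""
    parts, buf, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair intact
            buf += s[i:i + 2]; i += 2; continue
        if s[i] == sep:
            parts.append(buf); buf = ""
        else:
            buf += s[i]
        i += 1
    return parts + [buf]
def unescape(value):
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2c' -> ',' (single-byte hex only)."""
    out, i = "", 0
    while i < len(value):
        h = value[i + 1:i + 3]
        if value[i] == "\\" and len(h) == 2 and set(h) <= set("0123456789abcdefABCDEF"):
            out += chr(int(h, 16)); i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1]; i += 2
        else:
            out += value[i]; i += 1
    return out
def parse_dn(dn):
    """DN -> RDNs, leaf first; each RDN is a sorted list of (lower-cased type, value)."""
    return [sorted((a.strip().lower(), unescape(v.lstrip() if v.endswith("\\ ") else v.strip()))
                   for a, _, v in (ava.partition("=") for ava in split_unescaped(rdn, "+")))
            for rdn in split_unescaped(dn, ",")]
def leaf_cn(dn):
    """The cn of the leaf RDN, i.e. the group name rlm_ldap compares against."""
    return next((v for t, v in parse_dn(dn)[0] if t == "cn"), None)
def dn_under(dn, base):
    """True if dn equals base or lies below it (values compared case-insensitively, an assumption)."""
    d, b = ([[(t, v.lower()) for t, v in r] for r in parse_dn(x)] for x in (dn, base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b
def group_names(member_of, group_base):
    """Leaf cn of each memberOf value under group_base; cn=...,cn=privileges,cn=pbac,... is skipped."""
    return [leaf_cn(dn) for dn in member_of if dn_under(dn, group_base) and leaf_cn(dn)]
# Constructed sample in the shape of the memberOf values quoted in the post.
MEMBER_OF = [
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=org",
    "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org",
    "cn=aaa-admins,cn=groups,cn=accounts,dc=example,dc=org",
    "cn=Ops\\, Team,cn=groups,cn=accounts,dc=example,dc=org",  # escaped comma in value
]
GROUP_BASE = "cn=groups,cn=accounts,dc=example,dc=org"
```

`group_names(MEMBER_OF, GROUP_BASE)` yields `['admins', 'aaa-admins', 'Ops, Team']`: the privilege DN is parsed without trouble but is filtered out before any base-scope search would be issued for it.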