LDAP group checking stopping before the whole group list is checked

Adam Bishop Adam.Bishop at jisc.ac.uk
Mon Jun 10 14:20:15 CEST 2019


I'm having an issue with ldap group checking where FreeRADIUS appears to bail out early if it encounters a group DN it can't resolve.

The LDAP server (FreeIPA) has a very restrictive set of ACLs; the group which cannot be resolved (Replication Administrators) is not readable by standard accounts. I'd like to avoid messing with the ACLs, or granting FreeRADIUS more privileges if possible.

If I run ldapsearch, the group I'm looking for is definitely in the memberOf list.

Can I get it to continue reading the list of groups if it fails to resolve one, or is this intended (or something I've screwed up in the config)?

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

---

# raddebug
(3)  Debug: Received Access-Request Id 154 from [1:2:3:4:5::6]:55794 to [1:2:3:4:5::7]:1812 length 93
(3)  Debug:   User-Name = "adam"
(3)  Debug:   User-Password = "asdf"
(3)  Debug:   NAS-Identifier = "esw-001"
(3)  Debug:   Calling-Station-Id = "8.8.8.8"
(3)  Debug:   NAS-IPv6-Address = 1:2:3:4:5::6
(3)  Debug: # Executing section authorize from file /etc/raddb/sites-enabled/infrastructure
(3)  Debug:   authorize {
(3)  Debug:     update request {
(3)  Debug:     } # update request = noop
(3)  Debug: ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(3)  Debug: ldap:    --> (uid=adam)
(3)  Debug: ldap: Performing search in "cn=users,cn=accounts,dc=example,dc=org" with filter "(uid=adam)", scope "sub"
(3)  Debug: ldap: Waiting for search result...
(3)  Debug: ldap: User object found at DN "uid=adam,cn=users,cn=accounts,dc=example,dc=org"
(3)  Debug: ldap: Processing user attributes
(3)  Debug:     [ldap] = ok
(3)  Debug:     if ((ok || updated) && User-Password) {
(3)  Debug:     if ((ok || updated) && User-Password)  -> TRUE
(3)  Debug:     if ((ok || updated) && User-Password)  {
(3)  Debug:       update {
(3)  Debug:       } # update = noop
(3)  Debug:     } # if ((ok || updated) && User-Password)  = noop
(3)  Debug:     if (&LDAP-Group[*] == "%{client:ldap_group}") {
(3)  Debug:     EXPAND %{client:ldap_group}
(3)  Debug:        --> switching-admins
(3)  Debug:     Searching for user in group "switching-admins"
(3)  Debug:     Using user DN from request "uid=adam,cn=users,cn=accounts,dc=example,dc=org"
(3)  Debug:     Checking user object's memberOf attributes
(3)  Debug:       Performing unfiltered search in "uid=adam,cn=users,cn=accounts,dc=example,dc=org", scope "base"
(3)  Debug:       Waiting for search result...
(3)  Debug:     Processing memberOf value "cn=servicea-admins,cn=groups,cn=accounts,dc=example,dc=org" as a DN
(3)  Debug:       Resolving group DN "cn=servicea-admins,cn=groups,cn=accounts,dc=example,dc=org" to group name
(3)  Debug:       Performing unfiltered search in "cn=servicea-admins,cn=groups,cn=accounts,dc=example,dc=org", scope "base"
(3)  Debug:       Waiting for search result...
(3)  Debug:       Group DN "cn=servicea-admins,cn=groups,cn=accounts,dc=example,dc=org" resolves to name "servicea-admins"
(3)  Debug:     Processing memberOf value "cn=serviceb-admins,cn=groups,cn=accounts,dc=example,dc=org" as a DN
(3)  Debug:       Resolving group DN "cn=serviceb-admins,cn=groups,cn=accounts,dc=example,dc=org" to group name
(3)  Debug:       Performing unfiltered search in "cn=serviceb-admins,cn=groups,cn=accounts,dc=example,dc=org", scope "base"
(3)  Debug:       Waiting for search result...
(3)  Debug:       Group DN "cn=serviceb-admins,cn=groups,cn=accounts,dc=example,dc=org" resolves to name "serviceb-admins"


<snip 10+ other groups>


(3)  Debug:     Processing memberOf value "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org" as a DN
(3)  Debug:       Resolving group DN "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org" to group name
(3)  Debug:       Performing unfiltered search in "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org", scope "base"
(3)  Debug:       Waiting for search result...
(3)  Debug:       Search returned no results
(3)  ERROR:       Group DN "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to an object
(3)  Debug:     User is not a member of "switching-admins"
(3)  Debug:     if (&LDAP-Group[*] == "%{client:ldap_group}")  -> FALSE
(3)  Debug:     else {
(3)  Debug:       update reply {
(3)  Debug:       } # update reply = noop
(3)  Debug:       [reject] = reject
(3)  Debug:     } # else = reject
(3)  Debug:   } # authorize = reject
(3)  Debug: Using Post-Auth-Type Reject
(3)  Debug: # Executing group from file /etc/raddb/sites-enabled/infrastructure
(3)  Debug:   Post-Auth-Type REJECT {
(3)  Debug: attr_filter.access_reject: EXPAND %{User-Name}
(3)  Debug: attr_filter.access_reject:    --> adam
(3)  Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(3)  Debug:     [attr_filter.access_reject] = updated
(3)  Debug:     [eap] = noop
(3)  Debug: rp_log: EXPAND rp_log.%{%{reply:Packet-Type}:-format}
(3)  Debug: rp_log:    --> rp_log.Access-Reject
(3)  Debug: rp_log: EXPAND radiusd-rp-log#DOMAIN=VIRT#LOCATION=ATL#SERVICE=%{%{Service-Class}:-NONE}#ORG=%{%{request:operator-name}:-%{request:Stripped-User-Domain}}#USER=%{User-Name}#CSI=%{Calling-Station-Id}#NAS=%{Called-Station-Id}#CUI=%{reply:Chargeable-User-Identity}#RESULT=FAIL#VLAN=%{%{reply:Tunnel-Private-Group-ID}:-NONE}#CLIENT=%{client:shortname}#REPLY_MESSAGE=%{%{reply:reply-message}:-NONE}#MODULE_MESSAGE=%{%{%{request:Module-Failure-Message}:-%{session-state:Module-Failure-Message}}:-NONE}#
(3) Mon Jun 10 01:17:34 2019: Debug: rp_log:    --> radiusd-rp-log#DOMAIN=VIRT#LOCATION=ATL#SERVICE=infrastructure#ORG=#USER=adam#CSI=8.8.8.8#NAS=#CUI=#RESULT=FAIL#VLAN=NONE#CLIENT=esw-001.inf#REPLY_MESSAGE=Not Authorised#MODULE_MESSAGE=Group DN "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to an object#
(3)  Debug:     [rp_log] = ok
(3)  Debug:     policy remove_reply_message_if_eap {
(3)  Debug:       if (&reply:EAP-Message && &reply:Reply-Message) {
(3)  Debug:       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)  Debug:       else {
(3)  Debug:         [noop] = noop
(3)  Debug:       } # else = noop
(3)  Debug:     } # policy remove_reply_message_if_eap = noop
(3)  Debug:   } # Post-Auth-Type REJECT = updated
(3)  Debug: Delaying response for 1.000000 seconds
(3)  Debug: Sending delayed response
(3)  Debug: Sent Access-Reject Id 154 from [1:2:3:4:5::7]:1812 to [1:2:3:4:5::6]:55794 length 36
(3)  Debug:   Reply-Message := "Not Authorised"
(3)  Debug: Cleaning up request packet ID 154 with timestamp +1036
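Added here as an illustration, not part of the post above or of FreeRADIUS itself: a small Python model of the memberOf-based group check, contrasting a name-based check (which has to resolve every group DN, so a DN the bind account cannot read aborts it, as in the debug output) with a DN-based check that only compares strings. All directory entries are constructed, and the assumption that rlm_ldap skips the per-group lookup when the comparison value is itself a full DN should be confirmed against the module's own debug output.

```python
# Constructed model of the memberOf-based group check, not FreeRADIUS code.
# A DN missing from READABLE_GROUPS stands for an entry the RADIUS bind
# account is denied by ACL (the FreeIPA privilege in the post).
READABLE_GROUPS = {
    "cn=servicea-admins,cn=groups,cn=accounts,dc=example,dc=org": "servicea-admins",
    "cn=serviceb-admins,cn=groups,cn=accounts,dc=example,dc=org": "serviceb-admins",
    "cn=switching-admins,cn=groups,cn=accounts,dc=example,dc=org": "switching-admins",
}

# Constructed memberOf list; the unreadable DN precedes the wanted group,
# as in the debug output.
USER_MEMBER_OF = [
    "cn=servicea-admins,cn=groups,cn=accounts,dc=example,dc=org",
    "cn=serviceb-admins,cn=groups,cn=accounts,dc=example,dc=org",
    "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org",
    "cn=switching-admins,cn=groups,cn=accounts,dc=example,dc=org",
]

class GroupResolveError(Exception):
    """Simulates 'Group DN ... did not resolve to an object'."""

def resolve_group_name(dn):
    """Base-scope lookup of a group DN; fails where the ACL hides the entry."""
    if dn not in READABLE_GROUPS:
        raise GroupResolveError(f'Group DN "{dn}" did not resolve to an object')
    return READABLE_GROUPS[dn]

def is_member_by_name(member_of, wanted_name, stop_on_error=True):
    """Check by group name: every memberOf DN has to be resolved first."""
    for dn in member_of:
        try:
            if resolve_group_name(dn) == wanted_name:
                return True
        except GroupResolveError:
            if stop_on_error:   # the early bail-out seen in the debug log
                return False
    return False

def normalise_dn(dn):
    """Case-fold and strip spaces around RDN separators (cn uses caseIgnoreMatch)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_member_by_dn(member_of, wanted_dn):
    """Check by group DN: plain comparison, no per-group lookup needed."""
    want = normalise_dn(wanted_dn)
    return any(normalise_dn(dn) == want for dn in member_of)
```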
