rlm_ldap fails but ldapsearch works
Victor
vik_viktor at yahoo.com
Sun Aug 2 16:47:02 CEST 2020
Hello Alan,
Well, from the wireshark LDAP protocol decode:
-the answer to rlm_ldap:
Lightweight Directory Access Protocol
LDAPMessage searchResDone(6) success [2 results]
messageID: 6
protocolOp: searchResDone (5)
searchResDone
resultCode: success (0)
matchedDN:
errorMessage:
[Response To: 16]
[Time: 0.000694000 seconds]
-the answer to ldapsearch:
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(2) "cn=ipausers,cn=groups,cn=accounts,dc=xxxx,dc=local" [1 result]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: cn=ipausers,cn=groups,cn=accounts,dc=xxxx,dc=local
attributes: 5 items
PartialAttributeList item objectClass
type: objectClass
vals: 5 items
AttributeValue: top
AttributeValue: groupofnames
AttributeValue: nestedgroup
AttributeValue: ipausergroup
AttributeValue: ipaobject
PartialAttributeList item description
type: description
vals: 1 item
AttributeValue: Default group for all users
PartialAttributeList item cn
type: cn
vals: 1 item
AttributeValue: ipausers
PartialAttributeList item ipaUniqueID
type: ipaUniqueID
vals: 1 item
AttributeValue: c862bf44-d36b-11ea-84a9-3ed34312a8ce
PartialAttributeList item member
type: member
vals: 1 item
AttributeValue: uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local
[Response To: 8]
[Time: 0.001658000 seconds]
Lightweight Directory Access Protocol
LDAPMessage searchResDone(2) success [1 result]
messageID: 2
protocolOp: searchResDone (5)
searchResDone
resultCode: success (0)
matchedDN:
errorMessage:
[Response To: 8]
[Time: 0.001658000 seconds]
rlm_ldap clearly doesn't get the same answer to an almost identical request (only the timeLimit differs):
-from rlm_ldap:
Lightweight Directory Access Protocol
LDAPMessage searchRequest(6) "dc=xxxx,dc=local" wholeSubtree
messageID: 6
protocolOp: searchRequest (3)
searchRequest
baseObject: dc=xxxx,dc=local
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 0
timeLimit: 10
typesOnly: False
Filter: (&(cn=ipausers)(member=uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local))
attributes: 0 items
[Response In: 17]
-from ldapsearch:
Lightweight Directory Access Protocol
LDAPMessage searchRequest(2) "dc=xxxx,dc=local" wholeSubtree
messageID: 2
protocolOp: searchRequest (3)
searchRequest
baseObject: dc=xxxx,dc=local
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 0
timeLimit: 0
typesOnly: False
Filter: (&(cn=ipausers)(member=uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local))
attributes: 0 items
[Response In: 9]
The bind user is the same:
Lightweight Directory Access Protocol
LDAPMessage bindRequest(4) "uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local" simple
messageID: 4
protocolOp: bindRequest (0)
bindRequest
[Response In: 14]
Thanks again
On Saturday, August 1, 2020, 01:57:40 PM UTC, Alan DeKok <aland at deployingradius.com> wrote:
On Jul 29, 2020, at 12:24 PM, Victor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Hello,
>
> I'm trying to check whether a user belongs to a group or not:
> ...
> but
>
> ldapsearch -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
See mods-available/ldap in recent releases. It has detailed instructions for how to turn the FreeRADIUS configuration items into ldapsearch arguments.
There's no real magic here. If FR returns different data than ldapsearch, then the only cause is that the searches are different. i.e. search string, name/password used to search, etc.
Alan DeKok.
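Alan's advice is to compare the two searches field by field rather than eyeballing them. The script below does that mechanically; it is an added example, not code from the thread or from FreeRADIUS. It embeds the two Wireshark searchRequest decodes and the bindRequest line quoted in the message above, parses the fields that determine what the server returns, unescapes RFC 4515 `\XX` sequences so a filter typed on the ldapsearch command line can be compared with the decoded form, and reports the differences. The function names and the ldapsearch `-D` value used for the bind comparison are assumptions; the decode text is copied from the post.

```python
"""Compare two LDAP searchRequests (Wireshark text decode) field by field.

Added example for the rlm_ldap vs ldapsearch thread; not FreeRADIUS code.
The decode text is copied from the message above. Function names and the
ldapsearch -D value below are assumptions made for the example.
"""
import re

# Wireshark LDAP decode of the rlm_ldap searchRequest, copied from the post.
RLM_LDAP_REQUEST = """\
LDAPMessage searchRequest(6) "dc=xxxx,dc=local" wholeSubtree
messageID: 6
protocolOp: searchRequest (3)
searchRequest
baseObject: dc=xxxx,dc=local
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 0
timeLimit: 10
typesOnly: False
Filter: (&(cn=ipausers)(member=uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local))
attributes: 0 items
[Response In: 17]
"""

# Wireshark LDAP decode of the ldapsearch searchRequest, copied from the post.
LDAPSEARCH_REQUEST = """\
LDAPMessage searchRequest(2) "dc=xxxx,dc=local" wholeSubtree
messageID: 2
protocolOp: searchRequest (3)
searchRequest
baseObject: dc=xxxx,dc=local
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 0
timeLimit: 0
typesOnly: False
Filter: (&(cn=ipausers)(member=uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local))
attributes: 0 items
[Response In: 9]
"""

# bindRequest line of the rlm_ldap session, copied from the post.
RLM_LDAP_BIND = 'LDAPMessage bindRequest(4) "uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local" simple'

# Assumed -D argument of the ldapsearch run (constructed for this example).
LDAPSEARCH_BIND_DN = "uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local"

# Fields that change what the server returns; messageID and the
# [Response In: N] frame references do not, so they are not compared.
SEARCH_FIELDS = ("baseObject", "scope", "derefAliases", "sizeLimit",
                 "timeLimit", "typesOnly", "Filter", "attributes")

_ESCAPE_RUN = re.compile(r"(?:\\[0-9A-Fa-f]{2})+")
_BIND_DN = re.compile(r'bindRequest\(\d+\) "([^"]*)"')


def rfc4515_unescape(value: str) -> str:
    """Turn RFC 4515 \\XX escapes (e.g. \\3d, \\2c) back into characters.
    Consecutive escapes are decoded as one byte run so multi-byte UTF-8
    survives."""
    return _ESCAPE_RUN.sub(
        lambda m: bytes.fromhex(m.group(0).replace("\\", "")).decode("utf-8"),
        value)


def parse_decode(text: str) -> dict:
    """Parse 'name: value' lines of a Wireshark LDAP decode into a dict.
    Bare lines ('searchRequest') and bracketed Wireshark annotations
    ('[Response In: 17]') are skipped; only the first colon splits."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or line.startswith("["):
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def compare_requests(a: dict, b: dict, fields=SEARCH_FIELDS) -> dict:
    """Return {field: (a_value, b_value)} for every field whose normalized
    value differs. Filters are unescaped before comparison."""
    diffs = {}
    for f in fields:
        va, vb = a.get(f), b.get(f)
        if f == "Filter":
            va, vb = rfc4515_unescape(va or ""), rfc4515_unescape(vb or "")
        if va != vb:
            diffs[f] = (va, vb)
    return diffs


def bind_dn(decode_line: str):
    """Extract the quoted DN from a Wireshark bindRequest summary line."""
    m = _BIND_DN.search(decode_line)
    return m.group(1) if m else None


def main() -> None:
    diffs = compare_requests(parse_decode(RLM_LDAP_REQUEST),
                             parse_decode(LDAPSEARCH_REQUEST))
    for f, (va, vb) in diffs.items():
        print(f"{f}: rlm_ldap={va!r} ldapsearch={vb!r}")
    if not diffs:
        print("searchRequests identical in every result-affecting field")
    same_bind = bind_dn(RLM_LDAP_BIND) == LDAPSEARCH_BIND_DN
    print("bind DN identical:", same_bind)


if __name__ == "__main__":
    main()
```

Run against the decodes from the post, the only difference it reports is `timeLimit` (10 vs 0), which matches the observation in the message; a server can return a time-limit error for that, but not an empty success result, so the script supports the point that the searches themselves are the same. The same comparison works on filters copied from an ldapsearch command line (such as the `uid\3d...\2c...` form quoted in the thread), because `rfc4515_unescape` normalizes them before comparing.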