LDAP module unable to resolve a memberOf attribute
Martin Gignac
2018-11-17 01:11:03 UTC
Hi,

I'm currently in the process of integrating FreeRADIUS with 802.1x
(EAP-TTLS/PAP) and FreeIPA (LDAP). If I don't perform group membership
checking, credential verification is working just fine. But when I try to
validate membership of a user to an LDAP group it's failing during the
check of the "groupOf" attribute. The user I am testing
(*"uid=rolo,cn=users,cn=accounts,dc=example,dc=org"*) is a member of many
groups (*"cn=XXXX,cn=groups,cn=accounts,dc=example,dc=org"*) in FreeIPA,
and also has admin rights to the server, so it has many entries in the
style *"cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org"* (for example).

As FreeRADIUS goes down the list of groups to resolve the DN to a group
name for comparison it seems to hit a wall with the second entry in the
list. I'm thinking it could be because of the space in the first CN portion.
It then returns the message *"ERROR: Group DN "cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to
an object"*.

(0) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(0) post-auth {
(0) if (LDAP-Group == "aaa-admins") {
(0) Searching for user in group "aaa-admins"
rlm_ldap (ldap): Reserved connection (2)
(0) Using user DN from request "uid=rolo,cn=users,cn=accounts,dc=example,dc=org"
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "uid=rolo,cn=users,cn=accounts,dc=example,dc=org", scope "base"
(0) Waiting for search result...
(0) Processing memberOf value "cn=admins,cn=groups,cn=accounts,dc=example,dc=org" as a DN
(0) Resolving group DN "cn=admins,cn=groups,cn=accounts,dc=example,dc=org" to group name
(0) Performing unfiltered search in "cn=admins,cn=groups,cn=accounts,dc=example,dc=org", scope "base"
(0) Waiting for search result...
(0) Group DN "cn=admins,cn=groups,cn=accounts,dc=example,dc=org" resolves to name "admins"
(0) Processing memberOf value "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org" as a DN
(0) Resolving group DN "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org" to group name
(0) Performing unfiltered search in "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org", scope "base"
(0) Waiting for search result...
(0) Search returned no results
(0) ERROR: Group DN "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=org" did not resolve to an object
rlm_ldap (ldap): Released connection (2)

Using a standard 'ldapsearch' on the command line I *am* able to retrieve
the *"cn=Replication
Administrators,cn=privileges,cn=pbac,dc=example,dc=org"* object
successfully, so I'm not sure why it said it does not resolve to an object.

I tried taking a look at src/modules/rlm_ldap/groups.c and
src/modules/rlm_ldap/ldap.c but, not being a C programmer, I got lost
fairly quickly.

Is it the space that's causing the error (that's all I can see)?

Thanks,
-Martin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/user
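The log above shows the sequence rlm_ldap follows for a memberOf-based group check: take each memberOf value from the user object, run an unfiltered base-scope search at that DN, and read the group name from the object it finds. The following is an added example, not code from the thread or from FreeRADIUS, that models that sequence against a constructed in-memory directory so it runs offline. It parses DNs per RFC 4514 (a space inside an RDN value such as "Replication Administrators" is an ordinary character; only an unescaped comma separates RDNs), and it reproduces both outcomes from the post: a directory in which every memberOf DN resolves, and one in which the privilege object is missing, which produces the same "did not resolve to an object" failure. Assumptions: the group name is read from the object's cn (FreeRADIUS's groupobj_name_attr default), an unresolvable DN aborts the check rather than being skipped, and the directory contents and DNs are constructed for the example.

```python
"""Added example (not from the thread or FreeRADIUS): a model of rlm_ldap's
memberOf-to-group-name resolution, run against a constructed directory."""
from typing import Dict, List, Optional, Tuple

HEX = "0123456789abcdefABCDEF"
Entry = Dict[str, List[str]]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs honouring RFC 4514 escapes.
    Spaces inside a value are kept; only an unescaped comma ends an RDN."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr: Optional[str] = None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in HEX for h in pair):
                buf.append(chr(int(pair, 16)))  # \2C style hex escape
                i += 3
            else:
                buf.append(dn[i + 1])  # \, \+ \" and similar single escapes
                i += 2
            continue
        if attr is None and c == "=":
            attr = "".join(buf).strip()
            buf = []
        elif attr is not None and c == ",":
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def dn_key(dn: str) -> str:
    """Canonical key for the directory: attribute types and values compared
    case-insensitively, as a server does for cn/uid/dc, whitespace trimmed."""
    return ",".join(f"{a.lower()}={v.casefold()}" for a, v in parse_dn(dn))


def base_search(directory: Dict[str, Entry], dn: str) -> Optional[Entry]:
    """Model of an unfiltered base-scope search: the object at exactly this DN."""
    return directory.get(dn_key(dn))


def resolve_member_of(directory: Dict[str, Entry],
                      user_dn: str) -> Tuple[List[str], Optional[str]]:
    """Resolve each memberOf DN on the user to a group name (its cn).
    Returns (names resolved so far, DN that failed or None)."""
    user = base_search(directory, user_dn)
    if user is None:
        return [], user_dn
    names: List[str] = []
    for group_dn in user.get("memberOf", []):
        obj = base_search(directory, group_dn)
        if obj is None or not obj.get("cn"):
            return names, group_dn  # "Group DN ... did not resolve to an object"
        names.append(obj["cn"][0])
    return names, None


def user_in_group(directory: Dict[str, Entry], user_dn: str, group: str) -> bool:
    """The LDAP-Group comparison: an unresolvable DN fails the check outright
    (assumption modelled on the log), it never silently passes."""
    names, failing = resolve_member_of(directory, user_dn)
    return failing is None and group in names


# Constructed directory mirroring the DNs quoted in the post.
BASE = "dc=example,dc=org"
USER_DN = f"uid=rolo,cn=users,cn=accounts,{BASE}"
ADMINS_DN = f"cn=admins,cn=groups,cn=accounts,{BASE}"
REPL_DN = f"cn=Replication Administrators,cn=privileges,cn=pbac,{BASE}"
AAA_DN = f"cn=aaa-admins,cn=groups,cn=accounts,{BASE}"

FULL_DIRECTORY: Dict[str, Entry] = {
    dn_key(USER_DN): {"uid": ["rolo"], "memberOf": [ADMINS_DN, REPL_DN, AAA_DN]},
    dn_key(ADMINS_DN): {"cn": ["admins"]},
    dn_key(REPL_DN): {"cn": ["Replication Administrators"]},
    dn_key(AAA_DN): {"cn": ["aaa-admins"]},
}
# Same directory with the privilege object absent: reproduces the log's error.
BROKEN_DIRECTORY: Dict[str, Entry] = {
    k: v for k, v in FULL_DIRECTORY.items() if k != dn_key(REPL_DN)
}

if __name__ == "__main__":
    for label, d in (("full", FULL_DIRECTORY), ("broken", BROKEN_DIRECTORY)):
        names, failing = resolve_member_of(d, USER_DN)
        print(label, "resolved:", names)
        if failing:
            print(label, f'ERROR: Group DN "{failing}" did not resolve to an object')
        print(label, "aaa-admins member:", user_in_group(d, USER_DN, "aaa-admins"))
```

Running it shows that the space in "Replication Administrators" is handled like any other character: against the full directory every DN resolves and the aaa-admins check passes; against the directory missing the pbac object the walk stops at exactly that DN with the same error text as the post, and the check fails closed. When a live rlm_ldap run reports this error for a DN that ldapsearch can retrieve, the useful comparison is therefore the bind identity and search base the module is using versus the ones ldapsearch was given, not the characters in the DN.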
Martin Gignac
2018-11-18 13:25:04 UTC
*sigh*, investigating the issue further I realized this was due to a stupid
mistake on my part.

Sorry for the noise,
-Martin