search

F5Networks / f5-declarative-onboarding

F5 BIG-IP Declarative Onboarding
Apache License 2.0
58 stars 22 forks source link

Configuring Active Directory ldap-resource creates unneeded lines in nslcd.conf starting with pam_authz_search #250

Open vidarno opened 3 years ago

vidarno commented 3 years ago

Environment

Summary

Configuring AD authentication with DO creates lines starting with pam_authz_search in nslcd.conf that breaks group-membership lookup. Uncommenting these lines manually fixes remote authentication.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:

    "schemaVersion": "1.0.0",
"class": "Device",
"async": true,  
"label": "my BIG-IP declaration for declarative onboarding",
"Common": {
    "class": "Tenant",
    "myAuth": {
        "class": "Authentication",
        "enabledSourceType": "activeDirectory",
        "fallback": false,
        "remoteUsersDefaults": {
            "partitionAccess": "Common",
            "terminalAccess": "disabled",
            "role": "no-access"
        },            
        "ldap": {
            "bindDn": "CN=BigIP-SA,OU=ServiceAccounts,OU=BIG-IP,OU=Services,DC=foo,DC=bar,DC=com",
            "bindPassword": "hunter2",
            "bindTimeout": 30,
            "checkBindPassword": true,
            "checkRemoteRole": true,
            "filter": "(sAMAccountName=*)",
            "groupDn": "groupName",
            "groupMemberAttribute": "member",
            "idleTimeout": 30,
            "ignoreAuthInfoUnavailable": true,
            "ignoreUnknownUser": true,
            "loginAttribute": "sAMAccountName",
            "port": 636,
            "referrals": false,
            "searchScope": "sub",
            "searchBaseDn": "DC=foo,DC=bar,DC=com",
            "searchTimeout": 30,
            "servers": [
                "ad01.foo.bar.com",
                "ad02.foo.bar.com"
            ],
            "ssl": "enabled",                                
            "version": 3
        }
    },
    "Administrators": {
        "class": "RemoteAuthRole",
        "attribute": "memberOF=CN=F5-Admins,OU=Access,OU=Groups,DC=foo,DC=bar,DC=com",
        "console": "tmsh",
        "lineOrder": 1001,
        "role": "admin",
        "remoteAccess": true,
        "userPartition": "all"
    }

}
}

  2. Observe the following error response: After enabling LDAP debug (tmsh modify auth ldap all debug enabled), relevant lines from /var/log/secure

    Jul  9 15:02:58 mybigip.foo.bar.com info nslcd[23473]: nslcd: [3c9869] <authz="testuser"> DEBUG: ldap_simple_bind_s("CN=BigIP-SA,OU=ServiceAccounts,OU=BIG-IP,OU=Services,DC=foo,DC=bar,DC=com","***") (uri="ldaps://ad01.foo.bar.com:636")
Jul  9 15:02:58 mybigip.foo.bar.com info nslcd[23473]: nslcd: [3c9869] <authz="testuser"> DEBUG: set_socket_timeout(30,500000)
Jul  9 15:02:58 mybigip.foo.bar.com info nslcd[23473]: nslcd: [3c9869] <authz="testuser"> DEBUG: ldap_result(): CN=testuser,OU=Personal,OU=Internal,OU=Users,DC=foo,DC=bar,DC=com
Jul  9 15:02:58 mybigip.foo.bar.com info nslcd[23473]: nslcd: [3c9869] <authz="testuser"> DEBUG: trying pam_authz_search "(&(&(sAMAccountName=testuser)((sAMAccountName=*))(|(host=mybigip.foo.bar.com)(host=localhost.localdomain)(host=\*)))"
Jul  9 15:02:58 mybigip.foo.bar.com info nslcd[23473]: nslcd: [3c9869] <authz="testuser"> DEBUG: myldap_search(base="DC=foo,DC=bar,DC=com", filter="(&(&(sAMAccountName=testuser)((sAMAccountName=*))(|(host=mybigip.foo.bar.com)(host=localhost.localdomain)(host=\*)))")
Jul  9 15:02:58 mybigip.foo.bar.com info nslcd[23473]: nslcd: [3c9869] <authz="testuser"> ldap_search_ext() failed: Bad search filter

Expected Behavior

I should be able to login with a user in the specified RemoteAuthRole

Actual Behavior

I am not able to login, before I comment out these lines from /etc/nslcd.conf and restart nslcd service

pam_authz_search (&(&(sAMAccountName=$username)((sAMAccountName=))(|(host=$hostname)(host=$fqdn)(host=\)))

pam_authz_search (&(&(sAMAccountName=$username)((sAMAccountName=*))(member=groupName))

After that is done I am able to login as expected.

dstokesf5 commented 3 years ago

Declarative Onboarding does not directly modify the nslcd.conf file. It uses tmsh to modify auth ldap properties. Do you know what tmsh properties are tied to those lines in the configuration file?

dstokesf5 commented 3 years ago

This issue is being automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

vidarno commented 2 years ago

Sorry for the late reply, this issue is now resolved. By removing the following lines in the Terraform-configuration the lines starting with pam_authz_search were removed from nsld.conf; "checkBindPassword": true,

"filter": "(sAMAccountName=*)", "groupDn": "groupName", "groupMemberAttribute": "member",