MarcJHuber / event-driven-servers

A collection of event-driven servers (currently: tac_plus, tac_plus-ng, ftpd, tcprelay)
https://www.pro-bono-publico.de/projects
Other
100 stars 25 forks

FLAG_USE_MEMBEROF is being ignored #44

Closed achurak closed 1 year ago

achurak commented 1 year ago

Hello,

I've been trying to make tac_plus-ng work with openldap for a while now but all my attempts to use group membership to assign user profiles have failed so far. We have memberof overlay enabled on the ldap side and I can see my groups membership returned when I run ldapsearch while requesting memberof attribute specifically or all attributes (+), however I'm not able to use memberof conditions in the rulesets and tactrace.pl doesn't show any groups being returned/used:

192.168.1.1 looking for user achurak in MAVIS backend
192.168.1.1 user found by MAVIS backend, av pairs:
  USER                achurak
  DN                  uid=achurak,ou=users,dc=example,dc=com
  IPADDR              1.2.3.4
  SERVERIP            192.168.1.1
  REALM               default
  IDENTITY_SOURCE     1
192.168.1.1 ACL from-localhost: no match
192.168.1.1 achurak@1.2.3.4: ACL from-localhost: <unknown> (profile: n/a)
192.168.1.1 achurak@192.168.1.1: svcname=shell protocol= denied

My config looks like this:

mavis module = groups {
    resolve gids = yes
    resolve gid = yes
    groups filter = /^(netadmins|guest|readonly|netops|devops)$/
    memberof filter = /^CN=tacacs_/ # use this as a prefix
}

mavis module = external {
    setenv LDAP_SERVER_TYPE = "generic"
    setenv LDAP_HOSTS = "x.x.x.x:389 x.x.x.x:389"
    setenv LDAP_BASE = "dc=example,dc=com"
    setenv LDAP_SCOPE = sub
    setenv LDAP_USER = "cn=user,dc=example,dc=com"
    setenv LDAP_PASSWD = "secret"
    setenv FLAG_USE_MEMBEROF = 1
    setenv LDAP_FILTER = "(uid=%s)"
    setenv TACACS_GROUP_PREFIX = "tacacs_"
    setenv USE_TLS = 1
    exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}

user backend = mavis
login backend = mavis
pap backend = mavis

profile readwrite {
    script {
        if (service == shell) {
            if (cmd == "") {
                set priv-lvl = 15
                permit
            }
        }
    }
}

group netadmins

ruleset {
    rule from-localhost {
        enabled = yes
        script {
            if (memberof =~ /^cn=tacacs_netadmins,/) {
                profile = readwrite
                permit
            }
        }
    }
}

What am I doing wrong? Most examples and documentation show MS AD as a MAVIS backend, so there's not a lot of information available around openldap integration unfortunately.

MarcJHuber commented 1 year ago

Hi,

does

printf "0 TACPLUS\n4 achurak\n49 INFO\n=\n" | env \
        LDAP_SERVER_TYPE="generic" \
        LDAP_HOSTS="x.x.x.x:389 x.x.x.x:389" \
        LDAP_BASE="dc=example,dc=com" \
        LDAP_USER="cn=user,dc=example,dc=com" \
        LDAP_PASSWD="secret" \
        FLAG_USE_MEMBEROF=1 \
        TACACS_GROUP_PREFIX="tacacs_" \
        USE_TLS=1 \
        /usr/local/lib/mavis/mavis_tacplus_ldap.pl

display the memberOf DNs (attribute id: 1)?

Cheers,

Marc

achurak commented 1 year ago

Doesn't look like it:

0 TACPLUS
4 achurak
5 uid=achurak,ou=users,dc=example,dc=com
6 ACK
49 INFO
=0

But when I run ldapsearch I do see my group membership:

# ldapsearch -x -H ldap://x.x.x.x -ZZ -b "dc=example,dc=com" -D 'cn=user,dc=example,dc=com' -W uid=achurak memberof

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=achurak
# requesting: memberof 
#

# achurak, users, example.com
dn: uid=achurak,ou=users,dc=example,dc=com
memberOf: cn=netadmins,ou=groups,dc=example,dc=com

# search result
search: 3
result: 0 Success

MarcJHuber commented 1 year ago

Hi Alexey,

your "netadmins" group doesn't match your TACACS_GROUP_PREFIX. Please try

setenv TACACS_GROUP_PREFIX = ""

Cheers,

Marc

achurak commented 1 year ago

It worked! Thanks so much, Marc!

I didn't realize it was a mandatory parameter and had to be set to "" even if there's no prefix at all. I tried with it being unset and it didn't work either.
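To make the cause of this thread concrete, here is an added example (not code from the event-driven-servers project or from mavis_tacplus_ldap.pl) that models the two pieces that interact here: the memberOf DNs returned by ldapsearch, and a prefix check on the group CN before the DNs are emitted as MAVIS attribute 1. The attribute ids 0, 4, 5, 6, 49 and the "=" terminator are taken from the exchange quoted above; id 1 for memberOf is Marc's statement. How the real script matches TACACS_GROUP_PREFIX and how it packs several DNs into the reply are assumptions in this model (CN prefix match, one line per DN), not documented behaviour.

```python
"""Model of the memberOf / TACACS_GROUP_PREFIX interaction from this issue.

Added example, not project code. Assumptions: the prefix is compared
against the CN of each memberOf DN, and each kept DN is emitted as its
own "1 <dn>" line in the MAVIS reply.
"""
import re

# Constructed LDIF entry, mirroring the ldapsearch output in the thread.
USER_LDIF = """dn: uid=achurak,ou=users,dc=example,dc=com
memberOf: cn=netadmins,ou=groups,dc=example,dc=com
"""
USER_DN = "uid=achurak,ou=users,dc=example,dc=com"


def memberof_from_ldif(ldif):
    """Collect the memberOf values of a single LDIF entry (attribute name is case-insensitive)."""
    return [line.split(":", 1)[1].strip()
            for line in ldif.splitlines()
            if line.lower().startswith("memberof:")]


def group_cn(dn):
    """Return the value of a leading cn= RDN, or None if the DN does not start with one."""
    m = re.match(r"\s*cn=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None


def filter_groups(dns, prefix):
    """Assumption: keep a group DN only if its CN starts with TACACS_GROUP_PREFIX.

    With prefix "tacacs_" the CN "netadmins" is dropped, which is why
    no attribute 1 appeared in the reply; with prefix "" everything passes.
    """
    kept = []
    for dn in dns:
        cn = group_cn(dn)
        if cn is not None and cn.startswith(prefix):
            kept.append(dn)
    return kept


def groups_for(ldif, prefix):
    """End-to-end: LDIF entry -> memberOf DNs -> DNs surviving the prefix check."""
    return filter_groups(memberof_from_ldif(ldif), prefix)


def mavis_response(user, dn, groups):
    """Serialize a reply in the 'id value' line format shown in the thread.

    Ids 0/4/5/6/49 and the '=<code>' terminator come from the quoted output;
    emitting one '1 <dn>' line per group is an assumption of this model.
    """
    lines = ["0 TACPLUS", "4 " + user, "5 " + dn]
    lines += ["1 " + g for g in groups]
    lines += ["6 ACK", "49 INFO", "=0"]
    return "\n".join(lines) + "\n"


def parse_mavis(text):
    """Parse 'id value' lines into {id: [values]}, stopping at the '=' terminator."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("="):
            break
        ident, _, value = line.partition(" ")
        attrs.setdefault(int(ident), []).append(value)
    return attrs


if __name__ == "__main__":
    for prefix in ("tacacs_", ""):
        groups = groups_for(USER_LDIF, prefix)
        print("TACACS_GROUP_PREFIX=%r -> %s" % (prefix, groups))
        print(mavis_response("achurak", USER_DN, groups))
```

Running it prints an empty group list and a reply without any attribute 1 for the "tacacs_" prefix, and the full netadmins DN for the empty prefix; the same check explains why a rule matching on `memberof` sees nothing until the prefix agrees with the group names actually stored in the directory.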