MarcJHuber / event-driven-servers

A collection of event-driven servers (currently: tac_plus, tac_plus-ng, ftpd, tcprelay)
https://www.pro-bono-publico.de/projects

tac_plus-ng external-mt using libmavis-mt, doesn't fall through to fallback accounts when LDAP unavailable #98

Closed sanjmonkey closed 3 months ago

sanjmonkey commented 3 months ago

Hi Marc!

I have a working tac_plus-ng mavis external configuration using mavis_tacplus-ng_ldap.pl and am looking to migrate to external-mt using libmavis-mt to test for any performance gains, and also to support non-blocking on slow-to-respond backends such as 2fa. However, I've noticed the fallback behaviour doesn't seem to work when using external-mt / libmavis-mt. Here's a snip of config:

Example snip of working with external:

id = tac_plus-ng {
    authentication fallback = permit

    mavis module external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        ... (other LDAP options) ...
        exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
    }

    group fallbackgroup
    user fallbackuser {
        fallback-only
        password login = crypt XXX
        member fallbackgroup
    }

Debug output for an authentication request for the fallbackuser when LDAP not available shows:

  looking for user fallbackuser in MAVIS backend
  Entering emergency mode
  result for user fallbackuser is ERR
  looking for user fallbackuser realm default
  user lookup succeded

And everything is fine...

Example snip of not working fallback with external-mt:

id = tac_plus-ng {
    authentication fallback = permit

    mavis module external-mt {
        ... (LDAP options) ...
        exec = /usr/local/sbin/libmavis-mt
    }

    group fallbackgroup
    user fallbackuser {
        fallback-only
        password login = crypt XXX
        member fallbackgroup
    }

Debug output for an authentication request for the fallbackuser when LDAP not available shows:

  looking for user fallbackuser in MAVIS backend
  result for user fallbackuser is NFD
  looking for user fallbackuser realm default
  user lookup failed

And we don't get our fallbackuser logged in.

I haven't checked other parts of libmavis-mt in much depth yet, but just a guess, could this be a hangup of not implementing TAC_PLUS_AUTHEN_STATUS_ERROR in libmavis-mt, as mentioned in https://github.com/MarcJHuber/event-driven-servers/issues/71 ?

Love the projects! ❤️

Cheers Sandy
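The status-propagation point in the report above, as an added example that is not code from event-driven-servers or libmavis-mt: a small Python model of the fallback decision, assuming the three backend results named in the debug output (ACK, NFD, ERR), that only ERR enters emergency mode and makes fallback-only accounts visible, and a constructed LDAP stand-in whose `bug` flag reproduces an outage being reported as NFD instead of ERR.

```python
"""Model of tac_plus-ng's MAVIS fallback decision (added illustration, not
project code). Backend results are named as in the issue's debug output:
ACK = found, NFD = not found, ERR = backend error (enters 'emergency mode')."""
from dataclasses import dataclass

ACK, NFD, ERR = "ACK", "NFD", "ERR"


@dataclass
class LocalUser:
    password: str
    fallback_only: bool = False


class LdapBackend:
    """Constructed stand-in for the LDAP backend; `reachable` simulates an outage."""

    def __init__(self, users: dict, reachable: bool, bug: bool):
        self.users, self.reachable, self.bug = users, reachable, bug

    def lookup(self, name: str) -> str:
        if not self.reachable:
            # Pre-patch behaviour reported in the issue: an outage is answered
            # with NFD, indistinguishable from "this user does not exist".
            return NFD if self.bug else ERR
        return ACK if name in self.users else NFD


def authenticate(backend, local: dict, name: str, password: str, debug: list) -> bool:
    debug.append(f"looking for user {name} in MAVIS backend")
    status = backend.lookup(name)
    emergency = status == ERR
    if emergency:
        debug.append("Entering emergency mode")
    debug.append(f"result for user {name} is {status}")
    if status == ACK:
        return backend.users[name] == password
    debug.append(f"looking for user {name} realm default")
    user = local.get(name)
    # A fallback-only account is consulted only in emergency mode. On NFD the
    # backend answered authoritatively, so the local fallback must not apply,
    # otherwise a reachable backend could be bypassed with a local password.
    if user is None or (user.fallback_only and not emergency):
        debug.append("user lookup failed")
        return False
    debug.append("user lookup succeeded")
    return user.password == password
```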

MarcJHuber commented 3 months ago

Hi Sandy,

I hadn't thought of that, thanks for reporting. Could you please check whether ldapmavis.patch fixes that issue? I think that's sufficient to properly propagate the error status back to tac_plus-ng.

Thanks,

Marc

sanjmonkey commented 3 months ago

That patch works perfectly, thanks Marc.

I confirm that now when using ldapmavis-mt and simulating LDAP failure:

Nice!

MarcJHuber commented 3 months ago

Hi Sandy,

thanks for testing! I'll commit that patch.

Cheers,

Marc