search

glauth / goklp

goklp: Golang OpenSSH Keys Ldap Provider for AuthorizedKeysCommand
Other
12 stars 1 forks source link

Lookup failure if group names match user names #2

Open natefoo opened 4 months ago

natefoo commented 4 months ago

In my case I have a user nate with primaryGroup nate, this results in two results for the (uid=$user) filtered query in goklp:

root@393f69f0-fec9-4a9f-9dc0-74f0da4beafc:~# ldapsearch -x -D uid=bind,cn=bind,dc=example,dc=org -b dc=example,dc=org -w dogood 'uid=nate'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: uid=nate
# requesting: ALL
#

# nate, users, example.org
dn: cn=nate,ou=users,dc=example,dc=org
cn: nate
uid: nate
description: nate
gidNumber: 2048
uniqueMember: uid=nate,cn=nate,ou=users,dc=example,dc=org
memberUid: nate
objectClass: posixGroup
objectClass: top

# nate, nate, users, example.org
dn: uid=nate,cn=nate,ou=users,dc=example,dc=org
uid: nate
uid: nate
givenName: Nate
sn: Coraor
ou: nate
uidNumber: 2048
accountStatus: active
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/zsh
homeDirectory: /home/nate
description: nate
gecos: nate
gidNumber: 2048
memberOf: cn=access,ou=groups,dc=example,dc=org
memberOf: cn=bonus,ou=groups,dc=example,dc=org
memberOf: cn=nate,ou=groups,dc=example,dc=org
shadowExpire: -1
shadowFlag: 134538308
shadowInactive: -1
shadowLastChange: 11000
shadowMax: 99999
shadowMin: -1
shadowWarning: 7
sshPublicKey: ssh-ed25519 AAAA...

# search result
search: 2
result: 0 Success

And thus goklp fails due to multiple results:

root@c80b3172-b6b5-479b-9c5b-aa9967a2b632:/opt/goklp/etc# sudo -u goklp /opt/goklp/etc/goklp nate
2024/06/19 18:31:29 Error in query while looking for keys for nate: Too many results found.
2024/06/19 18:31:29 Successfully found 0 keys for nate

This is related to https://github.com/glauth/glauth/issues/181 and the somewhat unusual duplication of groups into the users OU and DN construction choices.

This is easily worked around with the following additional filter:

diff --git a/goklp.go b/goklp.go
index 60dafd1..2c708c3 100644
--- a/goklp.go
+++ b/goklp.go
@@ -127,7 +127,7 @@ func (o *opts) ldapsearch() ([]string, error) {
        for _, server_url := range o.goklp_ldap_uris {
                q := query{
                        baseDN:     o.goklp_ldap_base_dn,
-                       filter:     fmt.Sprintf("(%s=%s)", o.goklp_ldap_user_attr, o.username),
+                       filter:     fmt.Sprintf("(&(%s=%s)(objectClass=posixAccount))", o.goklp_ldap_user_attr, o.username),
                        Attributes: []string{"sshPublicKey"},
                        user:       o.goklp_ldap_bind_dn,
                        passwd:     o.goklp_ldap_bind_pw,

But I do wonder if it would be a good idea to prevent groups from appearing under the users OU and sort out the DN issues in general.

Fusion commented 4 months ago

Ohhh damn. I am always amazed at, with all the complexities that exist in LDAP and its extensions, the biggest headaches are due to GLAuth attempting to simplify users and groups while remaining correct.

Thanks for bringing this up, though.

natefoo commented 4 months ago

I appreciate GLAuth's goal of simplification, it's why I'm planning to replace my small slapd setup with it! Unfortunately there are so many different client configurations and expectations.