kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

"require group" doesn't work with FreeIPA's 389 LDAP #116

Closed ilf-S closed 8 years ago

ilf-S commented 8 years ago

Hi,

It could very well be that I'm not doing something the right way, but it seems require group does not work with FreeIPA's 389 LDAP schema.

Here is my config:

```nginx
ldap_server ipa1 {
    url "ldap://ipa1.int.domain.removed:389/cn=users,cn=accounts,dc=int,dc=domain,dc=removed?uid?sub?(ObjectClass=*)";
    binddn "cn=Directory Manager";
    binddn_passwd pass_removed;
    connect_timeout 5s;
    bind_timeout 5s;
    request_timeout 5s;
    group_attribute memberOf;
    group_attribute_is_dn off;
    satisfy all;
    require group "cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed";
    require valid_user;
}
```

Here is the log:

```
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Username is "istoyanov"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=0, iteration=0)
2016/01/28 16:37:09 [debug] 17658#0: *3 event timer add: 19: 5000:1453991834271
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: request_timeout=5000
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=1, iteration=0)
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Wants a free connection to "ipa1"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Search filter is "(&(ObjectClass=*)(uid=istoyanov))"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: ldap_search_ext() -> msgid=4
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Waking authentication request "GET /images/springsource.png HTTP/1.1"
2016/01/28 16:37:09 [debug] 17658#0: *3 access phase: 9
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=1, iteration=1)
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=2, iteration=1)
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: User DN is "uid=istoyanov,cn=users,cn=accounts,dc=int,dc=domain,dc=removed"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Moving to group check
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=3, iteration=0)
2016/01/28 16:37:09 [debug] 17658#0: *3 Checking group
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Comparing user group with "cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: ldap_compare_ext() -> msgid=5
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Waking authentication request "GET /images/springsource.png HTTP/1.1"
2016/01/28 16:37:09 [debug] 17658#0: *3 access phase: 9
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=3, iteration=1)
2016/01/28 16:37:09 [debug] 17658#0: *3 Checking group
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=6, iteration=1)
2016/01/28 16:37:09 [debug] 17658#0: *3 event timer del: 19: 1453991834271
2016/01/28 16:37:09 [debug] 17658#0: *3 http finalize request: 401, "/images/springsource.png?" a:1, c:1
2016/01/28 16:37:09 [debug] 17658#0: *3 http special response: 401, "/images/springsource.png?"
2016/01/28 16:37:09 [debug] 17658#0: *3 http set discard body
2016/01/28 16:37:09 [debug] 17658#0: *3 xslt filter header
2016/01/28 16:37:09 [debug] 17658#0: *3 HTTP/1.1 401 Unauthorized
```

I have also tried with `group_attribute_is_dn on;`, with the same result. Right now I have removed the `group_attribute`, `group_attribute_is_dn` and `require group` references from the config and basically modified the url like this:

```
ldap://ipa1.int.domain.removed:389/cn=users,cn=accounts,dc=int,dc=domain,dc=removed?uid?sub?(ObjectClass=*)(memberOf=cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed)
```

and by using just `valid-user` this works. However, this is not a very flexible way of doing things, not to mention I think it will break certain things.

Am I doing something wrong? Bear in mind LDAP is not my strongest suit; I definitely prefer Krb5, but LDAP is more convenient for certain things.
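The workaround in the report moves the group test out of the module's `ldap_compare_ext()` path and into the search filter of the `url` directive, so that the user lookup itself only returns entries carrying the wanted `memberOf` value. The following added example (not code from nginx-auth-ldap, and not a model of its `ldap_compare_ext()` group check) shows what that search-filter path does: it parses an RFC 4516 LDAP URL like the ones above, wraps the URL filter exactly as the debug log shows (`(&<url-filter>(uid=<user>))`), and evaluates the result against a constructed FreeIPA-style entry. The username is escaped per RFC 4515 before interpolation; whether the module itself escapes is not shown on this page, so treat that as the practice a defender should verify, not as a statement about the module. The entry data, helper names and the `cn=admins` group are assumptions made for this example.

```python
"""Added example: model of the filter-based group check used as a workaround above.

Not part of nginx-auth-ldap.  Parses an RFC 4516 LDAP URL, builds the search
filter "(&<url-filter>(uid=<user>))" seen in the debug log with RFC 4515
escaping of the username, and evaluates it against a constructed entry.
"""
import re
from urllib.parse import urlsplit, unquote

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value):
    """Escape a value before interpolating it into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse escape_filter_value (used when comparing against entry values)."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_ldap_url(url):
    """Split an RFC 4516 URL into host, port, base DN, attributes, scope and filter."""
    parts = urlsplit(url)
    attrs, scope, flt = (parts.query.split("?", 2) + ["", ""])[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or 389,
        "base": unquote(parts.path.lstrip("/")),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(flt) or "(objectClass=*)",
    }


def build_search_filter(url_filter, login_attr, username):
    """Combine the URL filter with the login lookup, as the debug log shows."""
    return "(&%s(%s=%s))" % (url_filter, login_attr, escape_filter_value(username))


def _split_items(s):
    """Split "(a)(b)(c)" into ["(a)", "(b)", "(c)"], honouring nesting."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def matches(flt, entry):
    """Evaluate a filter (&, |, !, presence, equality) against one entry.

    `entry` maps lower-cased attribute names to lists of string values; values
    are compared case-insensitively, close enough for the DN-valued memberOf.
    """
    body = flt[1:-1]
    if body[0] == "&":
        return all(matches(sub, entry) for sub in _split_items(body[1:]))
    if body[0] == "|":
        return any(matches(sub, entry) for sub in _split_items(body[1:]))
    if body[0] == "!":
        return not matches(_split_items(body[1:])[0], entry)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    if value == "*":  # presence filter
        return bool(values)
    return unescape_filter_value(value).lower() in values


def user_allowed(url, username, entry):
    """True if `entry` would be returned by the search implied by url + username."""
    cfg = parse_ldap_url(url)
    login_attr = cfg["attrs"][0] if cfg["attrs"] else "uid"
    return matches(build_search_filter(cfg["filter"], login_attr, username), entry)


# Constructed entry modelled on the DNs in the issue; not real directory data.
USER_ENTRY = {
    "uid": ["istoyanov"],
    "objectclass": ["top", "person", "posixaccount", "ipaobject"],
    "memberof": [
        "cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed",
        "cn=ipausers,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed",
    ],
}

BASE = "ldap://ipa1.int.domain.removed:389/cn=users,cn=accounts,dc=int,dc=domain,dc=removed?uid?sub?"
URL_PLAIN = BASE + "(ObjectClass=*)"
URL_DEVS = BASE + "(ObjectClass=*)(memberOf=cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed)"
URL_OTHER = BASE + "(ObjectClass=*)(memberOf=cn=admins,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed)"  # assumed group

if __name__ == "__main__":
    for name, url in (("plain", URL_PLAIN), ("devs", URL_DEVS), ("other", URL_OTHER)):
        print(name, user_allowed(url, "istoyanov", USER_ENTRY))
    # A wildcard login is neutralised by escaping instead of matching every entry.
    print("wildcard", build_search_filter("(ObjectClass=*)", "uid", "*"))
```

The `(memberOf=...)` item is only effective because the module ANDs the URL filter with the `uid` lookup, so the combined filter has three conjuncts; a directory that does not maintain `memberOf` on user entries (or that restricts who may read it) would make this search return nothing and every login fail, which is worth checking with a plain search against the bind DN before relying on it.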

ilf-S commented 8 years ago

Duplicate of #117, double posted somehow. Sorry.