kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

"require group" doesn't work with FreeIPA's 389 LDAP #117

Open ilf-S opened 8 years ago

ilf-S commented 8 years ago

Hi,

It could very well be that I'm not doing something the right way, but it seems require group does not work with FreeIPA's 389 LDAP schema.

Here is my config:

```
ldap_server ipa1 {
    url "ldap://ipa1.int.domain.removed:389/cn=users,cn=accounts,dc=int,dc=domain,dc=removed?uid?sub?(ObjectClass=*)";
    binddn "cn=Directory Manager";
    binddn_passwd pass_removed;
    connect_timeout 5s;
    bind_timeout 5s;
    request_timeout 5s;
    group_attribute memberOf;
    group_attribute_is_dn off;
    satisfy all;
    require group "cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed";
    require valid_user;
}
```

Here is the log:

```
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Username is "istoyanov"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=0, iteration=0)
2016/01/28 16:37:09 [debug] 17658#0: *3 event timer add: 19: 5000:1453991834271
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: request_timeout=5000
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=1, iteration=0)
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Wants a free connection to "ipa1"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Search filter is "(&(ObjectClass=*)(uid=istoyanov))"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: ldap_search_ext() -> msgid=4
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Waking authentication request "GET /images/springsource.png HTTP/1.1"
2016/01/28 16:37:09 [debug] 17658#0: *3 access phase: 9
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=1, iteration=1)
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=2, iteration=1)
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: User DN is "uid=istoyanov,cn=users,cn=accounts,dc=int,dc=domain,dc=removed"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Moving to group check
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=3, iteration=0)
2016/01/28 16:37:09 [debug] 17658#0: *3 Checking group
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Comparing user group with "cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed"
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: ldap_compare_ext() -> msgid=5
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Waking authentication request "GET /images/springsource.png HTTP/1.1"
2016/01/28 16:37:09 [debug] 17658#0: *3 access phase: 9
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=3, iteration=1)
2016/01/28 16:37:09 [debug] 17658#0: *3 Checking group
2016/01/28 16:37:09 [debug] 17658#0: *3 http_auth_ldap: Authentication loop (phase=6, iteration=1)
2016/01/28 16:37:09 [debug] 17658#0: *3 event timer del: 19: 1453991834271
2016/01/28 16:37:09 [debug] 17658#0: *3 http finalize request: 401, "/images/springsource.png?" a:1, c:1
2016/01/28 16:37:09 [debug] 17658#0: *3 http special response: 401, "/images/springsource.png?"
2016/01/28 16:37:09 [debug] 17658#0: *3 http set discard body
2016/01/28 16:37:09 [debug] 17658#0: *3 xslt filter header
2016/01/28 16:37:09 [debug] 17658#0: *3 HTTP/1.1 401 Unauthorized
```

I have also tried with `group_attribute_is_dn on;`, with the same result. Right now I have removed the `group_attribute`, `group_attribute_is_dn` and `require group` references from the config and basically modified the url like this:

```
ldap://ipa1.int.domain.removed:389/cn=users,cn=accounts,dc=int,dc=domain,dc=removed?uid?sub?(ObjectClass=*)(memberOf=cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed)
```

and by using just "valid-user" this works. However, this is not a very flexible way of doing things, not to mention I think it will break certain things.

Am I doing something wrong? Bear in mind LDAP is not my strongest suit; I definitely prefer KRB, but LDAP is more convenient for certain things.

xbulat commented 8 years ago

The same problem.

ilf-S commented 8 years ago

I actually modified my ldap url to:

```
ldap://ipa1.int.domain.removed:389/dc=int,dc=domain,dc=removed?uid,memberOf?sub?(objectClass=person)
```

which still sees my proper uid and user DN, and essentially returns dn / uid / memberOf on the console, but it still doesn't work with group_attribute_is_dn either on or off.

I am now starting to doubt it is the ldap url and assume it is this plugin; however, I am not exactly sure what it is.

kabili207 commented 8 years ago

Try using group_attribute member; instead. It looks for the attribute on the group rather than the user.
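To make the point in the reply above concrete, here is a small model of the module's group-check phase. It is an added example, not code from nginx-auth-ldap or from anyone in this thread. The in-memory directory is constructed to mirror a FreeIPA-style tree (the forward link `member` on the group entry, the back link `memberOf` on the user entry), `ldap_compare` stands in for the `ldap_compare_ext()` call visible in the debug log, and `require_group` models what the log shows: a Compare against the group DN, using `group_attribute` as the attribute and the user's DN or bare username as the value. The `is_dn on` / `member` combination and the `search_filter_matches` function are the example's own additions, showing why the URL-filter workaround from the first post passes while the `memberOf` compare fails.

```python
"""Model of nginx-auth-ldap's "require group" check (added example, not the
module's own code).  The directory below is constructed; a real FreeIPA tree
is assumed to look like it: `member` on the group, `memberOf` on the user."""

USER_DN = "uid=istoyanov,cn=users,cn=accounts,dc=int,dc=domain,dc=removed"
GROUP_DN = "cn=devs,cn=groups,cn=accounts,dc=int,dc=domain,dc=removed"

# Constructed directory standing in for the 389 server.
DIRECTORY = {
    USER_DN: {
        "objectClass": ["person", "posixaccount"],
        "uid": ["istoyanov"],
        "memberOf": [GROUP_DN],          # back link lives on the user
    },
    GROUP_DN: {
        "objectClass": ["groupofnames", "posixgroup"],
        "cn": ["devs"],
        "member": [USER_DN],             # forward link lives on the group
    },
}


def _norm(s):
    """Crude DN/attribute normalisation: LDAP matching is case-insensitive."""
    return " ".join(s.split()).lower()


def ldap_compare(directory, dn, attribute, value):
    """Emulate an LDAP Compare operation.

    Returns True (compareTrue) if the entry at `dn` carries `attribute` with
    `value`, False (compareFalse) if the entry exists but does not, and raises
    LookupError (noSuchObject) if there is no such entry.
    """
    for entry_dn, attrs in directory.items():
        if _norm(entry_dn) != _norm(dn):
            continue
        for attr, values in attrs.items():
            if attr.lower() == attribute.lower():
                return any(_norm(v) == _norm(value) for v in values)
        return False
    raise LookupError("noSuchObject: " + dn)


def require_group(directory, user_dn, username, group_dn,
                  group_attribute, group_attribute_is_dn):
    """Model of the module's group check as seen in the debug log.

    The Compare runs against the *group* entry, not the user entry.  The
    value compared is the user's DN when group_attribute_is_dn is on, and
    the bare username when it is off.
    """
    value = user_dn if group_attribute_is_dn else username
    return ldap_compare(directory, group_dn, group_attribute, value)


def search_filter_matches(directory, user_dn, group_dn):
    """Model of the URL-filter workaround: (memberOf=<group>) is evaluated on
    the user entry during the search, so it reads the back link instead."""
    return ldap_compare(directory, user_dn, "memberOf", group_dn)


def evaluate_thread_configs():
    """Run the configurations discussed in the thread against the model."""
    cases = {
        "memberOf / is_dn off": ("memberOf", False),   # first post
        "memberOf / is_dn on": ("memberOf", True),     # also tried by OP
        "member / is_dn off": ("member", False),
        "member / is_dn on": ("member", True),         # example's combination
    }
    return {
        name: require_group(DIRECTORY, USER_DN, "istoyanov", GROUP_DN, attr, is_dn)
        for name, (attr, is_dn) in cases.items()
    }


if __name__ == "__main__":
    for name, ok in evaluate_thread_configs().items():
        print(f"{name:22s} -> {'allowed' if ok else '401'}")
    print("url filter (memberOf on user) ->",
          "allowed" if search_filter_matches(DIRECTORY, USER_DN, GROUP_DN) else "401")
```

With the constructed tree, only `group_attribute member;` together with `group_attribute_is_dn on;` makes the Compare succeed, because the group entry holds member DNs, not usernames; `memberOf` never matches on the group entry whatever `group_attribute_is_dn` is set to, which is the 401 seen in the first post. Checking a real server's attribute layout with `ldapsearch` on the group entry before choosing `group_attribute` avoids guessing.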

jmccoy555 commented 6 years ago

+1 for the first post

```
ldap_server activesync {
    url ldap://10.10.1.101:389/CN=Users,DC=domain,DC=lan?mail?sub?(objectClass=person)(memberOf=CN=activesync,CN=Groups,DC=domain,DC=lan);
    binddn "CN=administrator,CN=Users,DC=domain,DC=lan";
    binddn_passwd xxxxxx;
    require valid_user;
    satisfy all;
}
```