kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

PR 170 breaks filters to AD #180

Open johnarnold opened 7 years ago

johnarnold commented 7 years ago

@kvspb

This PR breaks us: https://github.com/kvspb/nginx-auth-ldap/pull/170

We have a working config on the prev. commit from April. With this commit, we break with logs like:

Jul 21 22:08:35 6608246572f6 DEBUG nginx: 2017/07/21 22:08:35 [debug] 11#11: *270 http_auth_ldap: Search user in group "CN=GROUP1,OU=SecurityGroups,DC=domain,DC=com"
Jul 21 22:08:35 6608246572f6 DEBUG nginx: 2017/07/21 22:08:35 [debug] 11#11: *270 http_auth_ldap: Search group filter is "(&(CN=GROUP1)(member=CN=John Arnold (johnar),CN=Users,DC=domain,DC=com))"
Jul 21 22:08:35 6608246572f6 ERR nginx: 2017/07/21 22:08:35 [error] 11#11: *270 http_auth_ldap: ldap_search_ext() failed (-7: Bad search filter), client: 10.0.0.10, server: server.domain.com, request: "GET / HTTP/1.1", host: "server.domain.com"

We have found that the problem is in searching the group:

Search group filter is "(&(CN=GROUP1)(member=CN=John Arnold (johnar),CN=Users,DC=domain,DC=com))"

the DN breaks us... AD doesn't like the parentheses. If we search just for:

"(&(CN=GROUP1)(member=CN=johnar,CN=Users,DC=domain,DC=com))"

... it works fine. Also, if we backslash-escape the parentheses, it doesn't error. We've verified using the ldapsearch utility, both ways.

It looks like the code changed from using ldap_compare_ext -> ldap_search_ext and there's a change in behavior with how they compare.

It appears that what is needed is that parentheses, and probably any special filter characters in the filter string, need to be escaped.

johnarnold commented 7 years ago

Hrm... if I'm not 100% clear, it's parentheses in the user's DN that break, e.g.

CN=John Arnold (johnar),CN=Users,DC=domain,DC=com

johnarnold commented 6 years ago

Hello, anybody? @kvspb @Flashed

john57165 commented 6 years ago

I am getting the same error message. Installing the latest version didn't work with require group. I reverted to 5fd5a40851d8b7c1ba832b893d369a51825ff720 commit and everything started working again. Below is my error log from the "Bad search filter" but I also tested the search filter and it does work so something was changed and broke the lookup.

2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Username is "test"
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Authentication loop (phase=0, iteration=0)
2017/12/26 13:59:40 [debug] 28910#0: *17 event timer add: 21: 10000:1514314790670
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: request_timeout=10000
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Authentication loop (phase=1, iteration=0)
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Wants a free connection to "test"
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Search filter is "(&(objectClass=*)(sAMAccountName=test))"
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: ldap_search_ext() -> msgid=4
2017/12/26 13:59:40 [debug] 28910#0: *17 http2 frame complete pos:0000000001D520C0 end:0000000001D520C0
2017/12/26 13:59:40 [debug] 28910#0: *17 event timer del: 21: 1514314957714
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Waking authentication request "GET /test HTTP/2.0"
2017/12/26 13:59:40 [debug] 28910#0: *17 access phase: 9
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Authentication loop (phase=1, iteration=1)
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Authentication loop (phase=2, iteration=1)
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: User DN is "CN=test,CN=Users,DC=domain,DC=com"
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Moving to group check
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Authentication loop (phase=3, iteration=0)
2017/12/26 13:59:40 [debug] 28910#0: *17 Checking group
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Search user in group "CN=Group,CN=Users,DC=domain,DC=com"
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Search group filter is "(&(CN=Group)(member=CN=test,CN=Users,DC=domain,DC=com))"
2017/12/26 13:59:40 [error] 28910#0: *17 http_auth_ldap: ldap_search_ext() failed (-7: Bad search filter), client: 10.0.20.25, server: test.com, request: "GET /test HTTP/2.0", host: "test.com"
2017/12/26 13:59:40 [debug] 28910#0: *17 http_auth_ldap: Authentication loop (phase=6, iteration=0)

JayB059 commented 6 years ago

I have this issue too. There's an escaped comma in the CN (i.e. CN=Last\, First,OU=...) that causes the same error. I've tried modifying the code to remove the escape backslash ... this prevents the error from occurring, but then the group matching does not work. Has anyone found a working solution?
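The two failure cases described in this thread, johnarnold's parentheses in the user DN and JayB059's escaped comma in the CN, are the same underlying problem: a value is spliced into the search filter without the escaping RFC 4515 requires for assertion values. The block below is an added example in C, not code from nginx-auth-ldap; the function names ldap_filter_escape, build_group_filter and group_filter_equals are assumptions, and the DNs are constructed to resemble the ones quoted above. It escapes '(' ')' '*' '\' and NUL as a backslash plus two hex digits before building the "(&(CN=...)(member=...))" filter the module logs. The DN is escaped as an opaque string, so a DN-level escape such as "Last\, First" becomes "Last\5c, First" inside the filter; that is the form the server needs to match the stored member value, which is why simply deleting the backslash stops the error but also stops the group match. The same escaping is what keeps a filter built from request-supplied input (a username, for instance) from being reinterpreted as filter syntax.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 4515 section 3: inside a filter assertion value the characters
 * '(' ')' '*' '\' and NUL must be written as '\' followed by two hex digits.
 * Escapes inlen bytes of in into out (capacity outlen, NUL-terminated).
 * Returns the escaped length, or -1 when out is too small.
 * (Hypothetical helper, not part of the nginx-auth-ldap module.) */
static int ldap_filter_escape(const char *in, size_t inlen,
                              char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        int special = (c == '(' || c == ')' || c == '*' ||
                       c == '\\' || c == '\0');
        size_t need = special ? 3 : 1;

        if (o + need >= outlen)   /* keep one byte for the terminator */
            return -1;
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Builds the "(&(CN=<group>)(member=<user dn>))" filter seen in the thread,
 * escaping both values first. Returns the filter length or -1 on overflow.
 * The user DN is escaped as an opaque string: a DN that already carries a
 * DN-level escape such as "Last\, First" becomes "Last\5c, First" in the
 * filter, which is what a distinguishedNameMatch against the member
 * attribute expects. (Hypothetical helper.) */
static int build_group_filter(const char *group_cn, const char *user_dn,
                              char *out, size_t outlen)
{
    char g[256], u[1024];
    int n;

    if (ldap_filter_escape(group_cn, strlen(group_cn), g, sizeof g) < 0 ||
        ldap_filter_escape(user_dn, strlen(user_dn), u, sizeof u) < 0)
        return -1;
    n = snprintf(out, outlen, "(&(CN=%s)(member=%s))", g, u);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Convenience check: 1 if the escaped filter equals expected, 0 otherwise. */
static int group_filter_equals(const char *group_cn, const char *user_dn,
                               const char *expected)
{
    char f[2048];

    if (build_group_filter(group_cn, user_dn, f, sizeof f) < 0)
        return 0;
    return strcmp(f, expected) == 0;
}

int main(void)
{
    /* Constructed sample DNs modelled on the ones quoted in this issue. */
    const char *paren_dn = "CN=John Arnold (johnar),CN=Users,DC=domain,DC=com";
    const char *comma_dn = "CN=Last\\, First,OU=People,DC=domain,DC=com";
    char filter[2048];

    if (build_group_filter("GROUP1", paren_dn, filter, sizeof filter) > 0)
        puts(filter);   /* member=CN=John Arnold \28johnar\29,... */
    if (build_group_filter("GROUP1", comma_dn, filter, sizeof filter) > 0)
        puts(filter);   /* member=CN=Last\5c, First,... */
    return 0;
}
```

A plain DN such as "CN=test,CN=Users,DC=domain,DC=com" passes through unchanged, so the escaping costs nothing in the common case and only alters values that would otherwise be parsed as filter syntax.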

johnarnold commented 6 years ago

@JayB059 Since it seems like this project was not maintained, I switched to a Python implementation that was easier for me to maintain: https://github.com/johnarnold/nginx-ldap/tree/py3

... eventually switching that out for the oauth2_proxy implementation, which supports 2FA.