kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

http_auth_ldap: ldap_search_ext() returned NULL result #235

Closed simonpinnow closed 4 years ago

simonpinnow commented 4 years ago

Hi,

I'm trying to use a "require group" filter during authentication. But unfortunately the search returns a NULL value. For me the "Search group filter is" is not correct, because member is empty. I tried it out with some Python code. If I fill "member=" with my user DN then it works correctly (in Python).

I have no idea why my user DN isn't filled in correctly. I took a look at the source code but I have no idea.

What could be the problem?

Thanks for helping! best regards Simon

    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Username is "username"
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Authentication loop (phase=0, iteration=0)
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: request_timeout=10000
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Authentication loop (phase=1, iteration=0)
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Wants a free connection to "gdis"
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Search filter is "(&(objectClass=person)(sAMAccountname=username))"
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: ldap_search_ext() -> msgid=2
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Waking authentication request "GET / HTTP/1.1"
    2020/04/28 09:32:58 [debug] 114919#0: 42 access phase: 9
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Authentication loop (phase=1, iteration=1)
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Authentication loop (phase=2, iteration=1)
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: User DN is "CN=username,OU=Standard,OU=DE,OU=UserAccounts,DC=de,DC=top,DC=com"
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Moving to group check
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Authentication loop (phase=3, iteration=0)
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Checking group
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Search user in group "CN=groupname,OU=PureGroups,OU=Resources,DC=de,DC=top,DC=com"
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Search group filter is "(&(CN=groupname)(member=))"
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: ldap_search_ext() -> msgid=3
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Waking authentication request "GET / HTTP/1.1"
    2020/04/28 09:32:58 [debug] 114919#0: 42 access phase: 9
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Authentication loop (phase=3, iteration=1)
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Checking group
    2020/04/28 09:32:58 [error] 114919#0: 42 http_auth_ldap: ldap_search_ext() returned NULL result, client: 10.128.12.1, server: , request: "GET / HTTP/1.1", host: ""
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Authentication loop (phase=4, iteration=0)
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: no requirement satisfied
    2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Authentication loop (phase=6, iteration=0)

Configuration looks like this:

    ldap_server gdis {
        url "ldap://de.top.com/DC=de,DC=top,DC=com?sAMAccountname?sub?(objectClass=person)";
        binddn "CN=bindname,OU=Services,OU=UsersAdm,DC=de,DC=top,DC=com";
        binddn_passwd Password;

        group_attribute member;
        group_attribute_is_dn on;

        satisfy any;
        require group "CN=groupname,OU=PureGroups,OU=Resources,DC=de,DC=top,DC=com";
    }

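
A triage check for the symptom reported above, as an added example that is not part of the original post or the project's code: it scans http_auth_ldap debug output for a group filter whose assertion value is empty and reports the user DN that was resolved earlier on the same connection. The sample log is constructed, and the function and pattern names are this example's own.

```python
import re

# Constructed sample in the shape of the debug lines in the report above.
SAMPLE_LOG = """\
2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: User DN is "CN=username,OU=Standard,DC=de,DC=top,DC=com"
2020/04/28 09:32:58 [debug] 114919#0: 42 http_auth_ldap: Search group filter is "(&(CN=groupname)(member=))"
2020/04/28 09:32:58 [error] 114919#0: 42 http_auth_ldap: ldap_search_ext() returned NULL result
2020/04/28 09:32:59 [debug] 114919#0: 43 http_auth_ldap: User DN is "CN=other,OU=Standard,DC=de,DC=top,DC=com"
2020/04/28 09:32:59 [debug] 114919#0: 43 http_auth_ldap: Search group filter is "(&(CN=groupname)(member=CN=other,OU=Standard,DC=de,DC=top,DC=com))"
"""

# An entry ends where the next timestamp starts, so the parser copes with
# one entry per line and with entries run together on one long line.
TS = r"\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \["
ENTRY = re.compile(
    # Raw nginx error logs write the connection number as "*42";
    # the log on this page shows it without the "*", so accept both.
    r"\[\w+\] \d+#\d+: \*?(?P<conn>\d+) http_auth_ldap: (?P<msg>.*?)"
    r"(?=\s+" + TS + r"|\s*$)", re.S)
USER_DN = re.compile(r'User DN is "(?P<dn>.*)"$')
GROUP_FILTER = re.compile(r'Search group filter is "(?P<filter>.*)"$')
# A filter component such as "(member=)": attribute present, value empty.
EMPTY_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9;.-]*)=\)")


def find_empty_group_filters(log_text):
    """Return one finding per group search whose filter has an empty value."""
    user_dn = {}   # connection number -> last user DN logged for it
    findings = []
    for entry in ENTRY.finditer(log_text):
        conn, msg = entry.group("conn"), entry.group("msg")
        if (dn := USER_DN.match(msg)):
            user_dn[conn] = dn.group("dn")
        elif (gf := GROUP_FILTER.match(msg)):
            empty = EMPTY_ASSERTION.findall(gf.group("filter"))
            if empty:
                findings.append({
                    "conn": conn,
                    "filter": gf.group("filter"),
                    "empty_attrs": empty,
                    # DN the module had resolved but did not place in the filter
                    "user_dn": user_dn.get(conn),
                })
    return findings


if __name__ == "__main__":
    for finding in find_empty_group_filters(SAMPLE_LOG):
        print(finding)
```
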
simonpinnow commented 4 years ago

I've seen your changes, I was working on a fork to create a pull request. Thank you for fixing.

simonpinnow commented 4 years ago

https://github.com/kvspb/nginx-auth-ldap/pull/234