threerings / openvpn-auth-ldap

Implements username/password authentication via LDAP for OpenVPN 2.x.

RequireGroup does not work as expected #15

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What is the expected output? What do you see instead?

The expected output is to work, but it does not.

What version of the product are you using? On what operating system?
auth-ldap-2.0.3. Operating system = Debian 5.0.

Please provide any additional information below:

Here is what the group looks like in LDAP:

dn: ou=Group,dc=users,dc=test,dc=loc
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: cn=admins,ou=Group,dc=users,dc=test,dc=loc
objectClass: posixGroup
objectClass: top
cn: admins
gidNumber: 1000
memberUid: username

dn: cn=vpn,ou=Group,dc=users,dc=test,dc=loc
objectClass: posixGroup
objectClass: top
cn: vpn
gidNumber: 5000

# Here is the output of the ldap search:

users:/# ldapsearch -D "cn=admin,dc=users,dc=test,dc=loc" -W -x -b
"ou=Group,dc=users,dc=test,dc=loc" "(|(cn=admins)(cn=vpn))" "memberUid"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=users,dc=test,dc=loc> with scope subtree
# filter: (|(cn=admins)(cn=vpn))
# requesting: memberUid
#

dn: cn=admins,ou=Group,dc=users,dc=test,dc=loc
memberUid: username

dn: cn=vpn,ou=Group,dc=users,dc=test,dc=loc

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

# Here is the result of testplugin:

vpn:/usr/local/src/auth-ldap-2.0.3/src#
/usr/local/src/auth-ldap-2.0.3/src/testplugin /etc/openvpn/ldap.conf
Username: username
Password:
Authorization Failed!
No matching LDAP group found for user DN
"uid=username,ou=People,dc=users,dc=test,dc=loc", and group membership is
required.
client-connect failed!
No matching LDAP group found for user DN
"uid=username,ou=People,dc=users,dc=test,dc=loc", and group membership is
required.
client-disconnect failed!

#####
However, when I set RequireGroup to false in the configuration file, it
DOES WORK. That indicates the LDAP and OpenVPN work just fine. However,
there is a problem with my configuration or a problem with the code itself.
I notice that the search result returns 2 lines and that might be the
problem .. I do not know.
#####

Original issue reported on code.google.com by SecFilte...@gmail.com on 10 Mar 2009 at 3:44

GoogleCodeExporter commented 9 years ago
Here is what I have in my configuration file:

<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=users,dc=test,dc=loc"
        # User Search Filter
        SearchFilter    "uid=%u"
        # Require Group Membership
        RequireGroup    true
        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Group,dc=users,dc=test,dc=loc"
                SearchFilter    "(|(cn=admins)(cn=vpn))"
                MemberAttribute memberUid
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

Original comment by SecFilte...@gmail.com on 10 Mar 2009 at 3:47

GoogleCodeExporter commented 9 years ago
Pretty sure this is a duplicate of Issue 7.
I am waiting on that ticket too.

Original comment by elij...@gmail.com on 27 Dec 2009 at 11:56

GoogleCodeExporter commented 9 years ago
Thanks, this issue is a duplicate of #7, caused by RFC2307bis group checking.

Original comment by landon.j.fuller@gmail.com on 29 Dec 2009 at 4:11
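An added illustration of the cause named in the last comment, not code from openvpn-auth-ldap: it assumes the plugin's RFC2307bis-style check compares the user's full DN against the configured MemberAttribute, and contrasts that with a posixGroup-style check that compares the uid from the user's RDN, using group entries constructed to mirror the ldapsearch output above.

```python
# Added example (not openvpn-auth-ldap's own code). The RFC2307bis-style check
# is an assumption about how the plugin matched members at the time of this
# issue; the group entries are constructed from the report's ldapsearch output.

USER_DN = "uid=username,ou=People,dc=users,dc=test,dc=loc"

# Constructed group entries: 'admins' lists the bare uid, 'vpn' has no members.
GROUPS = {
    "cn=admins,ou=Group,dc=users,dc=test,dc=loc": {"memberUid": ["username"]},
    "cn=vpn,ou=Group,dc=users,dc=test,dc=loc": {},
}


def rdn_value(dn: str) -> str:
    """Return the value of the leftmost RDN, e.g. 'username' for 'uid=username,...'."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1]


def matching_groups_bis(user_dn: str, groups: dict, member_attr: str) -> list:
    """RFC2307bis-style check: the member attribute is expected to hold full DNs.

    Against a posixGroup whose memberUid holds only 'username' this never
    matches, which reproduces 'No matching LDAP group found for user DN'.
    """
    wanted = user_dn.lower()
    return [dn for dn, attrs in groups.items()
            if any(v.lower() == wanted for v in attrs.get(member_attr, []))]


def matching_groups_posix(user_dn: str, groups: dict, member_attr: str) -> list:
    """RFC2307 posixGroup check: compare the uid taken from the user's RDN."""
    wanted = rdn_value(user_dn).lower()
    return [dn for dn, attrs in groups.items()
            if any(v.lower() == wanted for v in attrs.get(member_attr, []))]


def authorize(user_dn: str, groups: dict, member_attr: str,
              require_group: bool, posix: bool) -> bool:
    """Mirror the RequireGroup decision: membership is mandatory only when set."""
    check = matching_groups_posix if posix else matching_groups_bis
    return bool(check(user_dn, groups, member_attr)) or not require_group


if __name__ == "__main__":
    for posix in (False, True):
        print("posix" if posix else "rfc2307bis",
              authorize(USER_DN, GROUPS, "memberUid", True, posix))
```

With RequireGroup true the DN-based check denies the user and the uid-based check admits them, while RequireGroup false admits regardless, matching the reporter's observation.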