Closed etSpark closed 1 year ago
Hello, @etSpark
The group filter used to find members in a group can be checked here:
It uses the three most common attribute names for groups in OpenLDAP and AD: member, uniqueMember and memberUid.
You can check and make some tests using the examples page.
Thanks @wiltonsr!
The group filter should fit the LDAP server I am faced with, then.
If I query this LDAP via Linux ldapsearch with the baseDN I provided in the allowedGroups and the userDN + filter for the attribute member, I get an entry back.
Looking at the logs I posted at the end of my initial comment:
The line "Searching Group .. with User .." is understandable; it comes from https://github.com/wiltonsr/ldapAuth/blob/7878b9501d4f8dd0a354b61b2eafad08e7f180b6/ldapauth.go#L273 and it got the right parameters.
But where do the next two log lines come from?
ERROR: ldapAuth: 2023/02/14 09:14:49 restricted.go:51: %!s(<nil>)
DEBUG: ldapAuth: 2023/02/14 09:14:49 restricted.go:52: [<nil>]
They don't seem to get caught by: https://github.com/wiltonsr/ldapAuth/blob/7878b9501d4f8dd0a354b61b2eafad08e7f180b6/ldapauth.go#L290
But where do the next two log lines come from?
ERROR: ldapAuth: 2023/02/14 09:14:49 restricted.go:51: %!s(<nil>)
DEBUG: ldapAuth: 2023/02/14 09:14:49 restricted.go:52: [<nil>]
They don't seem to get caught by: https://github.com/wiltonsr/ldapAuth/blob/7878b9501d4f8dd0a354b61b2eafad08e7f180b6/ldapauth.go#L290
The ERROR log comes from here:
and the DEBUG from here:
They are printing the err that happened in the search: https://github.com/wiltonsr/ldapAuth/blob/7878b9501d4f8dd0a354b61b2eafad08e7f180b6/ldapauth.go#L287
@etSpark I'm able to reproduce your issue.
That happens when the user doesn't belong to any group.
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:12 restricted.go:51: AllowedGroups => '[ou=mathematicians2,dc=example,dc=com ou=italians2,ou=scientists,dc=example,dc=com]'
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:12 restricted.go:51: Username => ''
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Session details: &{ map[] 0xc000f3e680 true {0xc0014f4c60 {0xc001161f40 0xc001e98448 406}} ldapAuth_session_token}
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:52: No session found! Trying to authenticate in LDAP
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Host: ldap.forumsys.com
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Connect Address: ldap.forumsys.com:389
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Running in Bind Mode
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Authenticating User: uid=tesla,dc=example,dc=com
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Searching Group: 'ou=mathematicians2,dc=example,dc=com' with User: 'uid=tesla,dc=example,dc=com'
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:19 restricted.go:51: Searching Group: 'ou=italians2,ou=scientists,dc=example,dc=com' with User: 'uid=tesla,dc=example,dc=com'
traefik | ERROR: ldapAuth: 2023/02/14 16:09:19 restricted.go:51: %!s(<nil>)
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:19 restricted.go:52: [<nil>]
For some reason, this is not working:
I will try to fix ASAP.
Hello, @etSpark
I released v0.0.21. Please test and let me know if the problem persists.
Hi @wiltonsr,
Tested, and yes, the logging works fine now!
Before, I got "User not in any of the allowed group"; now I get LDAP Result Code 32 "No Such Object".
So for some reason it does not find the DN of the group in my case.
I need to use a bindDN with bindPassword; maybe it doesn't utilize those when trying to get the group DN? Just guessing... I need to dig deeper.
Thanks for improving the logging!
@etSpark
Please check for any typo in your group DN.
The error LDAP Result Code 32 "No Such Object" is much clearer.
I need to use a bindDN with bindPassword; maybe it doesn't utilize those when trying to get the group DN? Just guessing... I need to dig deeper.
You only need this if your LDAP doesn't allow anonymous bind.
Hi,
I have a question regarding the user matching in the given DNs of allowed groups.
I have OpenLDAP roles; they look like this:
Users look like this:
The relevant plugin YAML config is like:
The user authentication works fine, but it doesn't seem to find the user as a member:
An LDAP search filter like "(member=uid=member1,ou=users,ou=test,ou=test_service,o=some_org,c=some_country)" with baseDN "uid=1234,ou=roles,ou=test,ou=test_service,o=some_org,c=some_country" should work.
Why doesn't it match? Does it query for another attribute than member, maybe? Could I work around it somehow with a search filter?
Cheers! And thanks a lot for sharing this plugin!
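The two questions in this thread (what the group filter looks like, and why a user outside every group produced an `%!s(<nil>)` ERROR line) come down to the same small piece of logic, so here is an added Go example, not the plugin's own code, that walks through it offline. It assumes a filter of the shape `(|(member=...)(uniqueMember=...)(memberUid=...))` over the three attributes wiltonsr names (the plugin's exact filter is in ldapauth.go), escapes the user DN per RFC 4515 before putting it in the filter, and keeps "search failed" (for example the result code 32 etSpark hit after a group-DN typo) separate from "search succeeded but the user is in no group" so a nil error is never logged. The directory (`fakeDir`, `newExampleDir`) and the DNs in it are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNotInAnyGroup is returned when every group search succeeded (err == nil)
// but no entry came back. Keeping it distinct from a search error is what
// avoids logging a nil error as "%!s(<nil>)".
var ErrNotInAnyGroup = errors.New("user not in any of the allowed groups")

// escapeFilterValue escapes a value for use in an LDAP search filter
// (RFC 4515), so a DN or uid taken from a login form cannot change the
// filter's structure.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// membershipFilter ORs the three common membership attributes named in the
// thread. The exact filter used by the plugin lives in ldapauth.go; this
// shape is an assumption for the example.
func membershipFilter(userDN, uid string) string {
	dn := escapeFilterValue(userDN)
	return fmt.Sprintf("(|(member=%s)(uniqueMember=%s)(memberUid=%s))", dn, dn, escapeFilterValue(uid))
}

// Searcher abstracts the directory so the decision logic runs offline.
type Searcher interface {
	// Search returns how many entries under baseDN match filter.
	Search(baseDN, filter string) (int, error)
}

// memberOfAny returns the first allowed group that lists the user.
// A failed search (bad group DN, connection problem) is returned as-is so
// the operator sees the real LDAP result code; zero matches everywhere
// yields ErrNotInAnyGroup.
func memberOfAny(s Searcher, allowedGroups []string, userDN, uid string) (string, error) {
	filter := membershipFilter(userDN, uid)
	for _, g := range allowedGroups {
		n, err := s.Search(g, filter)
		if err != nil {
			return "", fmt.Errorf("searching group %q: %w", g, err)
		}
		if n > 0 {
			return g, nil
		}
	}
	return "", ErrNotInAnyGroup
}

// fakeDir is a constructed in-memory directory: group DN -> member DNs.
// A base DN that does not exist answers with result code 32, like a real server.
type fakeDir map[string][]string

func (d fakeDir) Search(baseDN, filter string) (int, error) {
	members, ok := d[baseDN]
	if !ok {
		return 0, errors.New(`LDAP Result Code 32 "No Such Object"`)
	}
	n := 0
	for _, m := range members {
		// Enough for the demo: the member attribute holds full DNs.
		if strings.Contains(filter, "(member="+escapeFilterValue(m)+")") {
			n++
		}
	}
	return n, nil
}

// newExampleDir returns constructed sample data in the style of the thread's logs.
func newExampleDir() fakeDir {
	return fakeDir{
		"ou=mathematicians,dc=example,dc=com": {"uid=euclid,dc=example,dc=com", "uid=gauss,dc=example,dc=com"},
		"ou=scientists,dc=example,dc=com":     {"uid=tesla,dc=example,dc=com"},
	}
}

func main() {
	dir := newExampleDir()
	groups := []string{"ou=mathematicians,dc=example,dc=com", "ou=scientists,dc=example,dc=com"}
	for _, uid := range []string{"tesla", "newton"} {
		dn := fmt.Sprintf("uid=%s,dc=example,dc=com", uid)
		g, err := memberOfAny(dir, groups, dn, uid)
		switch {
		case errors.Is(err, ErrNotInAnyGroup):
			fmt.Printf("%s: denied (%v)\n", uid, err)
		case err != nil:
			fmt.Printf("%s: search failed: %v\n", uid, err)
		default:
			fmt.Printf("%s: allowed via %s\n", uid, g)
		}
	}
	// A typo in an allowed group DN surfaces as the real LDAP error, not as a nil err.
	_, err := memberOfAny(dir, []string{"ou=mathematicians2,dc=example,dc=com"}, "uid=tesla,dc=example,dc=com", "tesla")
	fmt.Println("bad group DN:", err)
}
```

Two things to take from it: the log line for a denied user should say "not in any allowed group" rather than print the (nil) search error, and a "No Such Object" result means the base DN of the search itself was wrong or invisible to the bound identity, which is why checking the group DN for typos and, on servers that refuse anonymous binds, configuring a bindDN are the first things to try.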