allowedGroups query
etSpark opened this issue · 7 comments
Hi,
I have a question regarding the user matching in the given DNs of allowedGroups.
I have OpenLDAP roles; they look like this:
dn: uid=1234,ou=roles,ou=test,ou=test_service,o=some_org,c=some_country
description: some description
o: my_test
displayName: test_role
uid: 1234
cn: test_role
ou: test_role
objectClass: organizationalUnit
objectClass: OpenLDAPou
objectClass: uidObject
objectClass: spCategory
mail: some_mail@address
member: uid=member1,ou=users,ou=test,ou=test_service,o=some_org,c=some_country
member: uid=member2,ou=users,ou=test,ou=test_service,o=some_org,c=some_country
Users look like this:
dn: uid=member1,ou=users,ou=test,ou=test_service,o=some_org,c=some_country
displayName::1274z90==
cn:: 12oi8u51395i==
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: spPerson
sn: Name
employeeNumber: 1852375
givenName:: 1274z90==
ou: abbreviation
mail: some_address@some.org
uid: member1
The relevant plugin YAML config looks like this:
attribute: uid
baseDn: ou=users,ou=test,ou=test_service,o=some_org,c=some_country
allowedGroups:
- "uid=1234,ou=roles,ou=test,ou=test_service,o=some_org,c=some_country"
The user authentication works fine, but it doesn't seem to find the user as a member:
DEBUG: ldapAuth: 2023/02/14 09:14:44 restricted.go:52: No session found! Trying to authenticate in LDAP
DEBUG: ldapAuth: 2023/02/14 09:14:44 restricted.go:51: Host: *****
DEBUG: ldapAuth: 2023/02/14 09:14:44 restricted.go:51: Connect Address: ****
DEBUG: ldapAuth: 2023/02/14 09:14:49 restricted.go:51: Running in Bind Mode
DEBUG: ldapAuth: 2023/02/14 09:14:49 restricted.go:51: Authenticating User: uid=member1,ou=users,ou=test,ou=test_service,o=some_org,c=some_country
DEBUG: ldapAuth: 2023/02/14 09:14:49 restricted.go:51: Searching Group: 'uid=1234,ou=roles,ou=test,ou=test_service,o=some_org,c=some_country' with User: 'uid=member1,ou=users,ou=test,ou=test_service,o=some_org,c=some_country'
ERROR: ldapAuth: 2023/02/14 09:14:49 restricted.go:51: %!s(<nil>)
DEBUG: ldapAuth: 2023/02/14 09:14:49 restricted.go:52: [<nil>]
An LDAP search filter like "(member=uid=member1,ou=users,ou=test,ou=test_service,o=some_org,c=some_country)" with baseDN "uid=1234,ou=roles,ou=test,ou=test_service,o=some_org,c=some_country" should work.
Why doesn't it match? Does it maybe query for an attribute other than member? Could I work around this somehow with a search filter?
Cheers!
And thanks a lot for sharing this plugin!
Thanks @wiltonsr!
The group filter should fit the LDAP server I am faced with, then.
If I query this LDAP via Linux ldapsearch with the baseDN I provided in allowedGroups and the user DN + a filter for the attribute member, I get an entry back.
Looking at the logs I posted at the end of my initial comment:
The line "Searching Group .. with User .." is understandable; it comes from line 273 in 7878b95 and it got the right parameters.
But where do the next two log lines come from?
ERROR: ldapAuth: 2023/02/14 09:14:49 restricted.go:51: %!s(<nil>)
DEBUG: ldapAuth: 2023/02/14 09:14:49 restricted.go:52: [<nil>]
They don't seem to get caught by line 290 in 7878b95.
But where do the next two log lines come from?
ERROR: ldapAuth: 2023/02/14 09:14:49 restricted.go:51: %!s(<nil>)
DEBUG: ldapAuth: 2023/02/14 09:14:49 restricted.go:52: [<nil>]
They don't seem to get caught by line 290 in 7878b95.
The ERROR log comes from here: lines 188 to 195 in 7878b95, and the DEBUG log from here: lines 305 to 306 in 7878b95.
They are printing the err that happened in the search: line 287 in 7878b95.
@etSpark I'm able to reproduce your issue.
That happens when the user doesn't belong to any group.
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:12 restricted.go:51: AllowedGroups => '[ou=mathematicians2,dc=example,dc=com ou=italians2,ou=scientists,dc=example,dc=com]'
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:12 restricted.go:51: Username => ''
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Session details: &{ map[] 0xc000f3e680 true {0xc0014f4c60 {0xc001161f40 0xc001e98448 406}} ldapAuth_session_token}
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:52: No session found! Trying to authenticate in LDAP
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Host: ldap.forumsys.com
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Connect Address: ldap.forumsys.com:389
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Running in Bind Mode
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Authenticating User: uid=tesla,dc=example,dc=com
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:18 restricted.go:51: Searching Group: 'ou=mathematicians2,dc=example,dc=com' with User: 'uid=tesla,dc=example,dc=com'
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:19 restricted.go:51: Searching Group: 'ou=italians2,ou=scientists,dc=example,dc=com' with User: 'uid=tesla,dc=example,dc=com'
traefik | ERROR: ldapAuth: 2023/02/14 16:09:19 restricted.go:51: %!s(<nil>)
traefik | DEBUG: ldapAuth: 2023/02/14 16:09:19 restricted.go:52: [<nil>]
For some reason, this is not working:
Lines 289 to 291 in 7878b95
I will try to fix ASAP.
Hello @etSpark,
I released v0.0.21. Please test and let me know if the problem persists.
Hi @wiltonsr,
Tested, and yes, the logging works fine now!
Where before I got "User not in any of the allowed group", I now get LDAP Result Code 32 "No Such Object".
So for some reason it does not find the DN of the group in my case.
I need to use a bindDN with bindPassword; maybe it doesn't utilize those when trying to get the group DN? Just guessing... I need to dig deeper.
Thanks for improving the logging!
Please check for any typo in your group DN.
The error LDAP Result Code 32 "No Such Object" is much clearer.
I need to use a bindDN with bindPassword; maybe it doesn't utilize those when trying to get the group DN? Just guessing... I need to dig deeper.
You only need this if your LDAP doesn't allow anonymous bind.
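The membership check this thread converges on, written out as an added example that is not the plugin's own code: a base-scope search at each allowedGroups DN with the filter (member=<userDN>) from the first comment, keeping "zero entries" (user not a member) distinct from result code 32 (the configured group DN does not exist, the typo case from the last comments) instead of collapsing both into a nil error. The Searcher type, FakeDir and the DNs are assumed or constructed here; a real deployment would plug in go-ldap's search and a bind identity that may read the group entries.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Searcher is a base-scope search at baseDN returning how many entries match
// filter; real code would wrap go-ldap's Search (assumed API, not shown here).
type Searcher func(baseDN, filter string) (int, error)
// ErrNoSuchObject models LDAP result code 32: the base DN itself does not exist.
var ErrNoSuchObject = errors.New(`LDAP Result Code 32 "No Such Object"`)
// escapeFilterValue applies RFC 4515 escaping so a DN cannot alter the filter.
func escapeFilterValue(v string) string {
	return strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`).Replace(v)
}

// IsMember runs the thread's search, (member=<userDN>) at each allowed group DN,
// keeping three outcomes distinct: entry found (allowed), zero entries (not a
// member), and an error such as code 32 (group DN missing), which is returned.
func IsMember(search Searcher, userDN string, allowedGroups []string) (bool, error) {
	filter := fmt.Sprintf("(member=%s)", escapeFilterValue(userDN))
	for _, groupDN := range allowedGroups {
		n, err := search(groupDN, filter)
		if err != nil {
			return false, fmt.Errorf("group %q: %w", groupDN, err)
		}
		if n > 0 {
			return true, nil
		}
	}
	return false, nil
}

// FakeDir is a constructed in-memory directory (group DN -> member DNs) standing
// in for a live server: unknown base DN -> code 32, otherwise count matches.
type FakeDir map[string][]string

func (d FakeDir) Search(baseDN, filter string) (int, error) {
	members, ok := d[baseDN]
	if !ok {
		return 0, ErrNoSuchObject
	}
	n := 0
	for _, m := range members {
		if filter == "(member="+escapeFilterValue(m)+")" {
			n++
		}
	}
	return n, nil
}
```

Against the role entry from the first comment, member1 is allowed, an unlisted user is refused with a nil error, and a mistyped group DN surfaces as the code 32 error rather than a silent refusal.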