OpenVPN + FreeIPA: memberOf Additional Requirement not working - ldap

My user authenticates fine through OpenVPN AS, using LDAP authentication over FreeIPA.
Now I want to restrict OpenVPN to enforce that they belong to a certain group.
I've created a User Group in FreeIPA, and changed OpenVPN to have an "Additional LDAP Requirement" of "memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk"
But when I try to authenticate now, I get access denied, with this error in openvpn logs:
2019-11-26T09:38:12+0000 [stdout#info] VPN Auth Failed: u"LDAP exception on ldaps://endpoint.free.ipa.internal/ (facility='search (u'cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk', 2, u'(&(uid=myUser)(memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk))')'): **user not found that meets specified requirements**: memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk: auth/authldap:178,python2.7/threading:774,python2.7/threading:801,python2.7/threading:754,_threads/_threadworker:46,_threads/_team:190,python/threadpool:250,python/threadpool:266,python/context:122,python/context:85,auth/authldap:138,auth/authldap:178,util/error:67,util/error:48" [None]
If I try (what I think is) the equivalent LDAP Search from command line, it works fine:
ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk" -W -H ldap://localhost -b "cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk" '(&(uid=myUser)(memberOf=cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk))'
That returns the user, and even lists their memberOf attributes:
...
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk
memberOf: cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk
...
So unsure what I've done wrong in OpenLDAP.
I read that memberOf only works retrospectively, so I removed and re-added myUser to myGroup. Still didn't work.

Ah found it.
OpenVPNAS was using anonymous binding to connect to FreeIPA in order to authenticate people. With anonymous binding, it isn't permitted to see group membership!
Fix was to change OpenVPNAS to bind as an admin user. Now it works fine.
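A quick way to confirm this diagnosis before touching the OpenVPN AS config, as an added example that is not part of the original post: run the same `memberOf` lookup anonymously and bound as a DN, and check whether the group shows up in each. The URI, base DN and group DN are placeholders copied from the post; the service-account DN in the usage comment is an assumption (FreeIPA keeps such accounts under `cn=sysaccounts,cn=etc`, which is a better least-privilege choice than binding as `admin`). The LDIF parsing only handles plain `memberOf:` lines.

```shell
#!/bin/sh
# Added example (not from the original post). Shows why the OpenVPN AS
# filter (&(uid=X)(memberOf=G)) matches nothing under an anonymous bind:
# FreeIPA does not return memberOf to anonymous clients, so the same
# search with and without a bind DN gives different answers.
# URI, base and group DN are placeholders copied from the post.
URI="ldaps://endpoint.free.ipa.internal/"
BASE="cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk"
GROUP="cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk"

# Print memberOf values from LDIF on stdin, lowercased: DNs compare
# case-insensitively, which is why CN=myGroup,... matched cn=myGroup,...
# in the post. Base64-encoded values ("memberOf:: ...") are not handled.
memberof_values() {
  grep -i '^memberOf: ' | sed 's/^[^:]*: *//' | tr '[:upper:]' '[:lower:]'
}

# Exit 0 iff the LDIF on stdin lists membership in the DN given as $1.
ldif_has_group() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  memberof_values | grep -Fxq -e "$want"
}

# Fetch only the memberOf attribute of uid=$2: anonymously when $1 is
# empty, otherwise bound as DN $1 (-W prompts for the password).
fetch_memberof() {
  if [ -z "$1" ]; then
    ldapsearch -x -LLL -H "$URI" -b "$BASE" "(uid=$2)" memberOf
  else
    ldapsearch -x -LLL -H "$URI" -D "$1" -W -b "$BASE" "(uid=$2)" memberOf
  fi
}

# Report whether $GROUP is visible for user $1 anonymously and as bind DN $2.
check_visibility() {
  if fetch_memberof "" "$1" | ldif_has_group "$GROUP"; then
    echo "anonymous: $1 is visibly a member of $GROUP"
  else
    echo "anonymous: membership not visible (FreeIPA default for anonymous clients)"
  fi
  if fetch_memberof "$2" "$1" | ldif_has_group "$GROUP"; then
    echo "as $2: $1 is visibly a member of $GROUP; use this DN in OpenVPN AS"
  else
    echo "as $2: membership not visible; check the group DN and this account's read rights"
  fi
}

# Usage (service account DN is an assumed example):
#   sh check_memberof.sh myUser "uid=svc-openvpn,cn=sysaccounts,cn=etc,dc=mgmt,dc=company,dc=uk"
if [ $# -eq 2 ]; then
  check_visibility "$1" "$2"
fi
```

If the anonymous run prints "not visible" and the bound run prints the group, the filter itself is fine and only the bind identity in OpenVPN AS needs to change; if the bound run also fails, the group DN or the bind account's read permissions are the problem.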

Related

Google Secure LDAP credentials not working

I'm trying to get a simple ldapsearch query working against Google Secure LDAP without using client certificate. I'm using Ubuntu 22.04 ldap-utils.
Am I doing something obviously wrong with my query below? Assume username generated by Google is LDAPUser1 and password is RAND123 and my domain is example.com:
ldapsearch -D "LDAPUser1" -w RAND123 -b "ou=Users,dc=example,dc=com" -H ldaps://ldap.google.com:636
Whenever I run it, I get the following error:
ldap_bind: Invalid credentials (49)
additional info: Incorrect password
I've copied the username and password verbatim from the Google Secure LDAP "Access Credentials" section. It's directly below the "Certificates" section.

Google Secure LDAP (from Cloud Identity) returning wrong user DN

We have a Google G suite with multiple domains and users with email addresses not always having the primary domain extension.
When ldap searching the Secure LDAP environment for a user with a non primary domain we get the wrong user DN back.
Example:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user@company.nl)'
returns dn: uid=user,ou=Users,dc=example,dc=com
where it should return dn: uid=user,dc=company,dc=nl
But with this wrong DN the next step in my radius authentication (because that's what we are using this for) fails:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D uid=user,ou=Users,dc=example,dc=com -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user@company.nl)' with a
ldap_bind: Invalid credentials (49)
additional info: Incorrect password
which makes sense because LDAP cannot find the user.
whereas binding with the right DN succeeds:
LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=ldap-client.key ldapsearch -W -D uid=user,ou=Users,dc=company,dc=nl -H ldaps://ldap.google.com -b dc=example,dc=com '(mail=user@company.nl)'
If I query for the user with the base_dn corresponding to the user's email address, the returned DN is fine, but I don't think I can dynamically adjust the base_dn depending on the user's email address in freeradius.
I'm not sure if this is a problem with the Google LDAP servers, a problem with the LDAP protocol, or a problem with the way I/radius query LDAP.
I'm thinking to implement scripting authentication in the authorize section and implement my own ldapsearch + bind , but I hope there's a better solution.
Thanks. Wessel
Try with ldaps://ldap.google.com:636.
We found unless the port is defined it does not work.
We also noticed that not all fields can be searched, e.g. uidNumber.

How was authentication built on LDAP?

I have integrated LDAP-based authentication into applications many times.
I just pass the configuration to libraries and frameworks: a URL (like ldap.company.com:389), a search base (like dc=europe,dc=com) and a query pattern (like (uid=$)).
But I always wonder what libraries and frameworks really do to authenticate a user with the supplied login/password.
It seems that LDAP itself has three types of authentication: anonymous, plain password and SASL. So sometimes, in order to authenticate, you need an application login/password to get access to the LDAP service.
I am not sure that this blog answers the question: http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/ :
Get a connection to the LDAP server.
Bind as the application user.
Search for the DN (distinguished name) of the user to be authenticated.
Bind as user to be authenticated using DN from step 3.
Is that right?
That may be summarized as (as an experiment on the command line):
$ ldapsearch -x -h ldap.company.com -s sub -b 'dc=europe,dc=com' "uid=XYZ"
....
dn: uid=XYZ,dc=sales,dc=europe,dc=com
...
$ ldapsearch -W -h ldap.company.com -D 'uid=XYZ,dc=sales,dc=europe,dc=com' \
-s sub -b 'dc=europe,dc=com' "uid=XYZ"
Are there any other authentication schemes, like using a specific attribute value of the DN as the user's secret? Or is userPassword that attribute itself?
Your four steps are basically correct. SASL is an external authentication mechanism where authentication is "handed off" to the SASL mechanism. RFC 4513 spells out authentication and security mechanisms.
-jim
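The four steps written out with ldapsearch, as an added example that is not code from either post or from any LDAP library. It adds the two details application libraries normally hide: the login is escaped before it is spliced into the `(uid=$)` pattern (RFC 4515), because an unescaped `*` turns the search into `(uid=*)` and search-then-bind would happily bind as whichever entry comes back first, and the search refuses to continue unless exactly one entry matched. It also generalises to the multi-domain case from the Google Secure LDAP post above by deriving the base DN from the mail domain (`user@company.nl` gives `dc=company,dc=nl`) when the login is a mail address. Server URI, the application bind DN, the password file and the `-y` usage are assumptions; Google's service uses client certificates rather than an application bind, so the bind options would differ there.

```shell
#!/bin/sh
# Added example, not code from either post or from any LDAP library: the
# four-step search-then-bind flow done with ldapsearch. Server, DNs and the
# password file are assumed placeholders.
LDAP_URI="ldaps://ldap.company.com:636"   # assumed; port given explicitly
BASE_DN="dc=europe,dc=com"
APP_DN="uid=app,dc=europe,dc=com"         # assumed application (service) account
APP_PW_FILE="/etc/app/ldap.pw"            # assumed; -y keeps the password off the command line

# RFC 4515 escaping of filter-special characters. Without it a login of '*'
# turns (uid=$login) into (uid=*), which matches every user in the base.
ldap_escape_filter() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# dc=... base from the domain of a mail address: user@company.nl -> dc=company,dc=nl.
# Fails (exit 1) when the login is a bare uid with no @.
base_dn_from_mail() {
  domain=${1#*@}
  [ "$domain" != "$1" ] || return 1
  printf 'dc=%s' "$domain" | sed 's/\./,dc=/g'
}

# Extract the single dn: line from LDIF on stdin; fail if zero or several
# entries matched, since binding as "the first hit" is how the wrong user
# gets authenticated. (Wrapped or base64 "dn::" lines are not handled.)
single_dn() {
  dns=$(sed -n 's/^dn: //p')
  [ "$(printf '%s\n' "$dns" | grep -c .)" -eq 1 ] || return 1
  printf '%s' "$dns"
}

# Steps 1-3: connect, bind as the application account, resolve filter -> DN.
# The attribute list "1.1" asks for no attributes, so only the DN comes back.
find_user_dn() {   # $1 = filter, $2 = base DN
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$APP_DN" -y "$APP_PW_FILE" \
             -b "$2" -s sub "$1" 1.1 | single_dn
}

# Step 4: simple bind as the user's own DN with the password in file $2.
# Exit status 0 means the directory accepted the password; 49 is "invalid
# credentials", the error quoted in the Google posts above.
verify_password() {   # $1 = user DN, $2 = password file
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$1" -y "$2" -b "$1" -s base 1.1 >/dev/null
}

# Whole flow: login in $1 (a uid such as XYZ, or a mail address), password in file $2.
ldap_authenticate() {
  if base=$(base_dn_from_mail "$1"); then
    filter="(mail=$(ldap_escape_filter "$1"))"
  else
    base="$BASE_DN"
    filter="(uid=$(ldap_escape_filter "$1"))"
  fi
  dn=$(find_user_dn "$filter" "$base") || { echo "no unique entry for $1" >&2; return 1; }
  verify_password "$dn" "$2"
}

# Usage: sh ldap_auth.sh XYZ /path/to/password-file
if [ $# -eq 2 ]; then
  ldap_authenticate "$1" "$2" && echo "authenticated as $1"
fi
```

The user-bind step deliberately searches the user's own entry with scope base rather than anything wider: the only thing being tested is whether the bind succeeds, and the application account's credentials never touch the user-facing step.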

Setting up Shibboleth IdP with LDAP

I am attempting to use LDAP with Shibboleth. I am nearly there, but I cannot authenticate. I followed these instructions, and my login.config file contains the following:
ShibUserPassAuth {
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host="ldap://localhost:10389" base="ou=users,ou=system"
ssl="false" userField="uid";
};
I have tried several variations of the above.
I can use TestShib to reach my IdP's login page, but always receive "Login failed. Double-check your username and password" when I attempt to authenticate.
This might be easier to debug myself if I could manage to get any authentication log messages, but I can't seem to get those working either.
Note that the following ldapsearch command works perfectly fine:
ldapsearch -h "ldap.example.com:10389" -w testpass -x -D "uid=testuser,ou=users,ou=system" -b "dc=example,dc=com" '(objectclass=*)'
If you could tell me what my problem might be, or at least how to enable logging, that would be very helpful.
I have this working locally. I have taken my working config and replaced my LDAP host and base path with yours from the question above.
ShibUserPassAuth {
edu.vt.middleware.ldap.jaas.LdapLoginModule required
ldapUrl="ldap://localhost:10389"
baseDn="ou=users,ou=system"
userFilter="uid={0}";
};

ldap_mod_add() Modify: Server is unwilling to perform in

I want to use the ldap_mod_add command with SSL on CentOS but get the following error message:
PHP Warning: ldap_mod_add (): Modify: Server is unwilling to perform in ...
However, the SSL ldapsearch command works fine:
ldapsearch -x -H ldaps://winsvr.intra -b "dc=windows,dc=intra" -D "DOMAIN\user" -w "123456"
The required windows.pem file is at /etc/ssl/certs/windows.pem and the appropriate line is in /etc/openldap/ldap.conf.
I still get the above error message.
What else should I configure to work properly?
Updated:
Everything's OK. The problem was that I didn't recognize an existing AD user. That's why ldap_mod_add returned the above error message (it couldn't add the same AD user again through ldap_mod_add).
The LDAP client in your PHP example is apparently doing an update, whereas the ldapsearch tool is doing a search, not to put too fine a point on it. The configuration of the server, the nature of the target entries involved, and any access controls involved might affect the update but not the search.