Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Search problem on AD #2

Open
GoogleCodeExporter opened this issue Jun 21, 2015 · 6 comments
Open

Search problem on AD #2

GoogleCodeExporter opened this issue Jun 21, 2015 · 6 comments

Comments

@GoogleCodeExporter
Copy link

What version of the product are you using? On what operating system?
OpenVPN on Ubuntu Hardy 32 bits with auth-ldap-2.0.3 installed from source.

Attached file is the tree of what I see from my LDAP browser on the AD
server for domain dc=XXX,dc=ZZZ. Basically I got 2 different branches with
their own set of users (ou=YYY,dc=XXX,dc=ZZZ and ou=AAA,dc=XXX,dc=ZZZ). I
want to give access to users of both trees.

When I point my configuration pointing to a specific branch
ou=YYY,dc=XXX,dc=ZZZ I can authenticate users within this branch:

# auth-ldap configuration
<LDAP>
 URL ldap://AD_IP
 BindDN "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ"
 Password pass
 FollowReferrals no
</LDAP>

<Authorization>
 BaseDN "OU=YYY,DC=XXX,DC=YYY"
 SearchFilter "sAMAccountName=%u"
 RequireGroup false
</Authorization>

Here is the tethereal output of the LDAP traffic when a user log in:
1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
2 LDAP bindResponse(1) success 
3 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree 
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
5 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
6 LDAP bindResponse(1) success 
7 LDAP bindRequest(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 8
simple 
9 LDAP bindResponse(2) success 
10 LDAP unbindRequest(3) 
11 LDAP unbindRequest(3) 
12 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
13 LDAP bindResponse(1) success 
14 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree 
15 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
16 LDAP unbindRequest(3) 

I wonder why it search a 2nd time after validated my OpenVPN client user...
but that's not my problem. This work.

My problem start when I change the basedn to point to the root of my AD
structure to be able to let users of 2 branches authenticate. In my
configuration I just change
 BaseDN "DC=XXX,DC=YYY"

and here is the tethereal output:

1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
2 LDAP bindResponse(1) success 
3 LDAP searchRequest(2) "DC=XXX,DC=ZZZ" wholeSubtree 
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
5 LDAP bindRequest(4) "<ROOT>" simple 
6 LDAP bindResponse(4) success 
7 LDAP bindRequest(6) "<ROOT>" simple 
8 LDAP bindResponse(6) success 
9 LDAP bindRequest(8) "<ROOT>" simple 
10 LDAP bindResponse(8) success 
11 LDAP searchRequest(7) "CN=Configuration,DC=XXX,DC=ZZZ" wholeSubtree 
12 LDAP searchRequest(5) "DC=DomainDnsZones,DC=XXX,DC=ZZZ" wholeSubtree 
13 LDAP searchRequest(3) "DC=ForestDnsZones,DC=XXX,DC=ZZZ" wholeSubtree 
14 LDAP searchResDone(3) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
15 LDAP unbindRequest(9) 
16 LDAP searchResDone(7) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
17 LDAP searchResDone(5) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
18 LDAP unbindRequest(10) 
19 LDAP unbindRequest(11) 
20 LDAP unbindRequest(12) 

At line 4, it definitely find my user. But on line 5 it also try to bind
<ROOT>, which is something I don't know...
And after that it try to search in sub branches Windows Active Directory
that require higher privilege. Once it knocked out somewhere it refused to
try to bind my user and validated my VPN user.

Should auth-ldap took the found object, ignore failed search and try to
authenticate to that user?

thank you

Original issue reported on code.google.com by bruno.cl...@gmail.com on 25 Jun 2008 at 4:35

Attachments:

@GoogleCodeExporter
Copy link
Author

I've looked at the code and it's in searchWithFilter() in LFLDAPConnection.m 
calling
openldap's function ldap_search_ext_s()

The weird thing is, if I use openldap's ldapsearch(1), it work:

$ ldapsearch -h $ad_ip -D 'CN=ldapbrowser,CN=Users,dc=XXX,dc=YYY' -W -x -b
'dc=XXX,dc=YYY' 'samaccountname=bruno.clermont'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=XXX,dc=YYY> with scope subtree
# filter: samaccountname=bruno.clermont
# requesting: ALL
#

# Bruno Clermont, Users, YYY, XXX, ZZZ
dn: CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ
[and the content of the entry]

Original comment by bruno.cl...@gmail.com on 25 Jun 2008 at 6:16

@GoogleCodeExporter
Copy link
Author

I found the problem:

ldapsearch(1) (code at
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/clients/tools/ldapsearch.c) 
is
using ldap_search_ext(3) which is asynchronous while this plugin use the 
synchronous
ldap_search_ext_s(3).

Because of denied access by the AD server, ldap_search_ext_s(3) catch a
LDAP_OPERATIONS_ERROR while ldap_search_ext_s(3) get result and ignored those
sub-tree operations error.

The only possible bug fix for this issue is to move to the asynchronous search.

For me, I'll just ignore LDAP_OPERATIONS_ERROR.

Original comment by bruno.cl...@gmail.com on 25 Jun 2008 at 7:30

@GoogleCodeExporter
Copy link
Author

Original comment by landon.j.fuller@gmail.com on 7 Jul 2008 at 12:50

  • Changed state: Accepted

@GoogleCodeExporter
Copy link
Author

This calls for supporting search across multiple trees.

Original comment by landon.j.fuller@gmail.com on 26 Jul 2008 at 5:16

  • Added labels: Type-Enhancement
  • Removed labels: Priority-Medium, Type-Defect

@GoogleCodeExporter
Copy link
Author

Any patch for this? Without this feature its almost unusable for us.

Original comment by lacik...@gmail.com on 4 Nov 2010 at 6:39

@GoogleCodeExporter
Copy link
Author

You can use this SearchFilter for BaseDN "DC=XXX,DC=YYY":
SearchFilter "(&(objectCategory=person)(sAMAccountName=%u))"

or restrict to users from VPN group:
SearchFilter 
"(&(objectCategory=person)(sAMAccountName=%u)(memberOf=CN=VPN,OU=GGG,DC=XXX,DC=Y
YY))"

Original comment by yag...@gmail.com on 4 Aug 2011 at 10:29

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant