LDAP Authentication and organization filter for groups.

adriansluna
Posts: 3
Joined: 21 Jun 2017, 14:10

LDAP Authentication and organization filter for groups.

Post by adriansluna »

Hi

I am in the process of migrating the authentication method to a FreeIPA (389 DS) LDAP server for all of our applications (http://www.freeipa.org/page/Main_Page). We were using OpenDJ before with Mantis and it was working as we needed.

It fails to log in the moment I add "$g_ldap_organization" to filter by the group l_mantis.

We need this to centrally manage the users that can log in to Mantis and all of our applications.

Thanks in advance for your help, and if you need any more info I will provide it right away.

config_inc.php
$g_login_method = LDAP;
$g_use_ldap_email = ON;
$g_ldap_server = 'ldap://XXXXX.com.ar';
$g_ldap_root_dn = 'dc=XXXXX,dc=com,dc=ar';
$g_bind_dn = 'dc=XXXXX,dc=com,dc=ar';
$g_use_ldap_realname = ON;
$g_view_summary_threshold = DEVELOPER;

$g_ldap_protocol_version = 3;

### When adding this line, Mantis can't find the users.
$g_ldap_organization = '(memberOf=cn=l_mantis,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar)';

#### LDAP SEARCH FINDS THE USERS NEEDED USING THE SAME FILTER
[root@ipa ~]# ldapsearch -Y GSSAPI -b dc=XXXXX,dc=com,dc=ar -h ipa "(&(memberOf=cn=l_mantis,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar)(uid=usuario))"

SASL/GSSAPI authentication started
SASL username: host/ipa.XXXXX.com.ar@XXXXX.COM.AR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=XXXXX,dc=com,dc=ar> with scope subtree
# filter: (&(memberOf=cn=l_mantis,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar)(uid=usuario))
# requesting: ALL
#

# usuario, users, accounts, XXXXX.com.ar
dn: uid=usuario,cn=users,cn=accounts,dc=XXXXX,dc=com,dc=ar
memberOf: cn=l_accounts,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar
memberOf: cn=l_ssh,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar
memberOf: cn=l_root,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar
memberOf: cn=l_mantis,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar
memberOf: cn=l_nagios,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar
krbLastPwdChange: 20170615194311Z
krbPasswordExpiration: 20170615194311Z
displayName: usuario uno
uid: usuario
krbCanonicalName: usuario@XXXXX.COM.AR
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
initials: VP
gecos: usuario uno
sn: usuario
homeDirectory: /home/usuario
mail: usuario@XXXXX.com.ar
krbPrincipalName: usuario@XXXXX.COM.AR
givenName: usuario
cn: usuario uno
ipaUniqueID: ddfda460-5202-11e7-963f-080027f27745
uidNumber: 572400006
gidNumber: 572400006

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

#### MANTIS LDAP LOGS FOR FAILED AUTHENTICATION "WITH l_mantis GROUP"
2017-06-19 20:38 -03 ldap Binding to LDAP server
2017-06-19 20:38 -03 ldap Attempting connection to LDAP URI 'ldap://ipa.XXXXX.com.ar'.
2017-06-19 20:38 -03 ldap Connection accepted by LDAP server
2017-06-19 20:38 -03 ldap Setting LDAP protocol version to 3
2017-06-19 20:38 -03 ldap Attempting anonymous bind to ldap server
2017-06-19 20:38 -03 ldap Bind to ldap server successful
2017-06-19 20:38 -03 ldap Searching for (&(memberOf=cn=l_mantis,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar)(uid=usuario))
2017-06-19 20:38 -03 ldap No matching entries found
2017-06-19 20:38 -03 ldap Unbinding from LDAP server
2017-06-19 20:38 -03 ldap Authentication failed

#### FREEIPA (389 DS) LOGS FOR MANTIS AUTHENTICATION

### LOGIN FAILED WITH FILTER OF l_MANTIS
[19/Jun/2017:16:39:29.428644253 -0300] conn=17588 fd=68 slot=68 connection from 192.168.59.165 to 192.168.59.12
[19/Jun/2017:16:39:29.429057307 -0300] conn=17588 op=0 BIND dn="" method=128 version=2
[19/Jun/2017:16:39:29.429601466 -0300] conn=17588 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[19/Jun/2017:16:39:29.430102928 -0300] conn=17588 op=1 SRCH base="dc=XXXXX,dc=com,dc=ar" scope=2 filter="(&(memberOf=cn=l_mantis,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar)(uid=usuario))" attrs="uid distinguishedName"
[19/Jun/2017:16:39:29.430889329 -0300] conn=17588 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[19/Jun/2017:16:39:29.431183388 -0300] conn=17588 op=2 UNBIND
[19/Jun/2017:16:39:29.431204406 -0300] conn=17588 op=2 fd=68 closed - U1


### LOGIN SUCCESS WITHOUT FILTER OF l_MANTIS
[19/Jun/2017:17:10:04.732422746 -0300] conn=17719 fd=68 slot=68 connection from 192.168.59.165 to 192.168.59.12
[19/Jun/2017:17:10:04.732801220 -0300] conn=17719 op=0 BIND dn="" method=128 version=3
[19/Jun/2017:17:10:04.732905543 -0300] conn=17719 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[19/Jun/2017:17:10:04.733043697 -0300] conn=17719 op=1 SRCH base="dc=XXXXX,dc=com,dc=ar" scope=2 filter="(&(uid=usuario))" attrs="uid distinguishedName"
[19/Jun/2017:17:10:04.733593584 -0300] conn=17719 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[19/Jun/2017:17:10:04.733867339 -0300] conn=17719 op=2 BIND dn="uid=usuario,cn=users,cn=compat,dc=XXXXX,dc=com,dc=ar" method=128 version=3
[19/Jun/2017:17:10:04.734764901 -0300] conn=17719 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=usuario,cn=users,cn=accounts,dc=XXXXX,dc=com,dc=ar"
[19/Jun/2017:17:10:04.739012638 -0300] conn=17719 op=3 UNBIND
[19/Jun/2017:17:10:04.739025044 -0300] conn=17719 op=3 fd=68 closed - U1
[19/Jun/2017:17:10:04.737821229 -0300] conn=17720 fd=120 slot=120 connection from 192.168.59.165 to 192.168.59.12
[19/Jun/2017:17:10:04.738805714 -0300] conn=17720 op=0 BIND dn="" method=128 version=3
[19/Jun/2017:17:10:04.738973171 -0300] conn=17720 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[19/Jun/2017:17:10:04.739556359 -0300] conn=17720 op=1 SRCH base="dc=XXXXX,dc=com,dc=ar" scope=2 filter="(&(uid=usuario))" attrs="uid cn distinguishedName"
[19/Jun/2017:17:10:04.740190259 -0300] conn=17720 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[19/Jun/2017:17:10:04.740266011 -0300] conn=17720 op=2 UNBIND
[19/Jun/2017:17:10:04.740282312 -0300] conn=17720 op=2 fd=120 closed - U1
adriansluna
Posts: 3
Joined: 21 Jun 2017, 14:10

Re: LDAP Authentication and organization filter for groups.

Post by adriansluna »

Just one update.

The first tests were done with Mantis 1.2.19.

I did a new install with the latest version (2.5.1) on CentOS 7 and got the same results.

config_inc.php used in 2.5.1
<?php
$g_hostname = 'localhost';
$g_db_type = 'mysql';
$g_database_name = 'bugtracker';
$g_db_username = 'root';
$g_db_password = 'XXXXXX';

$g_default_timezone = 'UTC';

$g_crypto_master_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXX=';

$g_login_method = LDAP;
$g_use_ldap_email = ON;
$g_ldap_server = 'ldap://ipa.XXXXX.com.ar';
$g_ldap_root_dn = 'dc=tecnoaccion,dc=com,dc=ar';
$g_ldap_organization = '(memberOf=cn=l_mantis,cn=groups,cn=accounts,dc=XXXXX,dc=com,dc=ar)';
$g_bind_dn= 'dc=XXXXX,dc=com,dc=ar';
$g_use_ldap_realname = ON;


#$g_display_error= DISPLAY_ERROR_NONE;
adriansluna
Posts: 3
Joined: 21 Jun 2017, 14:10

Re: LDAP Authentication and organization filter for groups.

Post by adriansluna »

Just to update the issue with the solution.

FreeIPA / 389 DS doesn't allow the search of memberOf by anonymous binding. My previous directory does allow this anonymous search by default.

You can do:
* Bind with a user that has the rights to do the required search. This one worked for me.
$g_ldap_bind_dn = 'uid=admin,cn=users,cn=accounts,dc=XXXXX,dc=com,dc=ar';
$g_ldap_bind_passwd = 'XXXXXXXX';

* Change permissions in FreeIPA to allow that search to be anonymous. I still have to try it, but it's the same issue.

Example:
$ ipa permission-mod 'System: Read User Membership' --bindtype=anonymous
--------------------------------------------------
Modified permission "System: Read User Membership"
--------------------------------------------------
Permission name: System: Read User Membership
Granted rights: read, compare, search
Effective attributes: memberof
Default attributes: memberof
Bind rule type: anonymous
Subtree: cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
Type: user

Thanks anyway.
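Added example, not code from the thread or from MantisBT: a small Python check that scans 389 DS access-log lines for the exact symptom described above (an anonymous BIND followed by a SRCH whose filter uses memberOf and whose RESULT has nentries=0), so the "group filter finds nobody" failure can be spotted on the directory side without re-running the login. The sample log is constructed and modelled on the lines in the thread; the base DN, connection ids and the service account uid=svc-mantis are placeholders.

```python
import re

# Constructed sample modelled on the 389 DS access-log lines in the thread
# (timestamps, connection ids, base DN and service account are made up).
ACCESS_LOG = """\
[19/Jun/2017:16:39:29.429 -0300] conn=17588 op=0 BIND dn="" method=128 version=3
[19/Jun/2017:16:39:29.429 -0300] conn=17588 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[19/Jun/2017:16:39:29.430 -0300] conn=17588 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(memberOf=cn=l_mantis,cn=groups,cn=accounts,dc=example,dc=com)(uid=usuario))" attrs="uid distinguishedName"
[19/Jun/2017:16:39:29.430 -0300] conn=17588 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[19/Jun/2017:16:39:29.431 -0300] conn=17588 op=2 UNBIND
[19/Jun/2017:17:10:04.732 -0300] conn=17719 op=0 BIND dn="uid=svc-mantis,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[19/Jun/2017:17:10:04.732 -0300] conn=17719 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc-mantis,cn=users,cn=accounts,dc=example,dc=com"
[19/Jun/2017:17:10:04.733 -0300] conn=17719 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(memberOf=cn=l_mantis,cn=groups,cn=accounts,dc=example,dc=com)(uid=usuario))" attrs="uid distinguishedName"
[19/Jun/2017:17:10:04.733 -0300] conn=17719 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[19/Jun/2017:17:10:04.739 -0300] conn=17719 op=2 UNBIND
"""

# One access-log line: timestamp, conn, op, operation keyword, remainder.
LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
FILTER_RE = re.compile(r'filter="([^"]*)"')
NENTRIES_RE = re.compile(r'nentries=(\d+)')


def find_anonymous_memberof_misses(log_text):
    """Return one finding per search that ran over an anonymous bind, filtered on
    memberOf and returned no entries: the pattern seen when 389 DS / FreeIPA
    does not let anonymous clients read memberOf."""
    bind_dn = {}   # conn -> DN of the last BIND on that connection ("" = anonymous)
    pending = {}   # (conn, op) -> filter of a SRCH still waiting for its RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:   # "connection from" / "closed" lines carry no op=, skip them
            continue
        conn, op, kind, rest = m['conn'], m['op'], m['kind'], m['rest']
        if kind == 'BIND':
            bind_dn[conn] = DN_RE.search(rest).group(1)
        elif kind == 'SRCH':
            pending[(conn, op)] = FILTER_RE.search(rest).group(1)
        elif kind == 'RESULT' and (conn, op) in pending:
            flt = pending.pop((conn, op))
            nentries = int(NENTRIES_RE.search(rest).group(1))
            if bind_dn.get(conn, '') == '' and 'memberof=' in flt.lower() and nentries == 0:
                findings.append({'conn': conn, 'filter': flt})
    return findings


if __name__ == '__main__':
    for f in find_anonymous_memberof_misses(ACCESS_LOG):
        print(f"conn={f['conn']}: anonymous bind, memberOf filter, 0 entries -> {f['filter']}")
```

The same search succeeds on conn 17719 only because it runs under an authenticated bind, which is why it yields no finding; that is the difference between the two configurations discussed in the thread.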