Hi Carter,
thanks for testing again.
Alas, I still don't catch why only the first lookup results in
942013: 18:33:07.639 0/4f7c8606: 172.19.19.205 TACMEMBER (len: 17):
"alldevices-exec"
942013: 18:33:07.639 0/4f7c8606: 172.19.19.205 MEMBEROF (len: 451):
"cn=xxxx,ou=xyzgroups,dc=mydomain,dc=net","cn=xxxx,ou=xyzgroups,dc=mydomain,dc=net","cn=xxxx,ou=xyzgroups,dc=mydomain,dc=net","cn=xxxx,ou=xyzgroups,dc=mydomain,dc=net","cn=xxxx,ou=xyzgroups,dc=mydomain,dc=net","cn=xxxx,ou=xyzgroups,dc=mydomain,dc=net","cn=xxxx,ou=xyzgroups,dc=mydomain,dc=net"
and the second lookup doesn't. Could you please set the environment
variables in shell context and then run both
printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" |
/path/to/
mavis_tacplus-ng_ldap.pl
and
printf "0 TACPLUS\n4 $USER\n49 INFO\n=\n" |
/path/to/
mavis_tacplus-ng_ldap.pl
Both should return the very same memberof attributes.
Thanks,
Marc
On 06.05.2024 21:00, Carter wrote:
> Marc,
> My mistake, I set the debug level for tac_plus-ng instead of spawnd.
> The debug value you suggested didn't show AV pairs, so I set it to
> "debug = ALL -PARSE -HEX".
> New logs are attached.
>
> In the successful authentication attempt, the queried user's groups
> are listed under the MEMBEROF and TACMEMBER AV pairs. In the packet
> capture these are not actually returned in the queried user's
> attributes (neither for the successful attempt nor the failed ones),
> so my understanding is that these are parsed from the subsequent LDAP
> group query based on the "groups filter" and "memberof filter"
> configuration options and inserted into the list of AV pairs by the
> LDAP backend script during processing.
>
> After the mavis cache expires, the AV pairs in the debug output don't
> show the MEMBEROF or TACMEMBER AV pairs. In the packet capture, both
> on the successful attempt and the failed attempt, the backend script
> makes an LDAP request using the LDAP_FILTER_GROUP format:
> "(&(objectClass=xyzgroup)(member=uid=cmerrill,ou=employees,dc=mydomain,dc=net))"
> and receives a list of group DNs in response. My best guess is that
> the group membership data is getting inserted into the user's AV pairs
> by the backend script on the first authentication, but not on
> subsequent authentication attempts after the mavis cache expires.
>
> Thanks,
> Carter
>
> On Monday, May 6, 2024 at 12:13:48 PM UTC-4 Marc Huber wrote:
>
> Hi Carter,
>
> what debug level was set for your test? This
>
> > 940339: 14:20:24.288 0/6b9e0eb8: 172.19.19.205 looking for user
> carter
> > in MAVIS backend
> > 940339: 14:20:24.381 0/6b9e0eb8: 172.19.19.205 result for user
> carter
> > is ACK
> > 940339: 14:20:24.381 0/6b9e0eb8: 172.19.19.205 evaluating ACL
> mainrule
>
> doesn't show the "user found by MAVIS backend, av pairs:" that I'd
> expect so see. 4195106 isn't a random number, but equals to 4194304
> (DEBUG_TACTRACE_FLAG) + 802 (a summary of other flags). Please retry
> your tests with a debug value of "-1".
>
> Cheers,
>
> Marc
>
>
> On 06.05.2024 16:50, Carter wrote:
> > Marc,
> > Attached are the debug logs with debug level set to 4195106. One
> thing
> > of note, I needed to modify the
mavis_tacplus-ng_ldap.pl
> <
http://mavis_tacplus-ng_ldap.pl> to comment
> > this part out:
> >
> > #my $vendor =
> $ldap->root_dse->get_value('vendorname');
> > #if (defined($vendor) && $vendor =~ /389
> Project/ &&
> > $#LDAP_BIND < 0) {
> > # printf STDERR "The 389 directory server
> will
> > not return the memberOf attribute for anonymous binds. " .
> > # "Please set the LDAP_USER and
> > LDAP_PASSWD environment variables.\n";
> > #}
> >
> >
> > Before commenting this out, I was getting this error: "Can't call
> > method "get_value" on an undefined value at
> > /usr/local/lib/mavis/
mavis_tacplus-ng_ldap.pl
> <
http://mavis_tacplus-ng_ldap.pl> line 319, <> chunk 1."
> >
> > Thanks,
> > Carter
> >
>
> --
> You received this message because you are subscribed to the Google
> Groups "Event-Driven Servers" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
event-driven-ser...@googlegroups.com.
> To view this discussion on the web visit
>
https://groups.google.com/d/msgid/event-driven-servers/169039db-c8e3-4a1a-a520-2c7185d0ebben%40googlegroups.com
> <
https://groups.google.com/d/msgid/event-driven-servers/169039db-c8e3-4a1a-a520-2c7185d0ebben%40googlegroups.com?utm_medium=email&utm_source=footer>.