Tac_plus-ng Can not find group


Sergio Gomez Ramirez

Aug 23, 2023, 12:36:31 PM
to Event-Driven Servers
Hi Marc,

I am trying to use tac_plus-ng but I cannot log in because it doesn't match the users' groups. This is my config:

        mavis module = groups {
            memberof filter = /^cn=red_/
            script out {
                    # copy the already filtered UNIX group access list to TACMEMBER
                    eval $MEMBEROF =~ /^cn=red_.*$/
                    set $TACMEMBER = $1
            }
        }

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "generic"
                setenv LDAP_HOSTS = "ldap://10.0.193.129:389"
                setenv LDAP_CONNECT_TIMEOUT = 3
                setenv LDAP_FILTER_CHPW = "(uid=%s)"
                setenv LDAP_BASE = "cn=accounts,dc=satm,dc=maqtor"
                setenv LDAP_FILTER = "(&(objectclass=posixaccount)(uid=%s))" #"(uid=%s)"
                setenv FLAG_CHPW = 1
                setenv FLAG_USE_ALIAS = 0
                setenv FLAG_USE_MEMBEROF = 1
                setenv LDAP_MEMBEROF_REGEX = "^cn=red_([^,]+),cn=groups.*"
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                setenv TACACS_GROUP_PREFIX = red_
                exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
        }

and this is the output of mavistest


Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-740465-1692808161-0
USER                sgomezr
PASSWORD            s3rg1088
TACTYPE             AUTH

0/line 92: [<unknown>] $MEMBEROF <pcre-regex> '^cn=red_.*$' => false
0/line 93: [set] TACMEMBER = ""

Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-740465-1692808161-0
USER                sgomezr
DN                  uid=sgomezr,cn=users,cn=accounts,dc=satm,dc=maqtor
RESULT              ACK
PASSWORD            s3rg1088
UID                 546250500
GID                 546250500
HOME                /home/sgomezr
SERIAL              29FLT7lI+p3Aih655tQiMg=
IDENTITY_SOURCE     1
TACMEMBER
TACTYPE             AUTH
PASSWORD_ONESHOT    1
SHELL               /bin/sh

As you can see, the mavistest output doesn't show MEMBEROF.

I hope you can help me
Regards.

Marc Huber

Aug 23, 2023, 12:58:00 PM
to event-driv...@googlegroups.com

Hi,

please try without the "groups" module (this isn't needed in your case, plus your memberof filter is case-sensitive).

If that doesn't work: Please post the ldapsearch output for your user.

Please don't post potentially valid username-password pairs.

Cheers,

Marc

--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/9fff3584-7dbc-4e0d-9f21-88b9eb1e3fdan%40googlegroups.com.

Sergio Gomez Ramirez

Aug 24, 2023, 4:33:24 AM
to Event-Driven Servers
Hi Marc,

Thanks for your advice.

This is the mavistest output after removing the "groups" module:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-748543-1692864928-0
USER                userid
PASSWORD            pass
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-748543-1692864928-0
USER                userid
DN                  uid=userid,cn=users,cn=accounts,dc=example,dc=com
RESULT              ACK
PASSWORD            pass
UID                 546250500
GID                 546250500
HOME                /home/userid
SERIAL              wAhTDRqoz8sStxH2A2bL7Q=
IDENTITY_SOURCE     0

TACTYPE             AUTH
PASSWORD_ONESHOT    1
SHELL               /bin/sh

I still cannot see the MEMBEROF attribute-value pair, so this is the ldapsearch output:

[root@ipa1 ~]# ldapsearch -u uid=userid
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=userid
# requesting: ALL
#

# userid, users, compat, example.com
dn: uid=userid,cn=users,cn=compat,dc=example,dc=com
ufn: userid, users, compat, example.com
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: name lastname
cn: name lastname
uidNumber: 546250500
gidNumber: 546250500
loginShell: /bin/sh
homeDirectory: /home/userid
ipaAnchorUUID:: OklQQTpzYXRtLm1hcXRvcjowNjY2MDczNC1lZjQyLTExZWQtOGFkZS01NjZmN2
 NhNzAwY2M=
uid: userid

# userid, users, accounts, example.com
dn: uid=userid,cn=users,cn=accounts,dc=example,dc=com
ufn: userid, users, accounts, example.com
memberOf: cn=userid,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=red_test-l2,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=red_test-l3,cn=groups,cn=accounts,dc=example,dc=com
krbLoginFailedCount: 0
krbLastFailedAuth: 20230527171637Z
krbExtraData:: AAKR5WRkc2dvbWV6ckBTQVRNLk1BUVRPUgA=
krbPasswordExpiration: 20230815143249Z
krbLastPwdChange: 20230517143249Z
krbLastAdminUnlock: 20230220120540Z
sn: lastname
givenName: name
mail: use...@example.com
uid: userid
gecos: name lastname
gidNumber: 546250500
initials: sg
uidNumber: 546250500
homeDirectory: /home/userid
loginShell: /bin/sh
objectClass: krbprincipalaux
objectClass: posixaccount
objectClass: top
objectClass: ipasshgroupofpubkeys
objectClass: organizationalperson
objectClass: inetuser
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: inetorgperson
objectClass: ipasshuser
objectClass: person
krbCanonicalName: use...@example.com
cn: name lastname
displayName: name lastname
krbPrincipalName: use...@example.com
ipaUniqueID: 06660734-ef42-11ed-8ade-566f7ca700cc
krbPwdPolicyReference: cn=ipausers,cn=example.com,cn=kerberos,dc=example,dc=maqto
 r

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Regards
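The memberOf-to-TACMEMBER mapping this thread is about, as an added example that is not part of the original posts or of the MAVIS backend scripts: a small Python reimplementation that parses an LDIF entry like the ldapsearch output above (comments, folded continuation lines, base64 values), treats attribute names case-insensitively, and applies the LDAP_MEMBEROF_REGEX from the configuration in the first post. The sample LDIF, the function names and the base64 value are constructed for this example; the third memberOf line is deliberately spelled "memberof: CN=red_..." to show what a case-sensitive filter such as the "/^cn=red_/" memberof filter in the first post would drop.

```python
import base64
import re

# Regex from the mavis configuration posted in this thread
LDAP_MEMBEROF_REGEX = r"^cn=red_([^,]+),cn=groups.*"

# Constructed LDIF entry modelled on the ldapsearch output above (not real data).
# The third memberOf line uses an upper-case attribute name and DN prefix on
# purpose: LDAP attribute names and DN attribute types are case-insensitive,
# so a correct consumer has to accept both spellings.
SAMPLE_LDIF = """\
# userid, users, accounts, example.com
dn: uid=userid,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=userid,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=red_test-l2,cn=groups,cn=accounts,dc=example,dc=com
memberof: CN=red_test-l3,cn=groups,cn=accounts,dc=example,dc=com
description:: aGVsbG8gd29ybGQ=
krbPwdPolicyReference: cn=ipausers,cn=example.com,cn=kerberos,dc=example,dc=co
 m
uid: userid
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute_name_lowercased: [values]}.

    Handles comment lines, folded continuation lines (leading space) and
    base64 values ("attr:: b64").  Attribute names are lower-cased because
    LDAP treats them case-insensitively; this is exactly the detail that
    bites when a directory returns 'memberof' instead of 'memberOf'.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entry = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def memberof_to_tacmember(entry, regex=LDAP_MEMBEROF_REGEX, ignore_case=True):
    """Map memberOf DNs to TACMEMBER group names via the regex capture group.

    With ignore_case=False the behaviour of a case-sensitive filter is
    reproduced: a DN starting with 'CN=red_' is silently dropped.
    """
    pattern = re.compile(regex, re.IGNORECASE if ignore_case else 0)
    groups = []
    for dn in entry.get("memberof", []):
        match = pattern.match(dn)
        if match:
            groups.append(match.group(1))
    return groups


def format_av(name, values):
    """Render an attribute-value pair the way mavistest prints it,
    e.g. TACMEMBER           "test-l2","test-l3" (name padded to 20 columns)."""
    return f"{name:<20}" + ",".join(f'"{v}"' for v in values)


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(format_av("MEMBEROF", entry["memberof"]))
    print(format_av("TACMEMBER", memberof_to_tacmember(entry)))
    print(format_av("TACMEMBER", memberof_to_tacmember(entry, ignore_case=False)))
```

Two things worth checking in your own configuration against this: the "groups" module in the first post captures nothing, because the expression "/^cn=red_.*$/" has no parenthesised group, so "$1" is always empty even when memberOf is present; and the only part of the chain that should be case-sensitive is the value you hand to the TACACS+ policy, not the attribute name or the DN prefix.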

Marc Huber

Aug 24, 2023, 10:53:44 AM
to event-driv...@googlegroups.com

Hi Sergio,

could you please git pull and retry? 106edcf579fd6de4f46b31149c79ed412eca8ed7 fixes a possible issue in the backend script with memberOf being all-lowercase.

Thanks,

Marc

Sergio Gomez Ramirez

Aug 25, 2023, 6:08:13 AM
to Event-Driven Servers
Hi Marc,

Yesterday I installed the new version, but I have the same issue. This is the mavistest output:

mavistest /etc/tac_plus-ng/tac_plus-ng.cfg tac_plus-ng TACPLUS userid pass

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-763931-1692957626-0

USER                userid
PASSWORD            pass
TACTYPE             AUTH

Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-763931-1692957626-0

USER                userid
DN                  uid=userid,cn=users,cn=accounts,dc=example,dc=com
RESULT              ACK
PASSWORD            pass
UID                 546250500
GID                 546250500
HOME                /home/userid
SERIAL              Z0nJA6OMP7xintZBHFghYw=

IDENTITY_SOURCE     0
TACTYPE             AUTH
PASSWORD_ONESHOT    1
SHELL               /bin/sh


Thanks,
Sergio

Sergio Gomez Ramirez

Aug 25, 2023, 6:39:54 AM
to Event-Driven Servers
Also, I have been trying with LDAP attributes and I had the same output.

setenv LDAP_BASE_GROUP = "cn=groups,cn=accounts,dc=example,dc=com"
setenv LDAP_FILTER_GROUP = "(&(objectclass=posixgroup)(member=%s))"



Marc Huber

Aug 25, 2023, 8:22:02 AM
to event-driv...@googlegroups.com
Hi Sergio,

I still can't reproduce this. What LDAP server type is that, exactly? I don't see this issue with OpenLDAP or AD.

Thanks,

Marc

Sergio Gomez Ramirez

Aug 25, 2023, 10:44:50 AM
to Event-Driven Servers
Hi,

I am working with FreeIPA, and with legacy tac_plus it works fine, but I have other issues that you resolved with tac_plus-ng.

Thanks

Sergio Gomez Ramirez

Aug 25, 2023, 10:51:56 AM
to Event-Driven Servers
This is the mavistest output of legacy tac_plus:

[root@tacacs2 ~]# mavistest /etc/tac_plus.d/tac_plus.conf tac_plus TACPLUS userid pass

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-1512848-1692974911-0

USER                userid
PASSWORD            pass
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
MEMBEROF            "cn=red_test_l2,cn=groups,cn=accounts,dc=example,dc=com","cn=red_l2_admin,cn=groups,cn=accounts,dc=example,dc=com"
TIMESTAMP           mavistest-1512848-1692974911-0

USER                userid
DN                  uid=userid,cn=users,cn=accounts,dc=example,dc=com
RESULT              ACK
PASSWORD            pass
SERIAL              2U7i0/EVOUFXejs9MYzXgQ=
IDENTITY_SOURCE     0
TACMEMBER           "test_l2"
TACTYPE             AUTH

Thanks

Marc Huber

Aug 25, 2023, 1:43:32 PM
to event-driv...@googlegroups.com

Hi Sergio,

mavistest just looks for the first "mavis" keyword and starts parsing there, no matter whether the configuration is for tac_plus or tac_plus-ng.

So this is really an issue with mavis_tacplus_ldap.pl vs. mavis_tacplus-ng_ldap.pl where the latter doesn't return group membership? Are both scripts from the current GIT or is mavis_tacplus_ldap.pl an earlier version?

Thanks,

Marc


Marc Huber

Aug 25, 2023, 3:25:21 PM
to event-driv...@googlegroups.com
Hi Sergio,

On 25.08.2023 16:44, Sergio Gomez Ramirez wrote:
> I am working with FreeIPA, and with legacy tac_plus I am working fine,
> but i have others issues, that you resolved with tac_plus-ng.

according to

https://access.redhat.com/solutions/467063

your FreeIPA/389 Directory Server will not return the memberOf attribute
for anonymous binds.

Cheers,

Marc


Sergio Gomez Ramirez

Aug 28, 2023, 4:01:59 AM
to Event-Driven Servers
Hi Marc,

Now I am working with an earlier version of mavis_tacplus_ldap.pl on one TACACS server, and with the latest version of mavis_tacplus-ng_ldap.pl on another TACACS server, but I am also working with the same version on both tac_plus servers. The LDAP server is the same for both.

I couldn't understand the last answer about my FreeIPA not returning the memberOf attribute, because it does with legacy tac_plus.

Thanks
Sergio

Sergio Gomez Ramirez

Aug 28, 2023, 10:11:44 AM
to Event-Driven Servers
Hi Marc,

I have forced it to use LDAP_USER with the user DN and I can see memberOf. This is the config:

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"

                setenv LDAP_HOSTS = "ldap://10.0.193.129:389"
                setenv LDAP_CONNECT_TIMEOUT = 3
                setenv LDAP_USER = "uid=userbind,cn=users,cn=accounts,dc=example,dc=com"
                setenv LDAP_PASSWD = "passbind"
                setenv LDAP_FILTER_CHPW = "(uid=%s)"
                setenv LDAP_BASE = "cn=accounts,dc=example,dc=com"

                setenv LDAP_FILTER = "(&(objectclass=posixaccount)(uid=%s))" #"(uid=%s)"
                setenv LDAP_BASE_GROUP = "cn=groups,cn=accounts,dc=example,dc=com"
                setenv LDAP_FILTER_GROUP = "(&(objectclass=posixgroup)(memberOf=%s))"

                setenv FLAG_CHPW = 1
                setenv FLAG_USE_ALIAS = 0
                setenv FLAG_USE_MEMBEROF = 1
                setenv LDAP_MEMBEROF_REGEX = "^cn=red_([^,]+),cn=groups.*"
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                setenv TACACS_GROUP_PREFIX = red_
                exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
        }

And this is the mavistest output:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-802911-1693230092-0
USER                userid
PASSWORD            passwd

TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
MEMBEROF            "cn=red_test_l2,cn=groups,cn=accounts,dc=example,dc=com","cn=red_l2_admin,cn=groups,cn=accounts,dc=example,dc=com"
TIMESTAMP           mavistest-802911-1693230092-0

USER                userid
DN                  uid=userid,cn=users,cn=accounts,dc=example,dc=com
RESULT              ACK
PASSWORD            passwd

UID                 546250500
GID                 546250500
HOME                /home/userid
SERIAL              E+yBGLiEZK4nndsoMM3pUQ=
IDENTITY_SOURCE     0
TACMEMBER           "test_l2","l2_admin"

TACTYPE             AUTH
PASSWORD_ONESHOT    1
SHELL               /bin/sh

Now I have another issue (jajaja): apply ACL denied by default.

Thank you very much for your help.
Regards

Marc Huber

Aug 28, 2023, 11:57:07 AM
to event-driv...@googlegroups.com

Hi Sergio,

389 DS has never been on the supported list, only OpenLDAP and AD are. mavis_tacplus_ldap.pl binds to LDAP after searching for the user DN and then retrieves the user attributes, so memberOf is included at authentication time. However, it's not granted that an LDAP authorization request without prior authentication (and that can happen easily without TACACS+ single-connection) would be able to retrieve that attribute.

mavis_tacplus-ng_ldap.pl retrieves the attributes before binding as the user, but will bind anonymously or, if provided, as LDAP_USER. A non-anonymous bind guarantees that memberOf is available. Plus, this method saves one LDAP request.

Cheers,

Marc
