tac_plus-ng with Mavis LDAP backend: group validation without memberOf overlay


Jan Kayser

Sep 20, 2023, 1:32:12 AM
to Event-Driven Servers
The LDAP server I am using does not have the memberOf overlay enabled.
There are however AccountGroups attributes under every user with the group names the user belongs to. And there are also group objects with member attributes listing the DN of the users.

dn: uid=user1,ou=Users,dc=sample,dc=net
objectClass: inetOrgPerson
AccountActive: TRUE
AccountGroups: group1
AccountGroups: group2

dn: cn=group1,ou=Groups,dc=sample,dc=net
objectClass: groupOfURLs
member: uid=user1,ou=Users,dc=sample,dc=net
member: uid=user2,ou=Users,dc=sample,dc=net

How can I validate to which group a user belongs in the ruleset without using the memberOf overlay?
The following only works with groups configured in the config file:
ruleset {
    rule assign-groups {
        enabled = yes
        script {
            if (group == group1) {
                profile = profile-group1
                permit
            }
        }
    }
}

There are LDAP_BASE_GROUP and LDAP_FILTER_GROUP envs which seem to be useful for this purpose, but I couldn't find any
information on how this could then be used in ruleset validations.

Marc Huber

Sep 20, 2023, 12:12:09 PM
to event-driv...@googlegroups.com
Hi Jan,

I'll push a commit that should suit your use case in a couple of
minutes. That change will implement support for two new environment
variables:

setenv $LDAP_TACMEMBER = "AccountGroups"
setenv $LDAP_TACMEMBER_MAP_OU = "true"

Changing LDAP_FILTER_GROUP should be sufficient to search for
groupOfURLs. In that case, the DNs of the groups found should be
accessible to scripts as memberof values:

    if (memberof =~ /^cn=group1,ou=Groups,dc=sample,dc=net$/) ...

Your LDAP setup looks pretty unusual, least to say. I've no idea whether
these changes will work, and my usual recommendation is to either use
tactrace.pl for testing or to set the environment variables in the
current shell and then run

printf "0 TACPLUS\n4 user01\n8 password01\n49 AUTH\n=\n" |
./mavis_tacplus-ng_ldap.pl

to have a look at the backend AV pairs.

Cheers,

Marc
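The two membership sources from the question (the user's AccountGroups values versus the member lists of the groupOfURLs objects) and the memberof regex check from Marc's reply, worked through as an added example. This is illustrative Python, not the Mavis backend's own code: it assumes LDAP_BASE_GROUP is ou=Groups,dc=sample,dc=net, assumes that mapping a group name to a DN means prefixing cn=<name>, and constructs the sample entries inline from the ones posted above (with a deliberate inconsistency for user2, so the cross-check has something to report).

```python
import re
from collections import defaultdict

# Constructed sample directory, based on the entries in the question.
# user2 is deliberately listed in AccountGroups for group2 without being a
# member of the group2 object, so the two membership views disagree for it.
SAMPLE_LDIF = """\
dn: uid=user1,ou=Users,dc=sample,dc=net
objectClass: inetOrgPerson
AccountActive: TRUE
AccountGroups: group1
AccountGroups: group2

dn: uid=user2,ou=Users,dc=sample,dc=net
objectClass: inetOrgPerson
AccountActive: FALSE
AccountGroups: group1
AccountGroups: group2

dn: cn=group1,ou=Groups,dc=sample,dc=net
objectClass: groupOfURLs
member: uid=user1,ou=Users,dc=sample,dc=net
member: uid=user2,ou=Users,dc=sample,dc=net

dn: cn=group2,ou=Groups,dc=sample,dc=net
objectClass: groupOfURLs
member: uid=user1,ou=Users,dc=sample,dc=net
"""

# Assumed value of LDAP_BASE_GROUP for this sample directory.
GROUP_BASE = "ou=Groups,dc=sample,dc=net"


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attribute: [values]}}.
    Attribute names are lowercased because LDAP attribute names are
    case-insensitive; values are kept as written."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = dict(attrs)
    return entries


def groups_from_attribute(entries, user_dn):
    """Membership as the user entry states it (the AccountGroups attribute),
    mapped to group DNs under GROUP_BASE (assumed mapping, cn=<name>,<base>)."""
    names = entries[user_dn].get("accountgroups", [])
    return sorted(f"cn={name},{GROUP_BASE}" for name in names)


def groups_from_member(entries, user_dn):
    """Membership as the group objects state it: every groupOfURLs entry whose
    member attribute contains the user's DN."""
    return sorted(
        dn for dn, attrs in entries.items()
        if "groupofurls" in [v.lower() for v in attrs.get("objectclass", [])]
        and user_dn in attrs.get("member", [])
    )


def consistency_report(entries, user_dn):
    """Group DNs present in one membership source but not the other. Both
    lists empty means the two views agree, which is what an authorization
    decision based on either of them silently relies on."""
    by_attr = set(groups_from_attribute(entries, user_dn))
    by_member = set(groups_from_member(entries, user_dn))
    return {
        "only_in_attribute": sorted(by_attr - by_member),
        "only_in_member": sorted(by_member - by_attr),
    }


# Same anchored pattern as the memberof check in the reply above.
GROUP1_RE = re.compile(r"^cn=group1,ou=Groups,dc=sample,dc=net$")


def evaluate_rule(entries, user_dn):
    """Mirror the ruleset logic: an active account whose memberof values
    match group1 gets ('permit', 'profile-group1'); anything else is denied,
    including unknown users and accounts with AccountActive != TRUE."""
    attrs = entries.get(user_dn)
    if attrs is None or attrs.get("accountactive", ["FALSE"])[0].upper() != "TRUE":
        return ("deny", None)
    memberof = groups_from_attribute(entries, user_dn)
    if any(GROUP1_RE.match(g) for g in memberof):
        return ("permit", "profile-group1")
    return ("deny", None)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for uid in ("user1", "user2"):
        dn = f"uid={uid},ou=Users,dc=sample,dc=net"
        print(dn, evaluate_rule(directory, dn), consistency_report(directory, dn))
```

The cross-check is the part worth keeping around: when a ruleset grants a profile based on one of the two membership sources, a periodic comparison of the AccountGroups view against the member view catches stale or mismatched entries before they turn into an unexpected permit or deny.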

Jan Kayser

Sep 25, 2023, 8:32:15 PM
to Event-Driven Servers
Hi Marc,

You are right that the setup is a bit unconventional; I went with enabling the memberof overlay on a dedicated LDAP server for Tacacs.
But thank you for the quick reply and workaround, maybe it will help someone else :)

Regards,
Jan
