issues with freeldap locating groups


Tammy Firefly

Sep 6, 2025, 12:45:40 AM (6 days ago) Sep 6
to Event-Driven Servers
Hi,
I am running tac_plus-ng against a FreeIPA server. Long story short, tac_plus-ng can't find the groups; here's a config file snippet:

mavis module = external {
    # Set environment variables for LDAP connection
    setenv LDAP_SERVER_TYPE = "openldap"
    setenv LDAP_HOSTS = "ldap://10.10.1.70:389"
    setenv LDAP_BASE = "cn=accounts,dc=mgmt,dc=*removed*,dc=com"
    setenv LDAP_BINDDN = "uid=tacacs-server,cn=sysaccounts,cn=etc,dc=mgmt,dc=*removed*,dc=com"
    setenv LDAP_BINDPW = "*removed*"
    setenv REQUIRE_TACACS_GROUP_PREFIX = 0
    setenv LDAP_FILTER = "(uid=%s)"
  
    setenv LDAP_BASE_GROUP = "cn=groups,cn=accounts,dc=mgmt,dc=*removed*,dc=com"
    setenv LDAP_FILTER_GROUP = "(&(objectclass=posixgroup)(memberOf=%s))"
    # Optional: setenv REQUIRE_TACACS_GROUP_PREFIX = 0
    # Do NOT set USE_TLS unless you are sure; see notes below
    exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
  }
here's a mavistest output:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-14750-1757103971-0
USER                *removed*
PASSWORD            *removed*
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-14750-1757103971-0
USER                *removed*
DN                  uid=*removed*,cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
RESULT              ACK
PASSWORD            *removed*
UID                 30200003
GID                 30200003
HOME                /home/*removed*
SERIAL              *removed*
IDENTITY_SOURCE     0
TACTYPE             AUTH
PASSWORD_ONESHOT    1
SHELL               /bin/bash

I found an email in the legacy group about this issue with an example, but I cannot get it working.

Does anyone have a working example config?

Thanks

--Tammy

Marc Huber

Sep 6, 2025, 8:21:34 AM (6 days ago) Sep 6
to event-driv...@googlegroups.com

Hi,

LDAP_BINDDN and LDAP_BINDPW aren't recognized variables. Also, auto-detecting the server type should work with the 389 Project LDAP server, so setting

    setenv LDAP_HOSTS = "ldap://10.10.1.70:389"
    setenv LDAP_BASE = "cn=accounts,dc=mgmt,dc=*removed*,dc=com"

    setenv LDAP_USER = "uid=tacacs-server,cn=sysaccounts,cn=etc,dc=mgmt,dc=*removed*,dc=com"
    setenv LDAP_PASSWD = "*removed*"

looks quite sufficient.

(Subject changed from "freeldap" to "freeipa" to avoid confusion)

Cheers,

Marc

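The mistake in the original snippet is easy to make: the module silently ignores `setenv` names it does not read, so the bind credentials given as `LDAP_BINDDN`/`LDAP_BINDPW` never reach the LDAP code. The following small lint, an added example and not part of the thread or of tac_plus-ng, parses the `setenv` lines of a `mavis module = external { ... }` block, flags the two names the reply identifies as unrecognized, and rewrites them to `LDAP_USER`/`LDAP_PASSWD`. The set of recognized names is taken from the variables that appear in this thread only and is assumed not to be exhaustive; the sample configuration is constructed from the original post with placeholder values.

```python
import re

# Variable names seen in this thread that the external LDAP module reads.
# Assumption: this set is limited to names that appear on the page and is
# not the module's complete list.
RECOGNIZED = {
    "LDAP_SERVER_TYPE", "LDAP_HOSTS", "LDAP_BASE", "LDAP_USER", "LDAP_PASSWD",
    "LDAP_FILTER", "LDAP_BASE_GROUP", "LDAP_FILTER_GROUP",
    "REQUIRE_TACACS_GROUP_PREFIX", "USE_TLS",
}

# Names from the original post that are not read by the module, mapped to the
# recognized name carrying the same meaning (per the reply in the thread).
RENAMED = {"LDAP_BINDDN": "LDAP_USER", "LDAP_BINDPW": "LDAP_PASSWD"}

# Matches:  setenv NAME = value   (value may be quoted or bare)
SETENV_RE = re.compile(r'^\s*setenv\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')

# Constructed sample, modelled on the snippet in the original post.
SAMPLE_CONFIG = """\
mavis module = external {
    # Set environment variables for LDAP connection
    setenv LDAP_SERVER_TYPE = "openldap"
    setenv LDAP_HOSTS = "ldap://10.10.1.70:389"
    setenv LDAP_BASE = "cn=accounts,dc=mgmt,dc=example,dc=com"
    setenv LDAP_BINDDN = "uid=tacacs-server,cn=sysaccounts,cn=etc,dc=mgmt,dc=example,dc=com"
    setenv LDAP_BINDPW = "placeholder-password"
    setenv REQUIRE_TACACS_GROUP_PREFIX = 0
    setenv LDAP_FILTER = "(uid=%s)"
    # Optional: setenv REQUIRE_TACACS_GROUP_PREFIX = 0
    exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
}
"""


def parse_setenv(config_text):
    """Return a dict of setenv name -> value (in file order), skipping comments."""
    env = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line
        m = SETENV_RE.match(line)
        if not m:
            continue  # not a setenv line (e.g. "exec = ...")
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip surrounding double quotes
        env[name] = value
    return env


def lint_setenv(env):
    """Return a list of (name, message) for setenv names the module will not read."""
    findings = []
    for name in env:
        if name in RENAMED:
            findings.append((name, f"not read by the module; rename to {RENAMED[name]}"))
        elif name not in RECOGNIZED:
            findings.append((name, "not a recognized variable (check spelling)"))
    return findings


def rewrite_config(config_text):
    """Return the config with LDAP_BINDDN/LDAP_BINDPW renamed; other lines untouched."""
    out = []
    for line in config_text.splitlines():
        m = SETENV_RE.match(line)
        if m and m.group(1) in RENAMED:
            # Only the first occurrence is the variable name after "setenv".
            line = line.replace(m.group(1), RENAMED[m.group(1)], 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, msg in lint_setenv(parse_setenv(SAMPLE_CONFIG)):
        print(f"{name}: {msg}")
    print(rewrite_config(SAMPLE_CONFIG))
```

Run against the sample, the lint reports both credential variables and the rewritten block carries `LDAP_USER` and `LDAP_PASSWD`, matching the reply above; the rest of the block (including `LDAP_SERVER_TYPE`, which the reply says may be left to auto-detection) is passed through unchanged.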

Tammy Firefly

Sep 6, 2025, 3:29:24 PM (6 days ago) Sep 6
to Event-Driven Servers
Yup, that plus an error I made creating the bind user fixed it :)