Since OpenLDAP has the feature of overlays and the "memberOf" overlay
is activated in my OpenLDAP environment, I modified the plugin
"mavis_tacplus_ldap.pl".
-> It is now possible to get multiple group memberships from OpenLDAP
via the memberOf attribute.
-> The attribute "tacacsMember" and the special tacacs schema are not required.
See the diff (to version 201112031122) for my changes. Can you
please have a look at it and maybe merge it into your codebase for
future versions?
Best regards,
#Birger
110a111,114
> OPENLDAP_USE_MEMBEROF
> Enable multiple group membership for OpenLDAP server (the memberof overlay must be activated)
> Default: unset
>
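Review bot: the OPENLDAP_USE_MEMBEROF description should state that any value, including 0, switches the feature on, because the line that reads it (`$openldap_use_memberof = $ENV{'OPENLDAP_USE_MEMBEROF'} if exists ...`) and every later branch only test `defined`. Either document it as "set to any value to enable" or make the checks test for truth. Note also that the merged version discussed later in the thread calls the variable FLAG_USE_MEMBEROF, so the documentation text should follow whichever name is kept.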
213a218
> my $openldap_use_memberof = undef;
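Review bot: `my $openldap_use_memberof = undef;` spells out an initialisation that `my` already performs; `my $openldap_use_memberof;` is the idiomatic form and avoids suggesting that undef is a distinct configured state.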
255a261
> $openldap_use_memberof = $ENV{'OPENLDAP_USE_MEMBEROF'} if exists $ENV{'OPENLDAP_USE_MEMBEROF'};
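Review bot: this assignment keeps whatever string is in the environment, but the consumers of `$openldap_use_memberof` only ever check `defined`, so `OPENLDAP_USE_MEMBEROF=0` enables the feature. If the intent is an on/off flag, normalise here, for example `$openldap_use_memberof = 1 if $ENV{'OPENLDAP_USE_MEMBEROF'};`, so that 0 and the empty string mean off.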
507c513,518
< $mesg = $ldap->search(base => $authdn, scope=>'base', filter =>
'(objectclass=*)');
---
> if (defined ($openldap_use_memberof)){
> #print STDERR "_DEBUG_ fetching authdn with memberOf attribute: $authdn\n";
> $mesg = $ldap->search(base => $authdn, scope=>'base', filter => '(objectclass=*)', attrs=>['*','memberOf']);
> }else{
> $mesg = $ldap->search(base => $authdn, scope=>'base', filter => '(objectclass=*)');
> }
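Review bot: the commented-out `#print STDERR "_DEBUG_ fetching authdn ..."` line should be removed or put behind the script's debug switch before merging. The two branches differ only in the `attrs` argument, so one call suffices: build `my @attrs = defined $openldap_use_memberof ? (attrs => ['*', 'memberOf']) : ();` and pass `@attrs` to a single `$ldap->search(...)`, which keeps base, scope and filter in one place.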
525,526c536,570
< $val = $entry->get_value('tacacsMember', asref => 1);
< $V[AV_A_TACMEMBER] = join(',', @$val) if $val;
---
> if (defined ($openldap_use_memberof)){
> #print STDERR "_DEBUG_ getting memberof attribute for openldap user\n";
> $val = $entry->get_value('memberOf', asref => 1);
> #print STDERR "_DEBUG_ openldap user has some memberOf attribute set: $val\n";
> if ($#{$val} > -1) {
> if (defined($unlimit_ad_group_membership)) {
> #print STDERR "_DEBUG_ unlimited group membership\n";
> my $m;
> foreach $m (sort grep { /^cn=$tacacsGroupPrefix[^,]*,/i } @$val) {
> $m =~ s/^cn=$tacacsGroupPrefix([^,]*),.*$/$1/i;
> #print STDERR "_DEBUG_ multiple member: $m\n";
> if ($m) {
> if (exists $V[AV_A_TACMEMBER]) {
> $V[AV_A_TACMEMBER] .= "," . $m;
> } else {
> $V[AV_A_TACMEMBER] = $m;
> }
> }
> }
> } else {
> my $m;
> $m = (sort grep { /^CN=$tacacsGroupPrefix[^,]*,/i } @$val)[0];
> if (defined $m) {
> $m =~ s/^CN=$tacacsGroupPrefix([^,]*),.*$/$1/i;
> $V[AV_A_TACMEMBER] = $m;
> }
> }
> }
> if (defined ($require_tacacsGroupPrefix) && !defined($V[AV_A_TACMEMBER])){
> goto fail;
> }
> }else{
> $val = $entry->get_value('tacacsMember', asref => 1);
> $V[AV_A_TACMEMBER] = join(',', @$val) if $val;
> }
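Review bot: `$tacacsGroupPrefix` is interpolated unquoted into the patterns on the `grep` and `s///` lines of both branches, so a prefix containing regex metacharacters (`.`, `+`, `(`) is read as a pattern instead of being matched literally; wrap it as `\Q$tacacsGroupPrefix\E`. The same patterns cut the RDN value at the first comma, so a group whose cn contains an escaped comma (`cn=tac\,ops,...`) yields a truncated name; `ldap_explode_dn` from Net::LDAP::Util handles DN escaping correctly. Smaller points: `cn=` and `CN=` are used inconsistently between the two branches (harmless under `/i`, but pick one), `$#{$val} > -1` depends on `$#` autovivifying an empty array when `get_value` returns undef, where `if ($val && @$val)` says what is meant, and the `_DEBUG_` comment lines should go before the merge.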
Thanks for your fast answer.
You're right, but:
- password change should be working (the flag for this is ok)
- when fetching data via ldap-search, the explicit request for the attribute
"memberOf" is required when using OpenLDAP with the overlay "memberof",
because the memberof attribute is an operational attribute and is not
returned by a standard search by default. See the following line in my
"patch":
$mesg = $ldap->search(base => $authdn, scope=>'base', filter => '(objectclass=*)', attrs=>['*','memberOf']);
Best regards,
#Birger
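The explicit attrs request described above, and the mapping from memberOf DNs to the group list that the patch performs, as an added Perl example (this is not code from mavis_tacplus_ldap.pl or the tac_plus project; the DNs, the prefix "tac" and the function names search_args, groups_from_memberof and tacmember_value are constructed for the illustration):

```perl
#!/usr/bin/perl
# Added illustration, not code from mavis_tacplus_ldap.pl. It isolates the two
# points of the thread: (1) with the OpenLDAP memberof overlay the memberOf
# attribute is operational and has to be requested by name next to '*', and
# (2) turning the returned group DNs into the TACACS+ group list by prefix.
# DNs, prefix and function names are constructed for the example.
use strict;
use warnings;

# (1) Argument list for Net::LDAP->search(). Without the attrs entry an
#     OpenLDAP server with the memberof overlay omits memberOf from the result.
sub search_args {
    my ($authdn, $use_memberof) = @_;
    my %args = (base => $authdn, scope => 'base', filter => '(objectclass=*)');
    $args{attrs} = ['*', 'memberOf'] if $use_memberof;   # '*' alone is not enough
    return \%args;
}

# (2) Map memberOf DNs to group names. The prefix is wrapped in \Q...\E so
#     regex metacharacters in it are matched literally, and the RDN value may
#     contain escaped commas ("\,"), which a split at the first comma would cut.
sub groups_from_memberof {
    my ($memberof, $prefix, $unlimited) = @_;
    return () unless $memberof && @$memberof;      # attribute absent or empty
    my @groups;
    for my $dn (sort @$memberof) {                 # same ordering as the patch's sort
        next unless $dn =~ /^cn=\Q$prefix\E((?:\\.|[^,\\])*),/i;
        (my $name = $1) =~ s/\\(.)/$1/g;           # undo DN escaping
        push @groups, $name if length $name;
        last unless $unlimited;                    # UNLIMIT_AD_GROUP_MEMBERSHIP unset: first match only
    }
    return @groups;
}

# Value for the TACMEMBER attribute, or undef when REQUIRE_AD_GROUP_PREFIX is
# set and no group carries the prefix (the patch's "goto fail" case).
sub tacmember_value {
    my ($memberof, $prefix, $unlimited, $require_prefix) = @_;
    my @groups = groups_from_memberof($memberof, $prefix, $unlimited);
    return undef if $require_prefix && !@groups;
    return @groups ? join(',', @groups) : '';
}

# Constructed sample of what an OpenLDAP user entry's memberOf could hold.
my @memberof = (
    'cn=tacadmin,ou=groups,dc=example,dc=com',
    'cn=TACops,ou=groups,dc=example,dc=com',
    'cn=tacnoc\, eu,ou=groups,dc=example,dc=com',   # escaped comma inside the cn
    'cn=wheel,ou=groups,dc=example,dc=com',
);

my $args = search_args('uid=someuser,ou=people,dc=example,dc=com', 1);
print "requested attributes: @{ $args->{attrs} }\n";
print "unlimited membership: ", tacmember_value(\@memberof, 'tac', 1, 1), "\n";
print "first match only:     ", tacmember_value(\@memberof, 'tac', 0, 1), "\n";
print "no prefixed group:    ",
    (defined tacmember_value(['cn=wheel,ou=groups,dc=example,dc=com'], 'tac', 1, 1)
        ? 'ok' : 'fail (REQUIRE_AD_GROUP_PREFIX)'), "\n";
```

Run it with plain perl; no LDAP server is needed because search_args only builds the argument hash that would be handed to Net::LDAP->search. The third sample DN shows the caveat: its escaped comma survives the extraction, but the resulting group name still contains a comma, so a comma-joined TACMEMBER value would need a different separator or quoting if such group names exist in the directory.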
Thanks for the patch!
Authentication and authorization (group mapping) seem to work, but
password change is not possible.
In the config file I did set:
setenv LDAP_SERVER_TYPE = "microsoft"
and
setenv FLAG_USE_MEMBEROF = 1
Best regards,
#Birger
> mavis_tacplus_ldap.pl-patch
Password change should work if you replace line 446 with:
if ( ($LDAP_SERVER_TYPE eq 'microsoft') && !(defined $flag_use_memberof) ) {
Best regards,
Birger
On Dec 7, 9:13 pm, Marc Huber <marc.j.hu...@googlemail.com> wrote:
> mavis_tacplus_ldap.pl-patch
On 8 Dec., 13:40, Birger <sysde...@googlemail.com> wrote:
> In the config file I did set:
> setenv LDAP_SERVER_TYPE = "microsoft"
This explicitly enables the AD-specific password change code. Setting
LDAP_SERVER_TYPE to a different value ("openldap", "generic",
whatever, just not "microsoft") will use the standard password change
routines. Setting FLAG_USE_MEMBEROF is all you need to enable the
"memberof" code path.
Cheers,
Marc
Thanks for this clarification.
I thought (according to the documentation) that setting
LDAP_SERVER_TYPE to "generic" would disable authorization
altogether. I will test it and give feedback!
Best regards,
#Birger
I tested it with LDAP_SERVER_TYPE set to the unspecified value
"openldap" and it works!
Here comes my config (anonymized) for OpenLDAP with the active overlay
"memberOf" and successfully tested password change in LDAP.
#---
[...]
mavis module = external {
setenv LDAP_SERVER_TYPE = "openldap"
setenv LDAP_HOSTS = "10.10.10.1"
setenv LDAP_BASE = "dc=example,dc=com"
setenv LDAP_FILTER = "(uid=%s)"
setenv LDAP_FILTER_CHPW = "(uid=%s)"
setenv LDAP_USER = "cn=ldapadmin,dc=example,dc=com"
setenv LDAP_PASSWD = secret
setenv USE_TLS = 1
setenv AD_GROUP_PREFIX = tac
setenv REQUIRE_AD_GROUP_PREFIX = 1
setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
setenv FLAG_CHPW = 1
setenv FLAG_USE_MEMBEROF = 1
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
[...]
#---
Thanks for your support and best regards,
#Birger
On 8 Dec., 17:18, Marc Huber <marc.j.hu...@googlemail.com> wrote:
Thanks, the changes are now part of
http://www.pro-bono-publico.de/projects/src/DEVEL.201112141932.tar.bz2
Cheers,
Marc
Thanks for merging the changes into the package!
In syslog messages I get the following warnings. Maybe some code has
to be cleaned up? I think these messages are not correct, because the
mentioned environment variables are NOT ignored! I am using these
environment variables, even if I set LDAP_SERVER_TYPE to "openldap".
Warning: Environment variable UNLIMIT_AD_GROUP_MEMBERSHIP will be ignored.
Warning: Environment variable AD_GROUP_PREFIX will be ignored.
Warning: Environment variable REQUIRE_AD_GROUP_PREFIX will be ignored
Best regards,
Birger
I just re-installed everything "from source" (bz2 package).
Thanks a lot, now everything is working as expected :-)
Best regards,
Birger
> mavis_tacplus_ldap.diff