packetfence
LDAP Conditions not working for LDAP authentication Source
Describe the bug
I have two authentication sources. One is LDAP and the other is Active Directory. They are both configured the same:
- Same LDAP account
- Same AD/LDAP server over port 636 with SSL
I can successfully authenticate only using the LDAP auth source. The AD one does not seem to work for authentication for some reason. Whilst the AD auth source is able to set up LDAP conditions, the LDAP source does not. When searching for an LDAP attribute using the LDAP auth source, nothing shows up.
Steps to reproduce the behavior:
- Create a new authentication source using the type LDAP.
- Set up LDAP and make sure to test the authentication.
- Add a new authentication rule and try to provide an LDAP condition.
- It does not provide a list of attributes:
- However, in the Active Directory auth source, the LDAP condition attributes are shown as they should:
Expected behavior
Being able to use LDAP conditions with the LDAP authentication source.
Tested on
- Two different PF ZEN installations (13.1.0)
- PF on Debian 11 installation (13.1.0)
- PF ZEN (13.2.0)
No one?
Hi, I ran into the same issue. Is this project still maintained, since there has been no response for over 3 weeks on this issue? @louismunro @candlerb @ashang
I am doubting anyone still works on this project. I have sent them a mail in the past (over 3 months ago) asking for support but still have not heard back from them.
I don't know why you pinged me. I haven't looked at packetfence for many years and I don't know anyone who still uses it; wireless and 802.1x is the primary access method in most places these days.
Inverse Inc provide (or used to provide) paid support; if you have a budget for it, you could try that route.
I have asked for paid support but never received a response. @fdurand @extrafu @jrouzierinverse
I have faced the same problem in 13.1 and 13.2. On ZEN, Debian and RHEL 8 the options are available for authentication rules for AD and even Google LDAP, however they are missing in LDAP. I have had discussions via mail and no one to help atm.
I just read 14 is out so I am going to try setting that up within the week and see if it's fixed. I will report back here.
Let's hope this issue has been fixed in 14. I will try to test it out as soon as time is on our hands
Unfortunately, this is not fixed. I just installed and tried it. It authenticates fine but LDAP auth rules cannot be set using LDAP attributes.
I needed this for role/VLAN assignment using the memberOf attribute, but now it looks like I may have to set up different SSIDs for different departments. This introduces the problem of no connection to staff when they move to other parts of the building where their dept SSID ain't visible or is weak. The next option will be to have one VLAN and SSID and make it general staff, which also comes with other issues.
The problem seems to start in v13.0 after the conditions were separated to "Add PacketFence Conditions" and "Add LDAP Conditions". I went back to install and test v11.2 and v12.2. Both have this working fine with all the attributes showing as seen in the image below.
Can you verify with the inspect mode in Chrome, in the network tab, what error message is returned by the search?
Something like that:
Nope, I get a valid 200 and no errors from network requests whatsoever. In the preview I only see my domain.
dc=domain,dc=com,dc=gh: {}
@fdurand do let me know if you need anything else to aid in troubleshooting it.
OK so if it's empty, at least it's able to connect. Can you try first by disabling "Use pfconnector" and see if it helps. Also, do you have any differences when you use "memberOf is cn=admini...." instead of "memberOf is member of cn=admini..."?
So I have tried both with "Use pfconnector" enabled and disabled. I have the same results, nothing.
Again, nothing shows up at all when I start typing. It just says No results.
Is there any other config or service of PF that could be affecting this?
But when you change from "is member of" to "is", does it change something?
No attribute shows up at all as it does in a list for Google LDAP.
https://github.com/user-attachments/assets/4af4f298-9dbc-415b-a95e-bf1a41f53c94
Ok so can you verify again with the inspect mode what error messages are returned by all the search requests?
That's the thing, I monitored while making changes. No errors.
Ok so let's see the request then:
and show me the search_query
I figured the screenshot will not capture everything so I copied the request payload source.
{
  "server": {
    "administration_rules": [],
    "append_to_searchattributes": "",
    "authentication_rules": [
      {
        "actions": [
          {
            "type": "set_role",
            "value": "default"
          },
          {
            "type": "set_access_duration",
            "value": "12h"
          }
        ],
        "conditions": [],
        "description": "All users if not matched with another rule",
        "id": "catchall",
        "match": "all",
        "status": "enabled"
      },
      {
        "actions": [],
        "conditions": [
          {
            "attribute": null,
            "operator": null,
            "value": null,
            "type": "ldap"
          }
        ],
        "description": "a test ",
        "id": "hey",
        "match": "all",
        "status": "enabled"
      }
    ],
    "basedn": "dc=domain,dc=com,dc=gh",
    "binddn": "uid=uaccount,ou=people,dc=domain,dc=com,dc=gh",
    "ca_file": "",
    "ca_file_upload": null,
    "cache_match": "0",
    "class": "internal",
    "client_cert_file": "",
    "client_cert_file_upload": null,
    "client_key_file": "",
    "client_key_file_upload": null,
    "connection_timeout": "2",
    "dead_duration": "60",
    "description": "Authentication sources using LDAP for domain.com.gh",
    "email_attribute": "mail",
    "encryption": "ssl",
    "host": [
      "mail.domain.com.gh"
    ],
    "id": "DOMAIN_LDAP",
    "ldapfilter_operator": null,
    "monitor": "1",
    "not_deletable": false,
    "not_sortable": false,
    "password": "somepassword",
    "port": "636",
    "read_timeout": "10",
    "realms": [
      "default",
      "local",
      "null"
    ],
    "scope": "sub",
    "searchattributes": [],
    "set_access_durations_action": [
      ""
    ],
    "set_role_from_source_action": null,
    "shuffle": "0",
    "trigger_portal_mfa_action": null,
    "trigger_radius_mfa_action": null,
    "type": "LDAP",
    "use_connector": "1",
    "usernameattribute": "mail",
    "verify": "none",
    "write_timeout": "5",
    "allowed_domains": [],
    "banned_domains": []
  },
  "search_query": {
    "filter": null,
    "scope": "base",
    "attributes": [
      "subSchemaSubEntry"
    ],
    "base_dn": "dc=domain,dc=com,dc=gh",
    "size_limit": 1000
  }
}
A few observations I have made:
- Network requests for search do not happen when typing the attribute name. You only see the search request when you change an option on the page.
- No matter what is typed, once you click outside the box, everything is erased or removed from the box.
- Others like the AD and Google LDAP sources show the available attributes to add authentication rules even when you have not configured a valid connection.
- It seems that this problem only started when the "add conditions" were split for LDAP. The AD Source version shows up fine with the "memberOf:1.2.840.113556.1.4.1941" option right when you click the arrow or box. The Google Workspaces Source doesn't have two choices but has all the attributes for LDAP and PF. Meanwhile, the code suggests the Google LDAP source extends the LDAP Source package. (Just from observations of the .pm files for the auth sources, I don't write in that language.) I think the problem lies in the attributes list: the predefined attributes and operators do not show in the list for LDAP.
Is it possible to modify and test those files? I'm thinking mainly to try and revert to what existed in the version 12.2 LDAP Auth Source, since it looks to me that some addition after then introduced this problem. However, I do not know what other aspects of the system the auth sources are dependent on and where some changes might have also been made to affect it. But if everything is in the Auth sources .pm files, I'd like to play with them and see if I can help with that testing.
So what is not working correctly is that request:
"search_query": {
  "filter": null,
  "scope": "base",
  "attributes": [
    "subSchemaSubEntry"
  ],
  "base_dn": "dc=domain,dc=com,dc=gh",
  "size_limit": 1000
}
It is supposed to return the LDAP attributes of the LDAP server. Do you know, on your LDAP server, what the request is to retrieve all attributes?
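The two-step schema lookup that the request above is the first half of, as an added example (not PacketFence's own code): a base-scope read of the base DN for `subschemaSubentry`, then a base-scope read of that entry for `attributeTypes`, from which the attribute names for the condition list are parsed. The server responses are a constructed sample, `read_entry` is a hypothetical stand-in for a real LDAP client, and `cn=Subschema` is assumed to be the subschema DN, which is OpenLDAP's default.

```python
import re

# Constructed sample (not a capture) of what the two base-scope reads return:
# the base DN discloses its subschema entry (OpenLDAP's default is cn=Subschema),
# and that entry lists RFC 4512 attributeTypes definitions.
SAMPLE_ENTRIES = {
    "dc=domain,dc=com,dc=gh": {"subschemaSubentry": ["cn=Subschema"]},
    "cn=Subschema": {
        "attributeTypes": [
            "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
            "( 0.9.2342.19200300.100.1.3 NAME 'mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
            "( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' SINGLE-VALUE )",
            "( 1.2.840.113556.1.2.102 NAME 'memberOf' USAGE directoryOperation )",
            "( 9.9.9 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",  # no NAME: must be skipped
        ]
    },
}

# NAME is either one quoted name or a parenthesised list of quoted names.
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def read_entry(dn, attributes):
    """Hypothetical stand-in for a base-scope LDAP read (a real client would use ldap3 or Net::LDAP)."""
    entry = SAMPLE_ENTRIES.get(dn, {})
    return {a: entry[a] for a in attributes if a in entry}


def attribute_names(attribute_type_defs):
    """Collect every attribute name from RFC 4512 attributeTypes values."""
    names = set()
    for definition in attribute_type_defs:
        match = NAME_RE.search(definition)
        if match is None:
            continue  # unnamed or malformed definition: skip it, keep the rest
        if match.group(1):
            names.add(match.group(1))
        else:
            names.update(re.findall(r"'([^']+)'", match.group(2)))
    return sorted(names, key=str.lower)


def discover_attributes(base_dn, reader=read_entry):
    """Step 1: read subschemaSubentry from the base DN (the request in the issue).
    Step 2: read that entry's attributeTypes and extract names for the condition list."""
    subschema = reader(base_dn, ["subschemaSubentry"]).get("subschemaSubentry", [])
    if not subschema:
        return []  # server does not disclose its schema entry: nothing to offer
    defs = reader(subschema[0], ["attributeTypes"]).get("attributeTypes", [])
    return attribute_names(defs)
```

An empty result from the first read, as in the `dc=domain,dc=com,dc=gh: {}` preview above, means the server never disclosed its subschema entry, so the second read (and the attribute list) cannot happen.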
Hello Durand, unfortunately I do not know. However, if it helps, I am using an OpenLDAP from a Zimbra installation. I use that for a number of services but I haven't had to manually query it or do this, so I can't tell.