LinuxQuestions.org
Old 12-07-2015, 11:34 AM   #1
micromacromonkey
LQ Newbie
 
Registered: Dec 2015
Posts: 2

Rep: Reputation: Disabled
AD LDAP - can't search on memberOf


Hi all

I am trying to use SSSD on RHEL 6.4 to authenticate users from Active Directory. It works if I don't specify an access filter, but if I try to filter based on group membership (memberOf) it fails.

Quote:
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [d-test2]
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_account_expired_ad] (0x4000): User account control for user [d-test2] is [0].
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [d-test2] is [0].
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [d-test2]
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_print_server] (0x2000): Searching 10.21.1.92
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=d-test2)(objectclass=user)(memberOf=CN=LOC-RHEL-Admins,OU=Security Groups,OU=Dev,DC=mycompany,DC=com))][CN=d-test2,OU=Users,OU=Dev,DC=mycompany,DC=com].
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 19
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_process_result] (0x2000): Trace: sh[0xda8600], connected[1], ops[0xdb52e0], ldap[0xda8670]
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_access_filter_done] (0x0100): User [d-test2] was not found with the specified filter. Denying access.
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
Interestingly, the query returns values (the users who are members) from ldp.exe (MSFT tool) on Windows, but returns zero from ldapsearch on the RHEL box.

So this fails:

ldapsearch -H ldap://server1.mycompany.com/ -Y GSSAPI -b "ou=users,ou=dev,dc=mycompany,dc=com" "(&(sAMAccountName=d-test2)(objectclass=user)(memberOf=CN=LOC-RHEL-Admins,OU=Security Groups,OU=Dev,DC=mycompany,DC=com))"

(NB GSSAPI and other params are all fine, if I take out the memberOf clause it returns results, so it's just the memberOf bit that is failing).

The very same query returns the members when run from ldp.exe on Windows.

Anyone have any ideas?
 
Old 12-09-2015, 02:36 PM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694
Can you provide the output from removing the 'memberOf' part?
 
Old 12-11-2015, 03:38 AM   #3
micromacromonkey
LQ Newbie
 
Registered: Dec 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Hi, thanks for the reply. I managed to track this down:

The ldapsearch/SSSD queries were running as the host principal, so the read privileges that principal had were due to membership of the special group Authenticated Users. Authenticated Users does not by default have a Read privilege on the memberOf attribute of a user object. When I ran as a different user that had this right (coincidentally on Windows) it read it OK. This is 'by design' in Active Directory, to prevent enumeration of group memberships unless the privilege is specifically granted. I have now created a group for all the RHEL principals which is assigned this privilege.
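The diagnosis above can be turned into a repeatable check from the RHEL side. The script below is an added example, not code from the thread or from SSSD: the function names classify_memberof and ldif_unfold are my own, the DNs are the ones from the thread, and the constructed LDIF in the comments stands in for real ldapsearch output. The point it makes is the one that made the original symptom confusing: an LDAP filter clause on an attribute the bound principal cannot read is evaluated as if the attribute were absent, so the server answers "Success" with zero entries rather than an error, and SSSD then denies access. A base-scope search of the user's own entry that explicitly requests memberOf separates "no such user" from "user found but memberOf not visible to me" from "not a member".

```shell
#!/bin/sh
# Added example (not from the thread): classify why a memberOf filter returns
# nothing, from the LDIF of a base-scope search of the user's own entry. The
# search to feed it is the one the thread's ldapsearch line implies, narrowed
# to the user object and the single attribute of interest:
#
#   ldapsearch -LLL -H ldap://server1.mycompany.com/ -Y GSSAPI \
#     -b "CN=d-test2,OU=Users,OU=Dev,DC=mycompany,DC=com" -s base \
#     "(objectClass=user)" memberOf \
#   | classify_memberof "CN=LOC-RHEL-Admins,OU=Security Groups,OU=Dev,DC=mycompany,DC=com"
#
# classify_memberof reads LDIF on stdin, takes the group DN as $1 and prints:
#   user-not-found         no entry came back (wrong base DN, or no Read on the object)
#   memberof-not-readable  entry returned but memberOf absent: the bound principal
#                          lacks Read on memberOf (the situation the poster describes)
#   not-a-member           memberOf is readable and the group is not listed
#   member                 the group is listed; the access filter should succeed
# Exit status is 0 only for "member", so it can gate a larger script.

# Unfold LDIF: a line beginning with exactly one space continues the previous
# line (ldapsearch wraps long DNs this way).
ldif_unfold() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

classify_memberof() {
    group_dn="$1"
    # Read stdin once; the awk pass joins wrapped lines so grep sees whole values.
    unfolded=$(ldif_unfold)

    if ! printf '%s\n' "$unfolded" | grep -q -i '^dn:'; then
        echo user-not-found
        return 1
    fi
    # Only plain "memberOf:" values are inspected; base64 values ("memberOf::"),
    # which ldapsearch emits for DNs containing non-ASCII characters, are not
    # decoded here.
    if ! printf '%s\n' "$unfolded" | grep -q -i '^memberOf:'; then
        echo memberof-not-readable
        return 1
    fi
    # DNs compare case-insensitively (-i); -x requires a whole-line match and -F
    # takes the DN literally, so commas and spaces in it need no escaping.
    if printf '%s\n' "$unfolded" | grep -q -i -F -x "memberOf: $group_dn"; then
        echo member
        return 0
    fi
    echo not-a-member
    return 1
}
```

Run it once as the host principal (the context SSSD uses, via `kinit -k` with the host keytab) and once as an ordinary user: if the first prints memberof-not-readable and the second prints member for the same account, the problem is the ACL on memberOf rather than the filter, which is exactly the split the poster saw between the RHEL box and ldp.exe.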
 
All times are GMT -5. The time now is 09:32 PM.