
Generate role with sAMAccountName from each user of a group: Bad search filter #228

Closed
datinho opened this issue Jul 31, 2018 · 26 comments

Comments

@datinho
Contributor

datinho commented Jul 31, 2018

Ref. #128

ldap2pg -V
ldap2pg 4.11
psycopg2 2.7.5 (dt dec pq3 ext lo64)
python-ldap 3.1.0
Python 2.7.5 (default, Jul 13 2018, 13:06:57)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

OS: Centos 7

I've configured the yml file: ldap2pg.yml

ldap:
  uri: ldap://pdc.office.company.com:389
  binddn: CN=inetwork,OU=Network/Nweb Service Account,DC=office,DC=company,DC=com
  user: inetwork
  password: "*****"

# top-level key restored so the item below parses; the issue quoted only the item
sync_map:
- ldap:
    base: DC=office,DC=company,DC=com
    scope: sub
    filter: >
      (&
        (objectClass=User)
        (memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com)
      )
  role:
    name_attribute: sAMAccountName
    options: LOGIN SUPERUSER

running the command: ldap2pg -c ./ldap2pg.yml -n -vvv

[ldap2pg.manager INFO] Querying LDAP DC=office,DC=company,DC=c... (&
[ldap2pg.manager INFO] (object...
[ldap2pg.ldap DEBUG] Doing: ldapsearch -Y DIGEST-MD5 -U inetwork -W -b DC=office,DC=company,DC=com -s sub '(&
[ldap2pg.ldap DEBUG] (objectClass=User)
[ldap2pg.ldap DEBUG] (memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com)
[ldap2pg.ldap DEBUG] )
[ldap2pg.ldap DEBUG] ' sAMAccountName
[ldap2pg.script CRITI] Failed to query LDAP: {u'info': 'Resource temporarily unavailable', 'errno': 11, 'desc': u'Bad search filter'}.

I receive the error, but if I run the command line: ldapsearch -h pdc.office.company.com -D "CN=inetwork,OU=Network/Nweb Service Account,DC=office,DC=company,DC=com" -W -Y DIGEST-MD5 -U inetwork -W -b DC=office,DC=company,DC=com -s sub '(&(objectClass=User)(memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com))' sAMAccountName

Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: inetwork
SASL SSF: 128
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <DC=office,DC=company,DC=com> with scope subtree
# filter: (&(objectClass=User)(memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com))
# requesting: sAMAccountName
#
# John Doe, It Group, Network, office.company.com
dn: CN=John Doe,OU=It Group,OU=Network,DC=office,DC=company,DC=com
sAMAccountName: doe

It returns the sAMAccountName of the related group members, and I cannot use the CN because it is space separated.
Thanks in advance.

@bersace
Member

bersace commented Jul 31, 2018

Hi @datinho !

I can reproduce the error with the : > YAML syntax:

# FAILS
filter: >
  (&
    (cn=*)
    (objectClass=*)
  )
# WORKS
filter: "(& (cn=*) (objectClass=*))"

Can you confirm this?

That's a bug since ldapsearch accepts such filter.

@bersace
Member

bersace commented Jul 31, 2018

OK, the bug is that : > adds a final \n to the filter, and this violates the LDAP protocol. #229 fixes this. You can work around it by using : "(&…)".
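As an added illustration of the folded-scalar problem (example code written for this thread, not ldap2pg's own; function names are assumed): the string a YAML parser yields for the filter: > block quoted above next to the double-quoted form, a normalizer that joins the lines without touching the space inside OU=SQL Groups, and a client-side sanity check that rejects the trailing newline before it reaches the server.

```python
import re

# Constructed strings: what a YAML parser yields for the two spellings in the
# comment above. The folded scalar ("filter: >") keeps the line breaks of the
# more-indented lines and always ends in a newline; the double-quoted scalar
# is a single line.
FOLDED_FILTER = (
    "(&\n"
    "  (objectClass=User)\n"
    "  (memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com)\n"
    ")\n"
)
QUOTED_FILTER = "(& (objectClass=User) (memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com))"


def normalize_filter(raw):
    """Collapse a multi-line YAML filter into one line before sending it.

    Only whitespace runs that contain a line break are removed, so the
    space inside an assertion value such as OU=SQL Groups is kept.
    """
    return re.sub(r"\s*\n\s*", "", raw.strip())


def check_filter(flt):
    """Client-side sanity check mirroring what the server rejected as
    'Bad search filter': no control characters (the trailing '\\n' of the
    folded scalar is one) and balanced parentheses around the whole filter."""
    if not flt.startswith("("):
        return False
    depth = 0
    for ch in flt:
        if ord(ch) < 0x20:
            return False
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(repr(FOLDED_FILTER), check_filter(FOLDED_FILTER))
    print(normalize_filter(FOLDED_FILTER), check_filter(normalize_filter(FOLDED_FILTER)))
```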

@datinho
Contributor Author

datinho commented Jul 31, 2018

Hi @bersace,
thanks for your fast reply, here's the result:

[ldap2pg.ldap DEBUG] Doing: ldapsearch -Y DIGEST-MD5 -U inetwork -W -b DC=office,DC=company,DC=com -s sub '(& (objectClass=User) (memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com))' sAMAccountName
[ldap2pg.script CRITI] Failed to query LDAP: {'info': u'000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580', 'desc': u'Operations error'}.

but the binding was successful

[ldap2pg.ldap DEBUG] Trying SASL DIGEST-MD5 auth.
[ldap2pg.ldap DEBUG] Doing: ldapwhoami -Y DIGEST-MD5 -U inetwork -W

@bersace
Member

bersace commented Jul 31, 2018

@datinho hmm, that's another issue. Does the ldapwhoami command work? I'm wondering if I should set both -D and -U. What is your LDAP server?

@datinho
Contributor Author

datinho commented Jul 31, 2018

I'm using an Active Directory

@bersace
Member

bersace commented Jul 31, 2018

🆙 can you test the ldapwhoami command?

@datinho
Contributor Author

datinho commented Jul 31, 2018

I've configured the yml and ldaprc:

[ldap2pg.config        INFO] Using /opt/ldap2pg/ldap2pg.yml.
[ldap2pg.config       DEBUG] Read dry from argv.
[ldap2pg.config       DEBUG] Read verbosity from argv.
[ldap2pg.config       DEBUG] Read ldap:uri from YAML.
[ldap2pg.config       DEBUG] Read ldap:binddn from YAML.
[ldap2pg.config       DEBUG] Read ldap:user from YAML.
[ldap2pg.config       DEBUG] Read ldap:password from YAML.
[ldap2pg.config       DEBUG] Read postgres:dsn from YAML.
[ldap2pg.config       DEBUG] Read privileges from YAML.
[ldap2pg.config       DEBUG] Read sync_map from YAML.
[ldap2pg.config       DEBUG] Drop unused hidden privilege __temporary__
[ldap2pg.config       DEBUG] Configuration loaded.
[ldap2pg.script       DEBUG] Connecting to LDAP directory.
[ldap2pg.ldap         DEBUG] Ignoring: [Errno 2] No such file or directory: u'/etc/ldap/ldap.conf'
[ldap2pg.ldap         DEBUG] Ignoring: [Errno 2] No such file or directory: u'/root/ldaprc'
[ldap2pg.ldap         DEBUG] Ignoring: [Errno 2] No such file or directory: u'/root/.ldaprc'
[ldap2pg.ldap         DEBUG] Found rcfile /opt/ldap2pg/ldaprc.
[ldap2pg.ldap         DEBUG] Read URI from /opt/ldap2pg/ldaprc.
[ldap2pg.ldap         DEBUG] Read HOST from /opt/ldap2pg/ldaprc.
[ldap2pg.ldap         DEBUG] Read BINDDN from /opt/ldap2pg/ldaprc.
[ldap2pg.ldap         DEBUG] Read PASSWORD from /opt/ldap2pg/ldaprc.
[ldap2pg.ldap         DEBUG] Connecting to LDAP server ldap://pdc.office.company.com:389.
[ldap2pg.ldap         DEBUG] Trying SASL DIGEST-MD5 auth.
[ldap2pg.ldap         DEBUG] Doing: ldapwhoami -Y DIGEST-MD5 -U inetwork -W

Without filter, for example:

- ldap:
    base: CN=SQL-RO,OU=SQL Groups,DC=office,DC=company,DC=com
    attribute: member
  role:
    name_attribute: member.cn
    options: LOGIN
    parent:
    - ldap_roles
    - readers

the users are read correctly.

@bersace
Member

bersace commented Jul 31, 2018

Again, can you test ldapwhoami -Y DIGEST-MD5 -U inetwork -W and report the output, please?

@datinho
Contributor Author

datinho commented Jul 31, 2018

ldapwhoami -Y DIGEST-MD5 -U inetwork -W
Enter LDAP Password: 
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

It's missing the -h flag; with it:

Enter LDAP Password: 
SASL/DIGEST-MD5 authentication started
SASL username: inetwork
SASL SSF: 128
SASL data security layer installed.
u:OFFICE\inetwork

@bersace
Member

bersace commented Jul 31, 2018

@datinho yes, ldap2pg assumes ldapwhoami will read ldaprc.

@bersace
Member

bersace commented Aug 1, 2018

@datinho I find it odd to have u:OFFICE\inetwork instead of dn:…. @cbandy do you have some experience using SASL with Active Directory?

@bersace
Member

bersace commented Aug 1, 2018

@datinho can you try simple authentication?

$ ldapwhoami -h … -x -D OFFICE\\inetwork -W

@datinho
Contributor Author

datinho commented Aug 1, 2018

I guess yes

ldapwhoami -h pdc.office.company.com -x -D OFFICE\inetwork -W
Enter LDAP Password:
u:OFFICE\inetwork

it also works if I use -D inetwork

@bersace
Member

bersace commented Aug 1, 2018

@datinho Can you do an anonymous ldapsearch with and without filter?

$ ldapsearch -h … -s sub -b DC=office,DC=company,DC=com '(& (objectClass=User) (memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com))' sAMAccountName
$ ldapsearch -h … -s sub -b DC=office,DC=company,DC=com '' sAMAccountName

Adapt to your needs.

@datinho
Contributor Author

datinho commented Aug 2, 2018

Hi, the anonymous search works.
I checked that if I set the -h flag the search works; if I use ldap.conf/ldaprc, the same search doesn't.
So I must fix my openldap configuration first.
Thanks for your support and courtesy

@datinho datinho closed this as completed Aug 2, 2018
@bersace
Member

bersace commented Aug 2, 2018

@datinho ok, nice. Let me know if some doc or a better error message can help.

@datinho
Contributor Author

datinho commented Aug 21, 2018

Hi @bersace,
I've fixed the ldaprc and now the command on the CLI works correctly:

ldapsearch -x -D inetwork -W -b DC=office,DC=company,DC=com -s sub '(& (objectClass=User) (memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com))' sAMAccountName
Enter LDAP Password:

and I get all sAMAccountNames from the group

but ldap2pg still returns error:

[ldap2pg.ldap         DEBUG] Doing: ldapsearch -x -D inetwork -W -b DC=office,DC=company,DC=com -s sub '(& (objectClass=User) (memberOf=CN=SQL-DBA,OU=SQL Groups,DC=office,DC=company,DC=com))' sAMAccountName
[ldap2pg.script       CRITI] Failed to query LDAP: {'desc': 'Operations error', 'info': '000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580'}.

Note: if I use only the base directive with a single distinguished name, I don't get an error and I get the sAMAccountName

- ldap:
    base: CN=My Name,OU=It Group,OU=Network,DC=office,DC=company,DC=com
  role:
    name_attribute: sAMAccountName
    options: LOGIN SUPERUSER

@datinho datinho reopened this Aug 21, 2018
@datinho
Contributor Author

datinho commented Aug 22, 2018

Hi @bersace, I've found the root problem: it's due to referrals, which are handled differently between LDAP and AD.
ref: https://stackoverflow.com/questions/18793040/python-ldap-not-able-to-bind-successfully

Adding this at line 206 of ldap.py:
conn.set_option(ldap.OPT_REFERRALS, 0)
the filter works correctly.

After that I faced another problem, because the ldapsearch returned all users of the group and multiple search references:
# search reference
ref: ldap://ForestDnsZones.office.company.com/DC=ForestDnsZones,DC=office,DC=company,DC=com
# search reference
ref: ldap://DomainDnsZones.office.company.com/DC=DomainDnsZones,DC=office,DC=company,DC=com
# search reference
ref: ldap://office.company.com/CN=Configuration,DC=office,DC=company,DC=com

so I've added a check at line 52 to avoid adding empty entries.
Here's a gist with the files that I've modified
https://gist.github.com/datinho/d73b7d2ae22872125972b236eee126a3

I hope that could be useful.

@bersace
Member

bersace commented Aug 22, 2018

@datinho you're awesome! I'll check this asap!

@bersace
Member

bersace commented Aug 22, 2018

@datinho Do you feel confident to submit a pull request? :-)

@bersace
Member

bersace commented Oct 5, 2018

Let's close. Thanks @datinho!

@bersace bersace closed this as completed Oct 5, 2018
@thda

thda commented Feb 7, 2019

Hi,

with the fix, setting referrals in the config to 'False', false, False or 'false' cannot deactivate referrals.
I suggest:

conn.set_option(ldap.OPT_REFERRALS, int(options.get('REFERRALS', False)))

Can you please have a look?

Thanks

@bersace
Member

bersace commented Feb 7, 2019

Hi @thda. Thanks for the point. Can you review #261?

@thda

thda commented Feb 7, 2019

Thanks for looking into it.

I do not think it works.
The yaml config option will not be taken into account:
In gather_options, "if k.upper() in options and v" => if v is false nothing is set, I think.
Also, export LDAPREFERRALS=0 works, but export LDAPREFERRALS=off gives ValueError: invalid literal for int() with base 10: 'off'.

I can't tell why.
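An added example (written for this thread, not ldap2pg's code; function and option names are assumed) covering both follow-ups above: the search references Active Directory returns alongside the group members, which python-ldap hands back as (None, [uri]) tuples when referrals are not chased and which must not become roles, and a REFERRALS option that accepts False, "false", 0 and "off" from YAML or the LDAPREFERRALS environment variable without the "and v" trap that drops false values.

```python
# Two things this thread ran into, modelled without a live directory:
# 1. a boolean option must accept the usual false spellings, and a merge
#    written as `if k in options and v` silently ignores a false value;
# 2. python-ldap reports AD search references as (None, [uri, ...]) tuples
#    that must be filtered out before names are turned into roles.

FALSE_WORDS = {"0", "false", "no", "off", ""}
TRUE_WORDS = {"1", "true", "yes", "on"}


def parse_bool(value, default=False):
    """Map YAML, ldaprc and environment spellings of a boolean to bool."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in FALSE_WORDS:
        return False
    if text in TRUE_WORDS:
        return True
    raise ValueError("not a boolean: %r" % (value,))


def gather_options(defaults, yaml_options, environ):
    """Merge defaults < YAML < environment; a false value must still override."""
    options = dict(defaults)
    for key, value in yaml_options.items():
        if key.upper() in defaults and value is not None:
            options[key.upper()] = value
    for key in defaults:
        if "LDAP" + key in environ:
            options[key] = environ["LDAP" + key]
    return options


def referrals_option_value(options):
    """python-ldap's OPT_REFERRALS takes an int; 0 stops chasing referrals."""
    return int(parse_bool(options.get("REFERRALS"), default=True))


def drop_search_references(results):
    """Keep only real entries: a search reference has dn None and a URI list."""
    return [(dn, attrs) for dn, attrs in results if dn is not None]


# Constructed sample modelled on the output quoted in the issue.
SAMPLE_RESULTS = [
    ("CN=John Doe,OU=It Group,OU=Network,DC=office,DC=company,DC=com", {"sAMAccountName": [b"doe"]}),
    (None, ["ldap://ForestDnsZones.office.company.com/DC=ForestDnsZones,DC=office,DC=company,DC=com"]),
    (None, ["ldap://DomainDnsZones.office.company.com/DC=DomainDnsZones,DC=office,DC=company,DC=com"]),
    (None, ["ldap://office.company.com/CN=Configuration,DC=office,DC=company,DC=com"]),
]
```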

@bersace
Member

bersace commented Feb 7, 2019

@thda, can you show me a snippet of YAML?

@thda

thda commented Feb 19, 2019

Hi @bersace,

I've tested #261 and it now fixes my issue.

Many thanks,
Thomas

@dalibo dalibo locked as resolved and limited conversation to collaborators Apr 15, 2019