Opening a ticket as requested on the FreeIPA users list: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/OAN6SUXSYIMRVIUU6DBRIILDCW5EV2HJ/
"ipa-pwd-extop reads wrong variable, so it doesn't get a rewritten bind DN pointing to the primary LDAP tree object. Instead, it reads compat tree object which doesn't have correct data it needs to use to authenticate."
This, along with some issues with the plugin priority in my schema, appears to cause problems with 2fa against the compat tree (users with mandatory 2fa are able to authenticate with only a password).
Users who bind via the compat tree can authenticate without providing a token code.
2fa should always be enforced.
ipa-server-4.5.4-10.el7.centos.1.x86_64
ipa-client-4.5.4-10.el7.centos.1.x86_64
389-ds-base-1.3.7.5-21.el7_5.x86_64
pki-ca-10.5.1-9.el7.noarch
krb5-server-1.15.1-19.el7.x86_64
Log files didn't attach:
Access Log with password and 2fa
[30/May/2018:10:21:26.075901899 +0000] conn=25163 fd=183 slot=183 SSL connection from 172.25.0.14 to 193.63.72.98
[30/May/2018:10:21:26.117421253 +0000] conn=25163 TLS1.2 256-bit AES-GCM
[30/May/2018:10:21:26.121916838 +0000] conn=25163 op=0 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.122685598 +0000] conn=25163 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0041605195 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:26.126405442 +0000] conn=25163 op=1 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(uid=adamb)" attrs=ALL
[30/May/2018:10:21:26.134445441 +0000] conn=25163 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0008214966
[30/May/2018:10:21:26.143921650 +0000] conn=25163 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.145498150 +0000] conn=25163 op=2 RESULT err=49 tag=97 nentries=0 etime=0.0001858480 - Invalid credentials
[30/May/2018:10:21:26.149772263 +0000] conn=25163 op=3 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.150538751 +0000] conn=25163 op=3 RESULT err=0 tag=97 nentries=0 etime=0.0000946441 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:30.950782865 +0000] conn=25163 op=4 UNBIND
[30/May/2018:10:21:30.950833316 +0000] conn=25163 op=4 fd=183 closed - U1
Access log with password only
[30/May/2018:10:21:38.056017404 +0000] conn=25164 fd=156 slot=156 SSL connection from 172.25.0.14 to 193.63.72.98
[30/May/2018:10:21:38.096276825 +0000] conn=25164 TLS1.2 256-bit AES-GCM
[30/May/2018:10:21:38.100674075 +0000] conn=25164 op=0 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.101414295 +0000] conn=25164 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0040230747 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.105289862 +0000] conn=25164 op=1 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(uid=adamb)" attrs=ALL
[30/May/2018:10:21:38.116056435 +0000] conn=25164 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0011007183
[30/May/2018:10:21:38.120400753 +0000] conn=25164 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.122458980 +0000] conn=25164 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0002267568 dn="uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.126309118 +0000] conn=25164 op=3 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.127108622 +0000] conn=25164 op=3 RESULT err=0 tag=97 nentries=0 etime=0.0001023469 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.130813363 +0000] conn=25164 op=4 CMP dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" attr="uniquemember"
[30/May/2018:10:21:38.130960657 +0000] conn=25164 op=4 RESULT err=53 tag=111 nentries=0 etime=0.0000308287
[30/May/2018:10:21:38.134644827 +0000] conn=25164 op=5 SRCH base="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" scope=0 filter="(objectClass=*)" attrs="gidNumber"
[30/May/2018:10:21:38.135140752 +0000] conn=25164 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0000733709
[30/May/2018:10:21:38.138916056 +0000] conn=25164 op=6 CMP dn="cn=opengear-dev-admins,cn=groups,cn=compat,dc=virt,dc=ja,dc=net" attr="gidNumber"
[30/May/2018:10:21:38.139028891 +0000] conn=25164 op=6 RESULT err=53 tag=111 nentries=0 etime=0.0000308404
[30/May/2018:10:21:38.142852631 +0000] conn=25164 op=7 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=adamb)(memberUid=uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net)))" attrs=ALL
[30/May/2018:10:21:38.156708353 +0000] conn=25164 op=7 RESULT err=0 tag=101 nentries=24 etime=0.0014057156
[30/May/2018:10:21:38.167060727 +0000] conn=25164 op=8 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(&(objectClass=user)(uid=adamb))" attrs="uniqueMember"
[30/May/2018:10:21:38.168177702 +0000] conn=25164 op=8 RESULT err=0 tag=101 nentries=0 etime=0.0001377993
[30/May/2018:10:21:38.171969107 +0000] conn=25164 op=9 SRCH base="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" scope=0 filter="(objectClass=*)" attrs="gidNumber"
[30/May/2018:10:21:38.172404602 +0000] conn=25164 op=9 RESULT err=0 tag=101 nentries=1 etime=0.0000586344
[30/May/2018:10:21:38.176342697 +0000] conn=25164 op=10 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(&(objectClass=posixGroup)(gidNumber=606000001))" attrs=ALL
[30/May/2018:10:21:38.177966535 +0000] conn=25164 op=10 RESULT err=0 tag=101 nentries=1 etime=0.0001848763
[30/May/2018:10:21:38.181958348 +0000] conn=25164 op=11 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=adamb)(memberUid=uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net)))" attrs=ALL
[30/May/2018:10:21:38.195375411 +0000] conn=25164 op=11 RESULT err=0 tag=101 nentries=24 etime=0.0013589918
[30/May/2018:10:21:38.217773131 +0000] conn=25164 op=12 UNBIND
[30/May/2018:10:21:38.217822659 +0000] conn=25164 op=12 fd=156 closed - U1
Error log with level > 65535
[30/May/2018:13:13:14.793612423 +0000] - DEBUG - schema-compat-plugin - searching from "cn=compat,dc=virt,dc=ja,dc=net" for "(uid=adamb)" with scope 2 (sub)
[30/May/2018:13:13:14.798987398 +0000] - DEBUG - schema-compat-plugin - search matched uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.806900240 +0000] - DEBUG - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.808973889 +0000] - DEBUG - schema-compat-plugin - sending error 0
[30/May/2018:13:13:14.814889099 +0000] - DEBUG - ipa-pwd-extop - failed to retrieve user entry: uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net
[30/May/2018:13:13:14.817384965 +0000] - DEBUG - ipa-lockout-plugin - preop returning 0: success
Plugin Priorities
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (nsslapd-pluginprecedence=*)
# requesting: cn nsslapd-pluginprecedence
#

# IPA MODRDN, plugins, config
dn: cn=IPA MODRDN,cn=plugins,cn=config
cn: IPA MODRDN
nsslapd-pluginprecedence: 60

# ipa-winsync, plugins, config
dn: cn=ipa-winsync,cn=plugins,cn=config
cn: ipa-winsync
nsslapd-pluginprecedence: 60

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginprecedence: 49

# Posix Winsync API, plugins, config
dn: cn=Posix Winsync API,cn=plugins,cn=config
cn: Posix Winsync API
nsslapd-pluginprecedence: 25

# referential integrity postoperation, plugins, config
dn: cn=referential integrity postoperation,cn=plugins,cn=config
cn: referential integrity postoperation
nsslapd-pluginprecedence: 40

# Retro Changelog Plugin, plugins, config
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
cn: Retro Changelog Plugin
nsslapd-pluginprecedence: 25

# Schema Compatibility, plugins, config
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginprecedence: 49
nsslapd-pluginprecedence: 40

# AES, Password Storage Schemes, plugins, config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
cn: AES
nsslapd-pluginprecedence: 1

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8
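When reproducing this, the access log is the quickest place to see the symptom: a simple BIND against a cn=compat DN whose RESULT is err=0 and whose reported dn has been rewritten to the cn=accounts entry. The script below is an added example for pairing BIND and RESULT entries by conn/op and listing compat-tree binds; it is not code from FreeIPA or from the reporter. The sample log is constructed from the entries posted above, the regexes are written against the 389-ds access-log format shown in them, and ",cn=compat," as the compat-tree marker is an assumption that matches this deployment. The log records only whether the bind succeeded and which DN was authenticated, not whether a token was supplied, so run a deliberate password-only bind for an OTP-mandatory user and check that no entry for it appears as successful.

```python
"""Correlate BIND/RESULT pairs in a 389-ds access log and list binds made
against the compat tree.  Added example for reproducing the ticket's
symptom, not code from FreeIPA or from the reporter.  SAMPLE_LOG is
constructed from the access-log entries posted in the ticket."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: conn=25163 is the password+token attempt (err=49),
# conn=25164 the password-only attempt (err=0, result DN rewritten from
# cn=compat to cn=accounts), plus a system-account bind and a search as noise.
SAMPLE_LOG = """\
[30/May/2018:10:21:26.143921650 +0000] conn=25163 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:26.145498150 +0000] conn=25163 op=2 RESULT err=49 tag=97 nentries=0 etime=0.0001858480 - Invalid credentials
[30/May/2018:10:21:38.100674075 +0000] conn=25164 op=0 BIND dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.101414295 +0000] conn=25164 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0040230747 dn="uid=opengear,cn=sysaccounts,cn=etc,dc=virt,dc=ja,dc=net"
[30/May/2018:10:21:38.105289862 +0000] conn=25164 op=1 SRCH base="cn=compat,dc=virt,dc=ja,dc=net" scope=2 filter="(uid=adamb)" attrs=ALL
[30/May/2018:10:21:38.116056435 +0000] conn=25164 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0011007183
[30/May/2018:10:21:38.120400753 +0000] conn=25164 op=2 BIND dn="uid=adamb,cn=users,cn=compat,dc=virt,dc=ja,dc=net" method=128 version=3
[30/May/2018:10:21:38.122458980 +0000] conn=25164 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0002267568 dn="uid=adamb,cn=users,cn=accounts,dc=virt,dc=ja,dc=net"
"""

# Patterns follow the 389-ds access-log lines shown in the ticket.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND '
    r'dn="(?P<dn>[^"]*)" method=(?P<method>\d+)'
)
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
    r'(?:.* dn="(?P<dn>[^"]*)")?'
)


@dataclass
class BindAttempt:
    timestamp: str
    conn: str
    op: str
    bind_dn: str
    simple: bool                      # method=128 is a simple (password) bind
    err: Optional[int] = None         # LDAP result code, None if no RESULT seen
    result_dn: Optional[str] = None   # DN the server reports as authenticated

    @property
    def compat_tree(self) -> bool:
        # Assumption: compat tree entries live under cn=compat,<suffix>.
        return ",cn=compat," in self.bind_dn.lower()

    @property
    def rewritten(self) -> bool:
        """True when the server authenticated a different DN than the client bound as."""
        return bool(self.result_dn) and self.result_dn.lower() != self.bind_dn.lower()


def parse_binds(log_text: str) -> List[BindAttempt]:
    """Pair each BIND with the RESULT carrying the same conn and op number."""
    pending: Dict[Tuple[str, str], BindAttempt] = {}
    attempts: List[BindAttempt] = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            a = BindAttempt(m["ts"], m["conn"], m["op"], m["dn"], m["method"] == "128")
            pending[(a.conn, a.op)] = a
            attempts.append(a)
            continue
        m = RESULT_RE.match(line)
        if m and (m["conn"], m["op"]) in pending:
            a = pending.pop((m["conn"], m["op"]))
            a.err = int(m["err"])
            a.result_dn = m["dn"]
    return attempts


def compat_tree_binds(log_text: str) -> List[BindAttempt]:
    return [a for a in parse_binds(log_text) if a.compat_tree]


def successful_compat_binds(log_text: str) -> List[BindAttempt]:
    """Compat-tree binds that returned err=0.  During a password-only test of
    an OTP-mandatory user, any entry here is the behaviour reported above."""
    return [a for a in compat_tree_binds(log_text) if a.err == 0]


if __name__ == "__main__":
    for a in compat_tree_binds(SAMPLE_LOG):
        outcome = "OK" if a.err == 0 else f"err={a.err}"
        detail = f" (resolved to {a.result_dn})" if a.rewritten else ""
        print(f"{a.timestamp} conn={a.conn} {a.bind_dn} -> {outcome}{detail}")
```

Point it at /var/log/dirsrv/slapd-INSTANCE/access (instance name assumed) by reading the file into `compat_tree_binds`; the RESULT line's dn= on a successful bind is the entry the server actually authenticated, which is why the rewrite to cn=accounts is visible here.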
Metadata Update from @abbra: - Issue assigned to abbra
@adambishop when you removed the precedence, did the bind start behaving properly?
I'm asking because with a proper precedence for the compat plugin I get everything working just well. In the first ldapsearch I'm using password+token value as a password, in the second one I'm only providing the password.
# ipa user-show ab|grep authentication
  User authentication types: otp
# ipa config-show|grep authentication
  Default user authentication types: password, otp
# ldapsearch -x -b cn=compat,dc=xs,dc=ipa,dc=cool -D uid=ab,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool -W '(&(objectclass=posixAccount)(uid=ab))' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree
# filter: (&(objectclass=posixAccount)(uid=ab))
# requesting: dn
#

# ab, users, compat, xs.ipa.cool
dn: uid=ab,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
# ldapsearch -x -b cn=compat,dc=xs,dc=ipa,dc=cool -D uid=ab,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool -W '(&(objectclass=posixAccount)(uid=ab))' dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
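The precedence clash abbra asks about is visible in the cn=config output in the description: cn=Schema Compatibility carries two nsslapd-pluginprecedence values, and one of them (49) equals cn=ipa_pwd_extop's. The script below is an added check for exactly that, not code from FreeIPA or from this ticket; SAMPLE_LDIF is constructed from the posted ldapsearch output, and the anchor plugin name ipa_pwd_extop is taken from that output. Which value each plugin should carry on a given FreeIPA release is not assumed here; the check only reports entries with more than one value and entries whose value collides with the anchor's.

```python
"""Flag nsslapd-pluginprecedence conflicts in 389-ds plugin configuration.
Added example, not code from FreeIPA or the ticket.  SAMPLE_LDIF is
constructed from the ldapsearch output posted in the ticket description."""
from typing import Dict, List

SAMPLE_LDIF = """\
# extended LDIF
#
# base <cn=config> with scope subtree
# filter: (nsslapd-pluginprecedence=*)
#

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginprecedence: 49

# referential integrity postoperation, plugins, config
dn: cn=referential integrity postoperation,cn=plugins,cn=config
cn: referential integrity postoperation
nsslapd-pluginprecedence: 40

# Schema Compatibility, plugins, config
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginprecedence: 49
nsslapd-pluginprecedence: 40

# AES, Password Storage Schemes, plugins, config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
cn: AES
nsslapd-pluginprecedence: 1

# search result
search: 2
result: 0 Success
"""


def parse_precedence(ldif_text: str) -> Dict[str, List[int]]:
    """Map each plugin's cn to the precedence values on its entry.
    Records are separated by blank lines and ldapsearch '#' comments are
    skipped.  Base64 (::) and folded continuation lines are not expected
    for these two attributes and are not handled."""
    plugins: Dict[str, List[int]] = {}
    for record in ldif_text.split("\n\n"):
        cn = None
        values: List[int] = []
        for line in record.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "cn":
                cn = value
            elif attr == "nsslapd-pluginprecedence":
                values.append(int(value))
        if cn is not None:
            plugins[cn] = values
    return plugins


def precedence_conflicts(plugins: Dict[str, List[int]],
                         anchor: str = "ipa_pwd_extop") -> List[str]:
    """Report entries carrying more than one precedence value, and entries
    whose precedence equals the anchor plugin's: equal values mean the
    precedence attribute no longer fixes the order of the two plugins."""
    findings: List[str] = []
    for name, values in plugins.items():
        if len(values) > 1:
            findings.append(f"{name}: multiple precedence values {sorted(values)}")
    anchor_values = set(plugins.get(anchor, []))
    for name, values in plugins.items():
        shared = anchor_values & set(values)
        if name != anchor and shared:
            findings.append(f"{name}: shares precedence {sorted(shared)} with {anchor}")
    return findings


if __name__ == "__main__":
    for finding in precedence_conflicts(parse_precedence(SAMPLE_LDIF)):
        print(finding)
```

To run it against a live server, capture the same query the description shows (ldapsearch -Y EXTERNAL over the instance's ldapi socket, base cn=config, filter (nsslapd-pluginprecedence=*), attributes cn and nsslapd-pluginprecedence; the socket name is instance-specific) and pass the output to `parse_precedence`. An empty finding list after the precedence reset is the expected state.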
If a duplicate/incorrect precedence between ipa-passwd-extop and schema-compat plugins was the real issue, then this ticket can be closed. Or reused to update IPA plugins to use SLAPI_TARGET_SDN value instead of the dn. And priority would be lower.
Yes, when I reset the precedence values it fixed my immediate issue, so this could be lower priority.
I'm closing this issue because it is solved for @adambishop but I'll open a separate one for IPA plugins modernization task.
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)