我可以毫无问题地搜索用户:
ldapsearch -h ldap.my.server.name -b "cn=vpnusers,ou=groups,dc=example,dc=com" -x "memberUid=myusername"
结果:
# extended LDIF
#
# LDAPv3
# base <cn=vpnusers,ou=groups,dc=example,dc=com> with scope subtree
# filter: memberUid=myusername
# requesting: ALL
#
# vpnusers, groups, example.com
dn: cn=vpnusers,ou=groups,dc=example,dc=com
gidNumber: 10000
description: Group account
cn: vpnusers
objectClass: posixGroup
memberUid: myusername
memberUid: someuser
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
所以我知道该条目在那里并且可以搜索。但是现在我正尝试使用插件使用 openvpn 搜索该auth-ldap组
这是我的 auth-ldap.conf运行良好(当RequireGroup=时false:
<LDAP>
URL ldap://ldap.my.server.name
Timeout 10
TLSEnable yes
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "ou=users,dc=example,dc=com"
SearchFilter "(uid=%u)"
RequireGroup false
<Group>
BaseDN "ou=groups,dc=example,dc=com"
SearchFilter "cn=vpnusers"
MemberAttribute memberUid
</Group>
</Authorization>
如果我将其更新为需要组搜索,则会失败:
<LDAP>
URL ldap://ldap.my.server.name
Timeout 10
TLSEnable yes
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "ou=users,dc=example,dc=com"
SearchFilter "(uid=%u)"
RequireGroup true
<Group>
BaseDN "ou=groups,dc=example,dc=com"
SearchFilter "cn=vpnusers"
MemberAttribute memberUid
</Group>
</Authorization>
openvpn服务器吐出的错误是:
Dec 6 18:54:37 openvpn01 openvpn: Thu Dec 6 18:54:37 2018 47.153.170.228:1194 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Dec 6 18:54:37 openvpn01 openvpn: Thu Dec 6 18:54:37 2018 47.153.170.228:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Dec 6 18:54:37 openvpn01 openvpn: Thu Dec 6 18:54:37 2018 47.153.170.228:1194 TLS Auth Error: Auth Username/Password verification failed for peer
如果我不使用该RequireGroup选项,则工作正常,因此我认为我的MemberAttribute或SearchFilter错了。有什么想法吗?以前有人遇到过这个问题吗?
答案1
我最近在尝试使用 JumpCloud 的 LDAP 服务时遇到了同样的问题。对我有用的方法是将搜索过滤器括在括号中:
searchFilter "(cn=vpnusers)"