Hello All,
I have been following the Howtos on how to connect authelia to freeipa, and can now connect an authenticate without any issue.However, if i set the filter for a particular ldap group i get permission denied.My configuration is as follows:
Authelia bit:
authentication_backend:
disable_reset_password: false
ldap:
implementation: custom
url: ldaps://ipa.net.xpto:33636
timeout: 5s
start_tls: false
tls:
server_name: ipa.net.xpto
skip_verify: true
minimum_version: TLS1.2
base_dn: dc=net,DC=xpto
username_attribute: uid
additional_users_dn: CN=users,CN=accounts
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
additional_groups_dn: OU=groups
groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
user: UID=authelia,CN=users,CN=accounts,DC=net,DC=xpto
password: "myveryawsomeanddificultpassword"
My configuration bit for the filters:
access_control:
default_policy: deny
rules:
# Rules applied to everyone
- domain: "``auth.mysite.com``"
policy: bypass
- domain:
lab.mysite.com
subject: "group:netshare_kb.mysite.com"
policy: two_factor
If i remove the subject: "group:netshare_kb.mysite.com"
i can authenticate without any issue.
For the log bits:
time="2023-11-13T07:06:56Z" level=trace msg="Request hit" method=POST path=/api/firstfactor remote_ip=
1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Detected user filter is (&(|(uid=nuno)(mail=nuno))(objectClass=person))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing user search" attr="[uid mail displayName]" base_dn="CN=users,CN=accounts,dc=net,DC=xpto" deref=0 filter="(&(|(uid=nuno)(mail=nuno))(objectClass=person))" scope=2
time="2023-11-13T07:06:56Z" level=debug msg="Mark 1FA authentication attempt made by user 'nuno'" method=POST path=/api/firstfactor remote_ip=
1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Successful 1FA authentication attempt made by user 'nuno'" method=POST path=/api/firstfactor remote_ip=
1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Detected user filter is (&(|(uid=nuno)(mail=nuno))(objectClass=person))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing user search" attr="[uid mail displayName]" base_dn="CN=users,CN=accounts,dc=net,DC=xpto" deref=0 filter="(&(|(uid=nuno)(mail=nuno))(objectClass=person))" scope=2
time="2023-11-13T07:06:56Z" level=trace msg="Computed groups filter is (&(member=uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing group search" attr="[cn]" base_dn="OU=groups,dc=net,DC=xpto" deref=0 filter="(&(member=uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))" scope=2
time="2023-11-13T07:06:56Z" level=trace msg="Profile details for user 'nuno' => groups: [], emails [nuno@mysite.com]" method=POST path=/api/firstfactor remote_ip=
1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Check authorization of subject username=nuno groups= ip=
1.3.5.7
and object
https://lab.mysite.com/
(method )."
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=
1.3.5.7
and object
https://lab.mysite.com/
(method )"
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=
1.3.5.7
and object
https://lab.mysite.com/
(method )"
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=
1.3.5.7
and object
https://lab.mysite.com/
(method )"
time="2023-11-13T07:06:56Z" level=debug msg="No matching rule for subject username=nuno groups= ip=
1.3.5.7
and url
https://lab.mysite.com/
(method ) applying default policy"
time="2023-11-13T07:06:56Z" level=debug msg="Required level for the URL
https://lab.mysite.com/
is 3" method=POST path=/api/firstfactor remote_ip=
1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Redirection URL
https://lab.mysite.com/
is safe" method=POST path=/api/firstfactor remote_ip=
1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Timing Attack Delay successful: true, exec duration: 126, avg execution duration: 1000, random delay ms: 73, total delay ms: 1073, actual delay ms: 947" method=POST path=/api/firstfactor remote_ip=
1.3.5.7
time="2023-11-13T07:06:57Z" level=trace msg="Replied (status=200)" method=POST path=/api/firstfactor remote_ip=
1.3.5.7
time="2023-11-13T07:06:57Z" level=trace msg="Request hit" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Headers=GET /api/verify HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\nHost:
lab.mysite.com
\r\nX-Original-Url:
https://lab.mysite.com/\r\nX-Real-Ip:
127.0.0.1
\r\nX-Forwarded-For:
127.0.0.1
\r\nX-Forwarded-Proto: https\r\nX-Forwarded-Host:
lab.mysite.com
\r\nX-Forwarded-Uri: /\r\nX-Forwarded-Ssl: on\r\nAccept-Encoding: gzip\r\nCf-Ray: 82552ccf681701bd-CDG\r\nCf-Visitor: {\"scheme\":\"https\"}\r\nSec-Ch-Ua: \"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"Windows\"\r\nUpgrade-Insecure-Requests: 1\r\nDnt: 1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nSec-Fetch-Site: same-site\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-User: ?1\r\nSec-Fetch-Dest: document\r\nReferer:
https://auth.mysite.com/\r\nAccept-Language:
en\r\nCookie: authelia_session=1pajNRsjd!FqmlSKz$QZDKPTZpAGgdHR\r\nPriority: u=0, i\r\nCdn-Loop: cloudflare\r\nCf-Connecting-Ip:
1.3.5.7
\r\nCf-Ipcountry: PT\r\nVia: 1.1
lab.mysite.com
\r\nX-Forwarded-Server:
lab.mysite.com
\r\n\r\n" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Using X-Original-URL header content as targeted site URL" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Inactivity report for user 'nuno'. Current Time: 1699859217, Last Activity: 1699859216, Maximum Inactivity: 7200." method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Checking if we need check the authentication backend for an updated profile for nuno." method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:57Z" level=debug msg="Check authorization of subject username=nuno groups= ip=
127.0.0.1
and object
https://lab.mysite.com/
(method )."
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=
127.0.0.1
and object
https://lab.mysite.com/
(method )"
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=
127.0.0.1
and object
https://lab.mysite.com/
(method )"
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=
127.0.0.1
and object
https://lab.mysite.com/
(method )"
time="2023-11-13T07:06:57Z" level=debug msg="No matching rule for subject username=nuno groups= ip=
127.0.0.1
and url
https://lab.mysite.com/
(method ) applying default policy"
time="2023-11-13T07:06:57Z" level=info msg="Access to
https://lab.mysite.com/
is forbidden to user nuno" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Replied (status=403)" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Request hit" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Headers=GET /api/verify HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\nHost:
lab.mysite.com
\r\nX-Original-Url:
https://lab.mysite.com/favicon.ico\r\nX-Real-Ip:
127.0.0.1
\r\nX-Forwarded-For:
127.0.0.1
\r\nX-Forwarded-Proto: https\r\nX-Forwarded-Host:
lab.mysite.com
\r\nX-Forwarded-Uri: /favicon.ico\r\nX-Forwarded-Ssl: on\r\nAccept-Encoding: gzip\r\nCf-Ray: 82552cd0e98301bd-CDG\r\nCf-Visitor: {\"scheme\":\"https\"}\r\nSec-Ch-Ua: \"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"\r\nDnt: 1\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"Windows\"\r\nAccept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: image\r\nReferer:
https://lab.mysite.com/\r\nAccept-Language:
en\r\nCookie: authelia_session=1pajNRsjd!FqmlSKz$QZDKPTZpAGgdHR\r\nPriority: u=1, i\r\nCdn-Loop: cloudflare\r\nCf-Connecting-Ip:
1.3.5.7
\r\nCf-Ipcountry: PT\r\nVia: 1.1
lab.mysite.com
\r\nX-Forwarded-Server:
lab.mysite.com
\r\n\r\n" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Using X-Original-URL header content as targeted site URL" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Inactivity report for user 'nuno'. Current Time: 1699859218, Last Activity: 1699859217, Maximum Inactivity: 7200." method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Checking if we need check the authentication backend for an updated profile for nuno." method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:58Z" level=debug msg="Check authorization of subject username=nuno groups= ip=
127.0.0.1
and object
https://lab.mysite.com/favicon.ico
(method )."
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=
127.0.0.1
and object
https://lab.mysite.com/favicon.ico
(method )"
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=
127.0.0.1
and object
https://lab.mysite.com/favicon.ico
(method )"
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=
127.0.0.1
and object
https://lab.mysite.com/favicon.ico
(method )"
time="2023-11-13T07:06:58Z" level=debug msg="No matching rule for subject username=nuno groups= ip=
127.0.0.1
and url
https://lab.mysite.com/favicon.ico
(method ) applying default policy"
time="2023-11-13T07:06:58Z" level=info msg="Access to
https://lab.mysite.com/favicon.ico
is forbidden to user nuno" method=GET path=/api/verify remote_ip=
127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Replied (status=403)" method=GET path=/api/verify remote_ip=
127.0.0.1
So, it shows that i can log-on without issues, but it also appears that it cannot find the group, netshare_kb.mysite.com
but the group is valid and active with-in ipa. I can see using ldapsearch that the user is also within that group:
dn: cn=netshare_kb.mysite.com,cn=groups,cn=accounts,dc=net,dc=xpto
cn: netshare_kb.mysite.com
description: Acesso a KB
gidNumber: 848450507
ipaUniqueID: b10d7d2e-a765-11e6-b189-02002e0f7ea7
member: uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto
objectClass: ipaobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
What am i missing? I am on the latest freeipa and authelia versions.Thanks for your help
Nope. I have moved away several years ago from pfsense and could not be happier. I am running production off a 2 node, 24 vlan cluster and it’s rock solid