Hello All,

I have been following the how-tos on how to connect Authelia to FreeIPA, and can now connect and authenticate without any issue. However, if I set the filter for a particular LDAP group I get permission denied. My configuration is as follows:

Authelia bit:

```yaml
authentication_backend:
  disable_reset_password: false

  ldap:
    implementation: custom
    url: ldaps://ipa.net.xpto:33636
    timeout: 5s
    start_tls: false
    tls:
      server_name: ipa.net.xpto
      skip_verify: true
      minimum_version: TLS1.2
    base_dn: dc=net,DC=xpto
    username_attribute: uid
    additional_users_dn: CN=users,CN=accounts
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    additional_groups_dn: OU=groups
    groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    user: UID=authelia,CN=users,CN=accounts,DC=net,DC=xpto
    password: "myveryawsomeanddificultpassword"
```

My configuration bit for the filters:

```yaml
access_control:
  default_policy: deny
  rules:
    # Rules applied to everyone
    - domain: "auth.mysite.com"
      policy: bypass

    - domain: lab.mysite.com
      subject: "group:netshare_kb.mysite.com"
      policy: two_factor
```

If I remove the `subject: "group:netshare_kb.mysite.com"` line I can authenticate without any issue.

For the log bits:

```text
time="2023-11-13T07:06:56Z" level=trace msg="Request hit" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Detected user filter is (&(|(uid=nuno)(mail=nuno))(objectClass=person))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing user search" attr="[uid mail displayName]" base_dn="CN=users,CN=accounts,dc=net,DC=xpto" deref=0 filter="(&(|(uid=nuno)(mail=nuno))(objectClass=person))" scope=2
time="2023-11-13T07:06:56Z" level=debug msg="Mark 1FA authentication attempt made by user 'nuno'" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Successful 1FA authentication attempt made by user 'nuno'" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Detected user filter is (&(|(uid=nuno)(mail=nuno))(objectClass=person))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing user search" attr="[uid mail displayName]" base_dn="CN=users,CN=accounts,dc=net,DC=xpto" deref=0 filter="(&(|(uid=nuno)(mail=nuno))(objectClass=person))" scope=2
time="2023-11-13T07:06:56Z" level=trace msg="Computed groups filter is (&(member=uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing group search" attr="[cn]" base_dn="OU=groups,dc=net,DC=xpto" deref=0 filter="(&(member=uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))" scope=2
time="2023-11-13T07:06:56Z" level=trace msg="Profile details for user 'nuno' => groups: [], emails [nuno@mysite.com]" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Check authorization of subject username=nuno groups= ip=1.3.5.7 and object https://lab.mysite.com/ (method )."
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=1.3.5.7 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=1.3.5.7 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=1.3.5.7 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:56Z" level=debug msg="No matching rule for subject username=nuno groups= ip=1.3.5.7 and url https://lab.mysite.com/ (method ) applying default policy"
time="2023-11-13T07:06:56Z" level=debug msg="Required level for the URL https://lab.mysite.com/ is 3" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Redirection URL https://lab.mysite.com/ is safe" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Timing Attack Delay successful: true, exec duration: 126, avg execution duration: 1000, random delay ms: 73, total delay ms: 1073, actual delay ms: 947" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:57Z" level=trace msg="Replied (status=200)" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:57Z" level=trace msg="Request hit" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Headers=GET /api/verify HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\nHost: lab.mysite.com\r\nX-Original-Url: https://lab.mysite.com/\r\nX-Real-Ip: 127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nX-Forwarded-Proto: https\r\nX-Forwarded-Host: lab.mysite.com\r\nX-Forwarded-Uri: /\r\nX-Forwarded-Ssl: on\r\nAccept-Encoding: gzip\r\nCf-Ray: 82552ccf681701bd-CDG\r\nCf-Visitor: {\"scheme\":\"https\"}\r\nSec-Ch-Ua: \"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"Windows\"\r\nUpgrade-Insecure-Requests: 1\r\nDnt: 1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nSec-Fetch-Site: same-site\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-User: ?1\r\nSec-Fetch-Dest: document\r\nReferer: https://auth.mysite.com/\r\nAccept-Language: en\r\nCookie: authelia_session=1pajNRsjd!FqmlSKz$QZDKPTZpAGgdHR\r\nPriority: u=0, i\r\nCdn-Loop: cloudflare\r\nCf-Connecting-Ip: 1.3.5.7\r\nCf-Ipcountry: PT\r\nVia: 1.1 lab.mysite.com\r\nX-Forwarded-Server: lab.mysite.com\r\n\r\n" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Using X-Original-URL header content as targeted site URL" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Inactivity report for user 'nuno'. Current Time: 1699859217, Last Activity: 1699859216, Maximum Inactivity: 7200." method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Checking if we need check the authentication backend for an updated profile for nuno." method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=debug msg="Check authorization of subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/ (method )."
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:57Z" level=debug msg="No matching rule for subject username=nuno groups= ip=127.0.0.1 and url https://lab.mysite.com/ (method ) applying default policy"
time="2023-11-13T07:06:57Z" level=info msg="Access to https://lab.mysite.com/ is forbidden to user nuno" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Replied (status=403)" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Request hit" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Headers=GET /api/verify HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\nHost: lab.mysite.com\r\nX-Original-Url: https://lab.mysite.com/favicon.ico\r\nX-Real-Ip: 127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nX-Forwarded-Proto: https\r\nX-Forwarded-Host: lab.mysite.com\r\nX-Forwarded-Uri: /favicon.ico\r\nX-Forwarded-Ssl: on\r\nAccept-Encoding: gzip\r\nCf-Ray: 82552cd0e98301bd-CDG\r\nCf-Visitor: {\"scheme\":\"https\"}\r\nSec-Ch-Ua: \"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"\r\nDnt: 1\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"Windows\"\r\nAccept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: image\r\nReferer: https://lab.mysite.com/\r\nAccept-Language: en\r\nCookie: authelia_session=1pajNRsjd!FqmlSKz$QZDKPTZpAGgdHR\r\nPriority: u=1, i\r\nCdn-Loop: cloudflare\r\nCf-Connecting-Ip: 1.3.5.7\r\nCf-Ipcountry: PT\r\nVia: 1.1 lab.mysite.com\r\nX-Forwarded-Server: lab.mysite.com\r\n\r\n" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Using X-Original-URL header content as targeted site URL" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Inactivity report for user 'nuno'. Current Time: 1699859218, Last Activity: 1699859217, Maximum Inactivity: 7200." method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Checking if we need check the authentication backend for an updated profile for nuno." method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=debug msg="Check authorization of subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/favicon.ico (method )."
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/favicon.ico (method )"
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/favicon.ico (method )"
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/favicon.ico (method )"
time="2023-11-13T07:06:58Z" level=debug msg="No matching rule for subject username=nuno groups= ip=127.0.0.1 and url https://lab.mysite.com/favicon.ico (method ) applying default policy"
time="2023-11-13T07:06:58Z" level=info msg="Access to https://lab.mysite.com/favicon.ico is forbidden to user nuno" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Replied (status=403)" method=GET path=/api/verify remote_ip=127.0.0.1
```

So, it shows that I can log on without issues, but it also appears that it cannot find the group netshare_kb.mysite.com, even though the group is valid and active within IPA. I can see using ldapsearch that the user is also within that group:

```text
dn: cn=netshare_kb.mysite.com,cn=groups,cn=accounts,dc=net,dc=xpto
cn: netshare_kb.mysite.com
description: Acesso a KB
gidNumber: 848450507
ipaUniqueID: b10d7d2e-a765-11e6-b189-02002e0f7ea7
member: uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto
objectClass: ipaobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
```

What am I missing? I am on the latest FreeIPA and Authelia versions. Thanks for your help.
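The post's own trace line and ldapsearch output already contain the answer: Authelia performs the group search under `base_dn="OU=groups,dc=net,DC=xpto"` (built as `additional_groups_dn` + `,` + `base_dn`), but the group lives at `cn=netshare_kb.mysite.com,cn=groups,cn=accounts,dc=net,dc=xpto`, so a subtree search under `OU=groups` can never return it and the profile ends up with `groups: []`. The filter and the `member` value are fine; only the search base is wrong, and `additional_groups_dn: CN=groups,CN=accounts` (mirroring the `additional_users_dn` already in the config) puts the group in scope. The script below is an added diagnostic, not code from the post or from Authelia: it reproduces the search base the way the log shows it, checks whether a group entry (the one quoted in the post, embedded here as a constant) falls inside that base, whether the user DN substituted into `groups_filter` appears in `member`, whether the entry carries `groupofnames`, and whether the access-control `subject` matches the group's `cn`. DN comparison is a simplified version of the LDAP rules (case-insensitive attribute types and values, whitespace around commas ignored, no escaped-comma or multi-valued RDN handling), which is enough for FreeIPA's default tree.

```python
from __future__ import annotations

# Values copied from the post: base_dn, the DN Authelia substituted into the
# groups filter (see the "Computed groups filter" trace line), the group entry
# from ldapsearch, and the access_control subject. Everything else is assumed.
BASE_DN = "dc=net,DC=xpto"
USER_DN = "uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto"
RULE_SUBJECT = "group:netshare_kb.mysite.com"
GROUP_NAME_ATTRIBUTE = "cn"
GROUP_LDIF = """\
dn: cn=netshare_kb.mysite.com,cn=groups,cn=accounts,dc=net,dc=xpto
cn: netshare_kb.mysite.com
description: Acesso a KB
member: uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto
objectClass: ipaobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
"""


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into RDNs with lower-cased type and value, spaces trimmed.

    Simplified matching: sufficient for cn/ou/dc/uid DNs as used by FreeIPA,
    not a general RFC 4514 parser (escaped commas and multi-valued RDNs are
    not handled).
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def dn_in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn or lies beneath it (LDAP scope=2, subtree)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def group_search_base(base_dn: str, additional_groups_dn: str) -> str:
    """Reproduce the base_dn Authelia logs in 'Performing group search'."""
    return f"{additional_groups_dn},{base_dn}" if additional_groups_dn else base_dn


def parse_ldif_entry(ldif: str) -> dict[str, list[str]]:
    """Minimal LDIF reader for one entry: attribute name -> list of values."""
    entry: dict[str, list[str]] = {}
    for line in ldif.strip().splitlines():
        key, _, value = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry


def diagnose(base_dn: str, additional_groups_dn: str, user_dn: str,
             group_ldif: str, rule_subject: str,
             group_name_attribute: str = "cn") -> dict:
    """Explain why Authelia would or would not list this group for the user."""
    group = parse_ldif_entry(group_ldif)
    search_base = group_search_base(base_dn, additional_groups_dn)
    user = normalize_dn(user_dn)
    result = {
        "search_base": search_base,
        "group_in_search_scope": dn_in_subtree(group["dn"][0], search_base),
        "user_is_member": any(normalize_dn(m) == user for m in group.get("member", [])),
        "groupofnames": any(oc.lower() == "groupofnames" for oc in group.get("objectclass", [])),
        # access_control subjects are "group:<value of group_name_attribute>"
        "rule_matches": rule_subject == f"group:{group[group_name_attribute.lower()][0]}",
    }
    result["found"] = all(result[k] for k in
                          ("group_in_search_scope", "user_is_member", "groupofnames"))
    return result


if __name__ == "__main__":
    # The post's value versus the value that matches the ldapsearch output.
    for additional in ("OU=groups", "CN=groups,CN=accounts"):
        report = diagnose(BASE_DN, additional, USER_DN, GROUP_LDIF, RULE_SUBJECT,
                          GROUP_NAME_ATTRIBUTE)
        print(f"additional_groups_dn={additional!r}: {report}")
```

The same check can be run against the real directory by issuing the search Authelia performs yourself, with the bind account from the config, using the exact `base_dn` and `filter` from the trace line (`ldapsearch -H ldaps://ipa.net.xpto:33636 -D 'uid=authelia,cn=users,cn=accounts,dc=net,dc=xpto' -W -b 'OU=groups,dc=net,DC=xpto' '(&(member=uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))' cn`): it returns nothing, and with `-b 'cn=groups,cn=accounts,dc=net,dc=xpto'` it returns the group. Authelia also ships a `freeipa` value for `implementation` whose defaults are meant for this tree; check its documented defaults against yours before keeping `custom`. Unrelated to the group problem but worth fixing in the same file: `tls.skip_verify: true` disables certificate validation on the LDAPS connection, so once the IPA CA certificate is trusted by the Authelia host, set it to `false`.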