Need help clearing default strings from ldap_filter

07-13-2023 04:10 PM
I am trying to set up the authentication proxy to connect to an open ldap server. The authproxy_connectivity_tool is telling me that I’m not getting any search results because of my ldap filter. The meaningful section is…
The Auth Proxy did not get results searching for users in DN dc=cluster,dc=local using the filter (&(|(&(objectClass=user)(objectCategory=person))(objectClass=inetOrgPerson)(objectClass=organizationalPerson))(&(objectCass=posixAccount)(memberOf=cn=duo,ou=Group,dc=cluster,dc=local)))
I have the ldap_filter set to…
ldap_filter=(&(objectCass=posixAccount)(memberOf=cn=duo,ou=Group,dc=cluster,dc=local))
If I don’t set the filter, it defaults to
(&(|(&(objectClass=user)(objectCategory=person))(objectClass=inetOrgPerson)(objectClass=organizationalPerson))
Should I trim the filter down to just (objectCass=posixAccount) and put memberOf=cn=duo,ou=Group,dc=cluster,dc=local under the security_group heading?
I just can’t get the proxy to not give me all the default filter.
Any suggestions are appreciated.
Thanks,
James “Zeke” Dehnert

07-14-2023 08:11 AM
Is it worth pointing out that you put objectCass=posixAccount instead of objectClass=posixAccount multiple times into your post, so maybe you have the same typo in your actual authproxy.cfg?

07-14-2023 10:35 AM
Thanks DuoKristina. I did in fact have a typo, but fixing it hasn’t changed the behavior!
Can anyone explain why the client insists on adding
(|(&(objectClass=user)(objectCategory=person))(objectClass=inetOrgPerson)(objectClass=organizationalPerson))(objectClass=posixAccount))
to any and all queries to the LDAP server?
Thanks,
James “Zeke” Dehnert

07-17-2023 08:44 AM
Ah, I get it!
Yes, as you observed what's specified in ldap_filter is added to the proxy's default filter. Do your LDAP users not also have the objectClass inetOrgPerson?
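
Why the search can still come back empty once the typo is fixed, as an added example that is not part of the original thread and not Duo's code: it ANDs the default filter with the custom one, as the connectivity tool output shows, and evaluates both against two sample entries. The entries, the ou=People container and all function names are constructed assumptions.

```python
# Added illustration, not Duo's code: evaluates the filter subset used in this
# thread (&, |, ! and equality) against constructed sample entries.
DEFAULT_FILTER = ("(|(&(objectClass=user)(objectCategory=person))"
                  "(objectClass=inetOrgPerson)(objectClass=organizationalPerson))")
GROUP = "cn=duo,ou=Group,dc=cluster,dc=local"
CUSTOM_FILTER = f"(&(objectClass=posixAccount)(memberOf={GROUP}))"
# Constructed entries: alice is a plain posixAccount, bob is also inetOrgPerson.
ENTRIES = {
    "uid=alice,ou=People,dc=cluster,dc=local":
        {"objectClass": ["account", "posixAccount"], "memberOf": [GROUP]},
    "uid=bob,ou=People,dc=cluster,dc=local":
        {"objectClass": ["inetOrgPerson", "posixAccount"], "memberOf": [GROUP]},
}

def combine(default, custom):
    """AND the two filters, the shape the connectivity tool output shows."""
    return "(&" + default + custom + ")"

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (tree, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or f[i:i + 1] != ")":
            raise ValueError(f"malformed filter near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError when the paren is missing
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]}, case-insensitively."""
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def search(filter_text, entries=ENTRIES):
    """Return the DNs whose attributes satisfy filter_text."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("unbalanced or trailing text in filter")
    return [dn for dn, attrs in entries.items() if matches(
        tree, {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()})]
```

With these entries the custom filter alone matches both users, while the combined filter matches only the one that also carries inetOrgPerson.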
