LDAP - Exported variable - Sessions Opening conditions
Concerned version
Version: 1.9.15
Problem
We're moving from another solution and I'm trying to keep the same LDAP configuration (no pwdMaxAge, pwdExpireWarning, etc.). We manage this somewhere else and update the "pwdMustChange" attribute when needed. So I'm looking for a way to show a specific message when the value is "true".
I was thinking about a Session Opening condition, but it seems we can't use an LDAP Exported variable there.
I found this with Perl in debug mode:
Logs - With Exported Variable condition
Lemonldap::NG::Portal::SharedConf: Evaluation result: xxxx
Lemonldap::NG::Portal::SharedConf: processing to sub setGroups
Lemonldap::NG::Portal::SharedConf: Searching LDAP groups in cn=xxxx,ou=xxxx,dc=xxxx,dc=xxxx,dc=xxxx for xxxx
Lemonldap::NG::Portal::SharedConf: Group search filter: (&(objectClass=xxxx)(|(memberUid=xxxx)))
Lemonldap::NG::Portal::SharedConf: Matching group cn=xxxx,ou=xxxx,dc=xxxx,dc=xxxx,dc=xxxx found
Lemonldap::NG::Portal::SharedConf: Store values of cn in group clientele
Lemonldap::NG::Portal::SharedConf: processing to sub setPersistentSessionInfo
Lemonldap::NG::Portal::SharedConf: Persistent session found for xxxx
Lemonldap::NG::Portal::SharedConf: Restore persistent parameter loginHistory
Lemonldap::NG::Portal::SharedConf: processing to sub setLocalGroups
Lemonldap::NG::Portal::SharedConf: processing to sub sendPasswordMail
Lemonldap::NG::Portal::SharedConf: processing to sub authenticate
Lemonldap::NG::Portal::SharedConf: processing to sub userNotice
/usr/share/perl5/Lemonldap/NG/Common/CGI.pm 305:
Lemonldap::NG : Good authentication for xxxx by LDAP (xxxx)
Lemonldap::NG::Portal::SharedConf: processing to sub authFinish
Lemonldap::NG::Portal::SharedConf: Unbind and disconnect from ldaps://xxxx
Lemonldap::NG::Portal::SharedConf: processing to sub userDBFinish
Lemonldap::NG::Portal::SharedConf: processing to sub passwordDBFinish
Lemonldap::NG::Portal::SharedConf: processing to sub grantSession
Lemonldap::NG::Portal::SharedConf: Grant session condition "$pwdMustChange eq "false"##MDP_EXPIRE" checked
Lemonldap::NG::Portal::SharedConf: Evaluate expression: $self->{p}->{sessionInfo}->{pwdMustChange} eq "false"##MDP_EXPIRE
Lemonldap::NG::Portal::SharedConf: Evaluation result:
/usr/share/perl5/Lemonldap/NG/Portal/Simple.pm 2493:
User xxxx was not granted to open session
Lemonldap::NG::Portal::SharedConf: Evaluate expression: EXPIRE_MSG
Lemonldap::NG::Portal::SharedConf: Evaluation result: EXPIRE_MSG
Lemonldap::NG::Portal::SharedConf: Current login saved into failedLogin
Lemonldap::NG::Portal::SharedConf: Use customized message EXPIRE_MSG for error 41
Lemonldap::NG::Portal::SharedConf: Use customized message EXPIRE_MSG for error 41
Logs - With group condition
Lemonldap::NG::Portal::SharedConf: Evaluation result: xxxx
Lemonldap::NG::Portal::SharedConf: processing to sub setGroups
Lemonldap::NG::Portal::SharedConf: Searching LDAP groups in ou=xxxx,dc=xxxx,dc=xxxx,dc=xxxx for xxxx
Lemonldap::NG::Portal::SharedConf: Group search filter: (&(objectClass=xxxx)(|(memberUid=xxxx)))
Lemonldap::NG::Portal::SharedConf: Matching group cn=xxxx,ou=xxxx,dc=xxxx,dc=xxxx,dc=xxxx found
Lemonldap::NG::Portal::SharedConf: Store values of cn in group xxxx
Lemonldap::NG::Portal::SharedConf: processing to sub setPersistentSessionInfo
Lemonldap::NG::Portal::SharedConf: Persistent session found for xxxx
Lemonldap::NG::Portal::SharedConf: Restore persistent parameter loginHistory
Lemonldap::NG::Portal::SharedConf: processing to sub setLocalGroups
Lemonldap::NG::Portal::SharedConf: processing to sub sendPasswordMail
Lemonldap::NG::Portal::SharedConf: processing to sub authenticate
Lemonldap::NG::Portal::SharedConf: processing to sub userNotice
/usr/share/perl5/Lemonldap/NG/Common/CGI.pm 305:
Lemonldap::NG : Good authentication for xxxx by LDAP (xxxx)
Lemonldap::NG::Portal::SharedConf: processing to sub authFinish
Lemonldap::NG::Portal::SharedConf: Unbind and disconnect from ldaps://xxxx
Lemonldap::NG::Portal::SharedConf: processing to sub userDBFinish
Lemonldap::NG::Portal::SharedConf: processing to sub passwordDBFinish
Lemonldap::NG::Portal::SharedConf: processing to sub grantSession
Lemonldap::NG::Portal::SharedConf: Grant session condition "$groups =~ /\\bxxxx\\b/##MDP_EXPIRE" checked
Lemonldap::NG::Portal::SharedConf: Evaluate expression: $self->{p}->{sessionInfo}->{groups} =~ /\\bxxxx\\b/##MDP_EXPIRE
Lemonldap::NG::Portal::SharedConf: Evaluation result: 1
Lemonldap::NG::Portal::SharedConf: processing to sub userNotice
/usr/share/perl5/Lemonldap/NG/Common/CGI.pm 305:
Lemonldap::NG : Session granted for xxxx (xxxx)
Lemonldap::NG::Portal::SharedConf: Current login saved into successLogin
Lemonldap::NG::Portal::SharedConf: processing to sub removeOther
Lemonldap::NG::Portal::SharedConf: processing to sub store
Lemonldap::NG::Portal::SharedConf: Inform Apache about the user connected
Lemonldap::NG::Portal::SharedConf: Try to get a new SSO session
Lemonldap::NG::Portal::SharedConf: Return SSO session 95786fb3ae6428b42c6d5bfa9af61933390854364cb9c863c968d9f53804a64d
Lemonldap::NG::Portal::SharedConf: Store uid=xxxx,ou=xxxx,dc=xxxx,dc=xxxx,dc=xxxx in session key dn
Lemonldap::NG::Portal::SharedConf: Store -4 in session key _timezone
Lemonldap::NG::Portal::SharedConf: Store LDAP in session key _passwordDB
Lemonldap::NG::Portal::SharedConf: Store xxxx in session key groups
Lemonldap::NG::Portal::SharedConf: Store 20180327152124 in session key startTime
Lemonldap::NG::Portal::SharedConf: Store 1522178484 in session key _lastSeen
Lemonldap::NG::Portal::SharedConf: Store in session key pwdMaxFailure
Lemonldap::NG::Portal::SharedConf: Store https://xxxx.xxxx// in session key _url
Lemonldap::NG::Portal::SharedConf: Store xxxx in session key ipAddr
Lemonldap::NG::Portal::SharedConf: Store 3 in session key authenticationLevel
Lemonldap::NG::Portal::SharedConf: Store xxxx in session key _user
Lemonldap::NG::Portal::SharedConf: Store HASH(0x7fe3754b7130) in session key loginHistory
Lemonldap::NG::Portal::SharedConf: Dump: $VAR1 = {'successLogin' => [{'ipAddr' => 'xxxx','_utime' => 1522178484},{'ipAddr' => 'xxxx','_utime' => 1522172153},{'ipAddr' => 'xxxx','_utime' => 1522172094},{'ipAddr' => 'xxxx','_utime' => 1522170309},{'ipAddr' => 'xxxx','_utime' => 1522170207}],'failedLogin' => [{'ipAddr' => 'xxxx','_utime' => 1522178369,'error' => 'EXPIRE_MSG'},{'ipAddr' => 'xxxx','_utime' => 1522178361,'error' => 'EXPIRE_MSG'},{'ipAddr' => 'xxxx','_utime' => 1522178291,'error' => 'EXPIRE_MSG'},{'ipAddr' => 'xxxx','_utime' => 1522174334,'error' => 'EXPIRE_MSG'},{'ipAddr' => 'xxxx','_utime' => 1522174326,'error' => 'EXPIRE_MSG'}]};
Lemonldap::NG::Portal::SharedConf: Store LDAP in session key _auth
Lemonldap::NG::Portal::SharedConf: Store 1522178484 in session key _lastAuthnUTime
Lemonldap::NG::Portal::SharedConf: Store FALSE in session key pwdMustChange
The debug log shows that the exported variable gets stored in the session (requested at this moment?), but this is after the condition validation... right?
Any idea?
PS: It's working if we use the access rule of a virtual host, but it generates the "You have no access authorization for this application" message.
Thanks
Possible fixes
Query the LDAP Exported Variable at the same time as the LDAP group membership?
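One detail worth checking before changing the evaluation order: in the debug log above the portal rewrites `$pwdMustChange` to `$self->{p}->{sessionInfo}->{pwdMustChange}` and eval's the condition, and the very last line shows the value stored in the session as `FALSE` (LDAP Boolean syntax, RFC 4517, uses the uppercase literals `TRUE` and `FALSE`), while the condition compares with `eq "false"`. Perl's `eq` is case-sensitive, so that comparison yields the empty string regardless of when the attribute was fetched. The stand-alone Perl script below is an added illustration, not code from the original post or from LemonLDAP::NG; it mimics that substitution and eval step against a constructed session hash. The `$self` stub, the `evaluate_condition` helper and the sample group value `clientele` are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: reproduces the "Evaluate expression"
# step visible in the debug log, where each bare $name in a grant-session
# condition is rewritten to $self->{p}->{sessionInfo}->{name} and then eval'ed.
use strict;
use warnings;

# Constructed stand-in for the portal object: only the sessionInfo hash that
# the condition reads. 'FALSE' mirrors the log line
# "Store FALSE in session key pwdMustChange"; 'clientele' is a sample group.
my $self = {
    p => {
        sessionInfo => {
            pwdMustChange => 'FALSE',
            groups        => 'clientele',
        },
    },
};

# Rewrite $name references the way the log shows, eval the result and
# return both the rewritten expression and its value.
sub evaluate_condition {
    my ($cond) = @_;
    ( my $expr = $cond ) =~ s/\$(\w+)/\$self->{p}->{sessionInfo}->{$1}/g;
    my $result = eval $expr;    # "##MDP_EXPIRE" stays a Perl comment, as in the log
    die "condition '$cond' failed to compile: $@" if $@;
    return ( $expr, $result );
}

my @conditions = (
    '$pwdMustChange eq "false"##MDP_EXPIRE',        # the condition from the post
    'lc($pwdMustChange) eq "false"##MDP_EXPIRE',    # case-insensitive comparison
    '$pwdMustChange ne "TRUE"##MDP_EXPIRE',         # compare against the LDAP literal
    '$groups =~ /\bclientele\b/##MDP_EXPIRE',       # shape of the group rule that worked
);

for my $cond (@conditions) {
    my ( $expr, $result ) = evaluate_condition($cond);
    printf "Grant session condition \"%s\"\n  Evaluate expression: %s\n  Evaluation result: %s\n\n",
        $cond, $expr, ( defined $result && length $result ) ? $result : '';
}
```

Running it, the first condition prints an empty "Evaluation result:" (the same empty result the log shows just before "was not granted to open session"), while the case-insensitive form, the comparison against the uppercase `TRUE` literal and the group rule each evaluate to 1. So before concluding that the exported variable is unavailable at grantSession time, it is worth comparing against the value exactly as it is stored in the session, or normalising case in the condition.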