[Freeipa-users] FreeIPA and Pulse Secure (Juniper SSLVPN)

CFMS Support support at cfms.org.uk
Tue Jan 12 10:37:24 UTC 2016


Hi Alexander,

Yes I see that as well actually, and when looking for a specific group I
get:

[12/Jan/2016:10:30:50 +0000] conn=30648 fd=114 slot=114 connection from
172.19.6.16 to 172.20.3.6
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 TLS1.2 128-bit AES-GCM
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 BIND
dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
method=128 version=3
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH
base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2
filter="(cn=XXXXX)" attrs="memberOf"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 UNBIND
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 fd=114 closed - U1

And the directory server has returned one entry; however, the VPN
device doesn't see it and returns that the group is not found.

Kind Regards,

Josh Cullum


On Tue, Jan 12, 2016 at 10:30 AM Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Tue, 12 Jan 2016, CFMS Support wrote:
> >Hi Alexander,
> >
> >These are the entries from /var/log/dirsrv/slapd-<INSTANC>/access
> >
> >[12/Jan/2016:10:22:13 +0000] conn=30642 fd=128 slot=128 connection from
> >172.19.6.16 to 172.20.3.6
> >[12/Jan/2016:10:22:13 +0000] conn=30642 op=0 EXT
> >oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> >[12/Jan/2016:10:22:13 +0000] conn=30642 op=0 RESULT err=0 tag=120
> >nentries=0 etime=0
> >[12/Jan/2016:10:22:13 +0000] conn=30642 TLS1.2 128-bit AES-GCM
> >[12/Jan/2016:10:22:13 +0000] conn=30642 op=1 BIND
> >dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
> >method=128 version=3
> >[12/Jan/2016:10:22:13 +0000] conn=30642 op=1 RESULT err=0 tag=97 nentries=0
> >etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
> >[12/Jan/2016:10:22:13 +0000] conn=30642 op=2 SRCH
> >base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2
> >filter="(cn=*)" attrs="memberOf"
> >[12/Jan/2016:10:22:13 +0000] conn=30642 op=2 RESULT err=0 tag=101
> >nentries=145 etime=0
> >[12/Jan/2016:10:22:13 +0000] conn=30642 op=3 UNBIND
> >[12/Jan/2016:10:22:13 +0000] conn=30642 op=3 fd=128 closed - U1
> >
> >This is where it's searching for a group that exists but it doesn't return
> >any result.
> That's not what I see. I see a search for all groups (filter "(cn=*)")
> and retrieving the memberOf attribute of those. The result is 145 entries
> which have the memberOf attribute set, all returned to the client. What
> the client then does with this list is unknown.
>
> --
> / Alexander Bokovoy
>
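The check Alexander does by eye above (find the SRCH, find the RESULT with the same conn/op, compare filter, requested attrs and nentries) can be scripted. The following is an added example, not code from the thread, FreeIPA or 389 Directory Server. It re-joins access-log records that a mail client wrapped onto several lines (assuming every real record starts with a bracketed timestamp, as in the excerpts above), pairs each SRCH with its RESULT by (conn, op), and reports what was asked for and how many entries came back. The sample input is the log excerpt posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Access-log excerpt as posted in the thread; the mail client wrapped the
# records, so continuation lines do not start with a timestamp.
SAMPLE_LOG = """\
[12/Jan/2016:10:30:50 +0000] conn=30648 fd=114 slot=114 connection from
172.19.6.16 to 172.20.3.6
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 TLS1.2 128-bit AES-GCM
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 BIND
dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
method=128 version=3
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH
base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2
filter="(cn=XXXXX)" attrs="memberOf"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 UNBIND
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 fd=114 closed - U1
"""

# The all-groups search from the earlier message in the thread.
SAMPLE_LOG_ALL_GROUPS = """\
[12/Jan/2016:10:22:13 +0000] conn=30642 op=2 SRCH
base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2
filter="(cn=*)" attrs="memberOf"
[12/Jan/2016:10:22:13 +0000] conn=30642 op=2 RESULT err=0 tag=101
nentries=145 etime=0
"""

# A record starts with "[dd/Mon/yyyy:HH:MM:SS +zzzz] " (assumption: this is
# the only thing a line starts with in a real record).
TS_RE = re.compile(r"^\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ")
# key=value pairs; the value is either a double-quoted string (which may
# itself contain '=' and ',', e.g. a DN or a filter) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def unwrap(text: str) -> List[str]:
    """Re-join records that were wrapped onto several lines by a mailer."""
    records: List[str] = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_fields(record: str) -> Dict[str, str]:
    """Extract key=value pairs from one record, stripping the quotes."""
    fields: Dict[str, str] = {}
    for key, val in KV_RE.findall(record):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


@dataclass
class Search:
    conn: str
    op: str
    base: str
    scope: str
    filter: str
    attrs: str
    err: Optional[int] = None       # filled in from the matching RESULT
    nentries: Optional[int] = None  # entries the server sent to the client


def correlate_searches(text: str) -> List[Search]:
    """Pair every SRCH with its RESULT by (conn, op); log order is kept."""
    pending: Dict[Tuple[str, str], Search] = {}
    searches: List[Search] = []
    for rec in unwrap(text):
        f = parse_fields(rec)
        if "conn" not in f or "op" not in f:
            continue  # connection open/close, TLS negotiation, etc.
        key = (f["conn"], f["op"])
        if " SRCH " in rec:
            s = Search(f["conn"], f["op"], f.get("base", ""), f.get("scope", ""),
                       f.get("filter", ""), f.get("attrs", ""))
            pending[key] = s
            searches.append(s)
        elif " RESULT " in rec and key in pending:
            s = pending.pop(key)  # BIND/EXT results have no pending SRCH
            s.err = int(f["err"])
            s.nentries = int(f["nentries"])
    return searches


def summarize(searches: List[Search]) -> List[str]:
    """One human-readable line per search, suitable for eyeballing."""
    out = []
    for s in searches:
        status = ("no RESULT logged" if s.err is None
                  else f"err={s.err} nentries={s.nentries}")
        out.append(f"conn={s.conn} op={s.op} scope={s.scope} filter={s.filter} "
                   f"attrs={s.attrs} -> {status}")
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_ALL_GROUPS):
        for line in summarize(correlate_searches(sample)):
            print(line)
```

Run against a real `/var/log/dirsrv/slapd-<INSTANCE>/access`, records are already one per line and `unwrap` is a no-op; the (conn, op) pairing matters because the RESULT line carries the `nentries` count and error code while the SRCH line carries the filter and attribute list, and on a busy server the two can be far apart. A search that shows `err=0 nentries=1` in this output, as here, means the server did find and return the entry, so the remaining question is what the client does with it.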