As a follow-up, here is how I got it working.
I am using OpenLDAP and FreeRADIUS on FreeBSD 14. I'm not documenting here how to get LDAP authentication working with FreeRADIUS, I'm presuming that is already done. Additionally, my LDAP schema has all users under the name
ou=people, ou=domain, ou=com
and groups in
ou=groups, ou=domain, ou=com
I do not have memberof enabled. I'm using MSCHAPv2 authentication in pfsense's RADIUS configuration.
In /usr/local/etc/raddb/mods-enabled/ldap use these settings in the "group" section
base_dn = "${..base_dn}"
filter = '(objectClass=posixGroup)'
scope = 'sub'
name_attribute = cn
membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
cacheable_name = 'yes'
In /usr/local/etc/raddb/sites-available/default add this in the "post-auth" section
update reply {
Class += "%{exec:/bin/sh /usr/local/etc/raddb/ldap_fix.sh %{control:LDAP-Group[*]}}"
}
The exec module is used. Ensure that in /usr/local/etc/raddb/mods-available/exec, "wait" is set to "yes"
wait = yes
Finally, I used tr to convert the comma-delimited list of groups in "%{control:LDAP-Group[*]}" to semi-colon delimited. The file /usr/local/etc/raddb/ldap_fix.sh looks like this
#!/bin/sh
#
# turn comma-delimited list of groups into semi-colon delimited list of groups
#
echo "${1}" | tr "," ";"
Using the pfsense authentication tester (Diagnostics > Authentication) I can now see the list of groups users are a member of. Note that the groups need to also be present in pfsense (System > User Manager).
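As an added example (not the original poster's script), here is a slightly more defensive variant of ldap_fix.sh that trims whitespace around each group name, drops empty entries, and still emits the semicolon-delimited list pfsense expects. It assumes the exec module splits its expanded command line on spaces, so a group name containing a space could arrive as two arguments; joining "$*" puts them back together.

```shell
#!/bin/sh
# Added example, not the original ldap_fix.sh from the post above.
# Converts the comma-delimited %{control:LDAP-Group[*]} expansion into a
# semicolon-delimited list, tolerating stray whitespace and empty entries.
ldap_groups_to_class() {
    # Assumption: the exec module may split the expanded group list on
    # spaces, so rejoin all arguments into one string before converting.
    printf '%s' "$*" \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | paste -s -d ';' -
}

# Run the conversion only when invoked as the helper script itself
# (FreeRADIUS calls it with the expanded group list as its arguments).
if [ "${0##*/}" = "ldap_fix.sh" ]; then
    ldap_groups_to_class "$@"
fi
```

A user with no LDAP groups produces empty output, so the Class attribute is left empty rather than set to a stray delimiter.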