Netgate Discussion Forum

    LDAP group membership

    General pfSense Questions
    13 Posts 5 Posters 3.9k Views
    • viktor_g (Netgate)

      https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html#group-membership:
      For pfSense to see a group from LDAP, a local group must exist on pfSense with an identical name to the group on the LDAP server.

      also check this: https://redmine.pfsense.org/issues/9527

      • maxxer @viktor_g

        @viktor_g I did spot the docs about the required group, but didn't about the patch! Thank you, I'll upgrade and see if it's fixed.

        • maxxer @viktor_g

          @viktor_g I've upgraded pfSense to the latest stable 2.4.5 and, to my disappointment, a patch merged nearly one year ago isn't present yet :(
          I manually patched auth.inc but I'm still unable to filter users by group.
          If I disable the Extended query param and perform a test auth, pfSense now fetches user groups.

          But if I add (&(objectClass=posixGroup)(cn=openvpn)(memberUid=*)) to the extended query filter in order to restrict access to users in the openvpn group, then auth fails.

          • viktor_g (Netgate) @maxxer

            @maxxer can you show your server's LDAP group object in LDIF format?

            • maxxer @viktor_g

              @viktor_g here it is:

              dn: cn=openvpn,ou=Groups,dc=domain,dc=it
              objectClass: sambaGroupMapping
              objectClass: posixGroup
              sambaGroupType: 2
              sambaSID: S-1-5-21-446527113-4133352199-1973987425-21005
              gidNumber: 10002
              cn: openvpn
              memberUid: tizi.caio
              memberUid: yetopen
              structuralObjectClass: posixGroup
              entryUUID: 5cad3dca-f631-1039-949d-3979f74ed655
              creatorsName: cn=admin,dc=domain,dc=it
              createTimestamp: 20200309090901Z
              entryCSN: 20200831131707.214353Z#000000#000#000000
              modifiersName: cn=admin,dc=domain,dc=it
              modifyTimestamp: 20200831131707Z
              
              • sysgone

                Hi,
                every time I try to change "Group member attribute" from memberUid to something else I see a wrong filter in the logs on my LDAP server:

                example:
                filter: (&(objectClass=posixGroup)(memberUid=test@gmail.com)) - correct
                filter: (&(objectClass=posixGroup)(?memberuida=test@gmail.com)) - wrong; I know the attribute "memberuida" does not exist, but why does the attribute get "?name"?
                filter: (&(objectClass=groupOfUniqueNames)(memberUid=test@gmail.com)) - wrong objectClass BUT! the attribute is ok: "memberUid"

                filter: (&(objectClass=groupOfUniqueNames)(?memberOf=test@gmail.com)) - wrong, attribute "?memberOf"
                filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=%s=test@gmail.com)) - wrong, "?unique...."

                Why, if the attribute != memberUid, is it changed to "?attribute"?
                This is probably why the groups are not showing up :/

                • viktor_g (Netgate) @sysgone

                  @sysgone Please provide more info about your configuration and create a bugreport: https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html

                  • fabriciogcbh @sysgone

                    @sysgone said in LDAP group membership:

                    Hi,
                    every time I try to change "Group member attribute" from memberUid to something else I see a wrong filter in the logs on my LDAP server:

                    example:
                    filter: (&(objectClass=posixGroup)(memberUid=test@gmail.com)) - correct
                    filter: (&(objectClass=posixGroup)(?memberuida=test@gmail.com)) - wrong; I know the attribute "memberuida" does not exist, but why does the attribute get "?name"?
                    filter: (&(objectClass=groupOfUniqueNames)(memberUid=test@gmail.com)) - wrong objectClass BUT! the attribute is ok: "memberUid"

                    filter: (&(objectClass=groupOfUniqueNames)(?memberOf=test@gmail.com)) - wrong, attribute "?memberOf"
                    filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=%s=test@gmail.com)) - wrong, "?unique...."

                    Why, if the attribute != memberUid, is it changed to "?attribute"?
                    This is probably why the groups are not showing up :/

                    Hi, I'm having the same problem, has anyone found a solution?

                    Today I have my OpenVPN and firewall as separate services on BSD and everything works perfectly, but it's an old machine and I need to update the services. I'm migrating to pfSense, and I can't get the filter by groups to work.
                    I installed version 2.7.0 of pfSense. I found several videos and documents of people using the "extended query", but they were all for Microsoft AD.

                    I use OpenLDAP. Monitoring the LDAP server, I saw that the extended query for the group is sent together with the user filter; because of this all the rules fail authentication.

                    I have tested user filters and they work well.
                    No group filter parameters work.

                    • stephenw10 (Netgate Administrator)

                      This?: https://redmine.pfsense.org/issues/13093

                      • fabriciogcbh @stephenw10

                        @stephenw10 said in LDAP group membership:

                        This?: https://redmine.pfsense.org/issues/13093

                        This is exactly my problem; surprised it has been on the list for a year.

                        Based on Jim Pingle's solution I made several attempts, even using Apache Directory Studio, and came up with a solution:

                        Jim Pingle Solution
                        &(objectClass=posixGroup)(cn=VPNUsers)(memberUid=) --> doesn't work for me
                        &(objectClass=posixGroup)(cn=VPNUsers)(member=) --> works for me

                        Jim Pingle Result
                        (&(memberUid=jimp)(&(objectClass=posixGroup)(cn=VPNUsers)(memberUid=*)))

                        My result
                        (&(member=uid=jimp,ou=people,dc=myserver,dc=example,dc=com)(&(objectClass=posixGroup)(cn=VPNUsers)(member=*)))

                        Detail that I needed to change:
                        Group member Attribute = member
                        Didn't work with memberOf or memberUid

                        My version
                        OpenLDAP: slapd (May 23 2018 04:25:19) $
                        Debian OpenLDAP Maintainers

                        Thank you very much for your feedback

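Added example, not code from the thread, from pfSense or from OpenLDAP: a small Python evaluator that parses the posixGroup LDIF maxxer posted (trimmed to the attributes the filters test) and checks which of the composed filters quoted in this thread would match it. The composition `(&(<Group member attribute>=<user>)<extended query>)` is taken from the results Jim Pingle and fabriciogcbh posted; the filter language supported is only the `&`, presence and equality elements those filters use, so it is a way to sanity-check an extended query against a real group entry before putting it into pfSense.

```python
import re

# Constructed sample: the posixGroup posted in the thread, trimmed to the
# attributes the filters test.
GROUP_LDIF = """\
dn: cn=openvpn,ou=Groups,dc=domain,dc=it
objectClass: posixGroup
cn: openvpn
memberUid: tizi.caio
memberUid: yetopen
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def pfsense_group_filter(member_attr, user_value, extended_query):
    """Compose (&(<Group member attribute>=<user>)<extended query>), the shape
    of the results quoted in the thread; outer parentheses on the query are optional."""
    eq = extended_query.strip()
    if not eq.startswith("("):
        eq = f"({eq})"
    return f"(&({member_attr}={user_value}){eq})"

def _children(s):
    """Split '(a=1)(&(b=2)(c=3))' into its top-level parenthesised items."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth == 0 and ch == ")":
            items.append(s[start:i + 1])
            start = i + 1
    return items

def matches(entry, flt):
    """Evaluate '&', presence '(attr=*)' and equality '(attr=value)' case-insensitively.
    An attribute the entry lacks never matches, so a wrong member attribute fails the AND."""
    flt = flt.strip()
    if flt.startswith("(&"):
        return all(matches(entry, sub) for sub in _children(flt[2:-1]))
    m = re.fullmatch(r"\(([\w;-]+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter element: {flt}")
    values = [v.lower() for v in entry.get(m.group(1).lower(), [])]
    return bool(values) if m.group(2) == "*" else m.group(2).lower() in values
```

Run against this entry, the memberUid composition matches tizi.caio, while the `member=` composition fabriciogcbh needed matches nothing here because a plain posixGroup carries no `member` attribute; the Group member attribute has to be one the group entry actually holds.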
                        • stephenw10 (Netgate Administrator)

                          Nice result! 👍

                          • fabriciogcbh @fabriciogcbh

                            @fabriciogcbh said in LDAP group membership:

                            Correcting a flaw in the post: it looks like the site removed characters. I couldn't edit, editing timed out.

                            Jim Pingle Solution
                            doesn't work for me

                            &(objectClass=posixGroup)(cn=VPNUsers)(memberUid=*)
                            

                            works for me

                            &(objectClass=posixGroup)(cn=VPNUsers)(member=*)
                            
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.