How to use OpenLDAP members groups
-
-
You need to have 'Groups' selected there to authenticate users from that.
-
I tested all that several times.
If i only select ou=groups,dc=domain,dc=orgI get ...
If i select all 3 of the options then pfSense picks only the ou=people,dc=domain,dc=org and authenticating is succesful but then those cn=users and cn=vpnusers are not used.
I want only authenticate against cn=vpnusers,ou=group,dc=domain,dc=org
If i only select that option i again get ...
The only way to get a successful authentication is against the users in ou=groups,dc=domain,dc=org
I tried many different settings today i found online.
Only that second option works,
But then i cannot use different member groups only the users that are in ou=peopleI did'nt know what to try next so i thought i try netgate forums.
-
Hmm, odd. I'd expect those two ous to behave the same. I can see why it would be a problem if you have both selected and the same users in each.
Slightly confused though because you seem to say above that selecting only ou=groups,dc=domain,dc=org both fails and is the only way to successfully authenticate?
-
Sorry if i am a bit confusing in the above posts.
I try to be more clear.
English is not my main language so i do my best
As you can see on the pictures i only have 2 OUs People and Groups.
I created 2 normal and 1 admin users in ou=People.Then i created 3 groups in ou=Groups.
My plan is to use those CN groups (in ou=groups) to authorize several services to the users by adding the users to one or more of those cn groups (cn=users & cn=vpnusers & cn=admins).
As an example i added users to the cn=vpnusers so i could give them access to de pfSense OpenVPN server.
And the admin user i added to the cn=admins group to give him/them admin access to pfSense.But those groups under ou=Groups ar not selectable / configurable in pfSense or not that i know off how to do that.
Only ou=People,dc=domain,dc=org is successful authenticating in "Diagnostics / Authentication" and the OpenVPN server.
It doesn't matter of i enable or disable the other containers (cn=users / cn=vpnusers) they don't work.
I added different users to those cn groups to test them separately so i know for sure which one does or doesn't work and both don't work.Although the cn=users and cn=vpnusers is seen by pfSense as you can see in one of the images from earlier i can not do anything with them like configure OpenVPN server to use for example the cn=vpnusers to authenticate a member user of that group. Or i just don't know yet how to do that.
Just like "Diagnostics / Authentication" also OpenVPN server works successfully with users in ou=People,dc=domain,dc=org.
cn=users,ou=Groups,dc=domain,dc=org or cn=vpnusers,ou=Groups,dc=domain,dc=org does not work.Or wel maybe it does and i just don't know jet how to do it, how to configure it.
That is what i hope to learn. -
When i configure the LDAP server in pfSense with only the cn=vpnusers like in this image and i make one of the ou=People,dc=domain,dc=org users member of that group then auth test gives unsuccessful.
-
But that does work for the same group in ou=People?
-
I don't have groups in ou=people only users.
The single only thing that works is ...
But this way i cannot select different services per user, what i would like to be able to do.
If i only need users to authenticate then i can do that with my radius server then i don't need a ldap server.
I was hoping i could do more with a ldap server like authenticate against group members. -
Hmm, so what were you testing initially where the LDAP sever is returning groups for a user when it authenticates?
-
If i have ou=People,dc=domain,dc=org configured then i can successfully authenticate users in ou=people with "Diagnostics > Authentication" and also the OpenVPN server.
pfSense then also recognizes if the user is a member of one or more groups.
It would be great if i could use those memberships of, for example, cn=vpnusers to authorize access to the OpenVPN server.
-
I don't believe you can do that directly for OpenVPN as there's no specific privilege required to allow a login. There is for Captive Portal login and IPSec Xauth so you can use it there.
You would need to configure an LDAP server instance that queried on users in that group.
But I have no idea why that doesn't work for the ou=Groups when it appears everything else is the same. Something must not be the same.
-
That is a pity.
Would be great if we could do things like that.
Thanks a lot for thinking along with me
-
Oke i think i fixed it.
I don't know if this is what fixed it but i installed and configured the memberOf overlay module in OpenLDAP.
I am going to test with a backup vm of my OpenLDAP without the memberOf overlay to see if this module is really needed.Anyhow with the settings i have now (see the image below) i can add and remove users from the cn=vpnusers group and authorize users with that.
I tested it with several different members in the cn=vpnusers group.
-
Aha! Nice catch.
-
Oke i tested it with a backuped VM of my OpenLDAP server and the memberOf overlay module is not needed it stil works without that module
๐ฅณ
