Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to use OpenLDAP members groups

    Scheduled Pinned Locked Moved General pfSense Questions
    30 Posts 2 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      Gerard64 @Gerard64
      last edited by

      When i configure the LDAP server in pfSense with only the cn=vpnusers like in this image and i make one of the ou=People,dc=domain,dc=org users member of that group then auth test gives unsuccessful.

      dcd59640-eecb-4a0a-9327-db0043a23456-afbeelding.png

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        But that does work for the same group in ou=People?

        G 1 Reply Last reply Reply Quote 0
        • G
          Gerard64 @stephenw10
          last edited by Gerard64

          I don't have groups in ou=people only users.

          f936cc68-2c65-4684-96a1-4702798826b6-afbeelding.png

          The single only thing that works is ...

          8bf791fd-2087-4f54-b01a-46c92374b3d7-afbeelding.png

          But this way i cannot select different services per user, what i would like to be able to do.
          If i only need users to authenticate then i can do that with my radius server then i don't need a ldap server.
          I was hoping i could do more with a ldap server like authenticate against group members.

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Hmm, so what were you testing initially where the LDAP sever is returning groups for a user when it authenticates?

            G 1 Reply Last reply Reply Quote 0
            • G
              Gerard64 @stephenw10
              last edited by Gerard64

              If i have ou=People,dc=domain,dc=org configured then i can successfully authenticate users in ou=people with "Diagnostics > Authentication" and also the OpenVPN server.

              Untitled-2.png

              pfSense then also recognizes if the user is a member of one or more groups.

              af3caf0f-69b3-43d8-8c84-ac40653cf4da-afbeelding.png

              It would be great if i could use those memberships of, for example, cn=vpnusers to authorize access to the OpenVPN server.

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                I don't believe you can do that directly for OpenVPN as there's no specific privilege required to allow a login. There is for Captive Portal login and IPSec Xauth so you can use it there.

                You would need to configure an LDAP server instance that queried on users in that group.

                But I have no idea why that doesn't work for the ou=Groups when it appears everything else is the same. Something must not be the same.

                G 1 Reply Last reply Reply Quote 1
                • G
                  Gerard64 @stephenw10
                  last edited by

                  That is a pity.
                  Would be great if we could do things like that.
                  Thanks a lot for thinking along with me 👍

                  1 Reply Last reply Reply Quote 0
                  • G
                    Gerard64
                    last edited by Gerard64

                    Oke i think i fixed it.

                    I don't know if this is what fixed it but i installed and configured the memberOf overlay module in OpenLDAP.
                    I am going to test with a backup vm of my OpenLDAP without the memberOf overlay to see if this module is really needed.

                    Anyhow with the settings i have now (see the image below) i can add and remove users from the cn=vpnusers group and authorize users with that.
                    I tested it with several different members in the cn=vpnusers group.

                    3aa2582a-95a0-40ba-bddf-5e1fb895ca42-afbeelding.png

                    1 Reply Last reply Reply Quote 1
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      Aha! Nice catch.

                      G 1 Reply Last reply Reply Quote 0
                      • G
                        Gerard64 @stephenw10
                        last edited by

                        Oke i tested it with a backuped VM of my OpenLDAP server and the memberOf overlay module is not needed it stil works without that module 💃🥳

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.