How to use OpenLDAP members groups
-
When i configure the LDAP server in pfSense with only the cn=vpnusers like in this image and i make one of the ou=People,dc=domain,dc=org users member of that group then auth test gives unsuccessful.
-
But that does work for the same group in ou=People?
-
I don't have groups in ou=people only users.
The single only thing that works is ...
But this way i cannot select different services per user, what i would like to be able to do.
If i only need users to authenticate then i can do that with my radius server then i don't need a ldap server.
I was hoping i could do more with a ldap server like authenticate against group members. -
Hmm, so what were you testing initially where the LDAP sever is returning groups for a user when it authenticates?
-
If i have ou=People,dc=domain,dc=org configured then i can successfully authenticate users in ou=people with "Diagnostics > Authentication" and also the OpenVPN server.
pfSense then also recognizes if the user is a member of one or more groups.
It would be great if i could use those memberships of, for example, cn=vpnusers to authorize access to the OpenVPN server.
-
I don't believe you can do that directly for OpenVPN as there's no specific privilege required to allow a login. There is for Captive Portal login and IPSec Xauth so you can use it there.
You would need to configure an LDAP server instance that queried on users in that group.
But I have no idea why that doesn't work for the ou=Groups when it appears everything else is the same. Something must not be the same.
-
That is a pity.
Would be great if we could do things like that.
Thanks a lot for thinking along with me
-
Oke i think i fixed it.
I don't know if this is what fixed it but i installed and configured the memberOf overlay module in OpenLDAP.
I am going to test with a backup vm of my OpenLDAP without the memberOf overlay to see if this module is really needed.Anyhow with the settings i have now (see the image below) i can add and remove users from the cn=vpnusers group and authorize users with that.
I tested it with several different members in the cn=vpnusers group.
-
Aha! Nice catch.
-
Oke i tested it with a backuped VM of my OpenLDAP server and the memberOf overlay module is not needed it stil works without that module
🥳
