Netgate Discussion Forum

    OpenVPN with LDAP User groups

    Category: OpenVPN. 6 Posts, 3 Posters, 3.4k Views
    • spowers (last edited by spowers)

      Hi,

      I am looking to deploy LDAP authentication across several pfSense units using OpenLDAP. The authentication is working correctly and all is good for VPN access.

      However, I do not want to allow ALL LDAP users access to ALL pfSenses.

      So I am trying to limit the users based on LDAP group membership. I can determine that the pfSense is aware of the members of the LDAP groups (memberUid), using the 'Diagnostics => Authentication' tool, and allowing WebCfg elements within the User Management / Groups configuration based on group. Which again all works fine.

      I should point out that this group membership follows RFC2307, so I cannot get 'extended query' working correctly, but the RFC 2307 Groups checkbox does correctly determine users group membership.

      Within group Assigned Privileges, I can restrict users based on this LDAP group membership for many elements, but I don't appear to be able to define an OpenVPN element?

      I see privileges for other VPN types "User: VPN: L2TP, IPSec & PPPoE" but there is no means to tie users to OpenVPN access?

      I'm using 2.4.4-RELEASE-p2.

      Could anyone shed some light, is this not currently possible?

      Many thanks.

      • spowers (last edited by spowers)

        From another angle, is there a way to perform an extended query on a RFC2307 style schema to restrict to specific groups?

        Most of the examples relate to AD memberOf attribute with the groups listed in the user object.

        If I extend the Authentication containers to use both the user and group containers:

        Authentication containers: dc=auth,dc=example,dc=com;ou=groups,dc=auth,dc=example,dc=com

        I can't seem to get the Extended query to generate anything but auth failures:

        memberUid=cn=admin,ou=groups,dc=auth,dc=example,dc=com or
        &(objectClass=posixGroup)(cn=admin)(memberUid=*) or
        memberOf=cn=admin,ou=groups,dc=auth,dc=example,dc=com

        or any other example

        Does anyone have any experience of using Extended Query on RFC2307 groups?

        This query may warrant another thread?

        Thanks again.

        • spowers (last edited by spowers)

          Hi,

          OK, so having looked through the PHP codebase, I can see that querying group information is not currently supported for RFC2307 groups within a different container.

          I have put together a patch to support this by abstracting a secondary query of the group container. It is enabled when the RFC2307 checkbox is checked in LDAP authentication server settings. When 'Extended Query' syntax is entered, it will query against the paths in the Authentication Containers as per existing code, so this field should contain the path for the group container.

          It will label the frontend to reflect the changes in Extended Query syntax.

          Hope it may be of use to someone, feel free to modify or submit.

          pfSense_LDAP_RFC2307GroupFilter_Fix.diff

          This will support extended query syntax such as:

          &(objectClass=posixGroup)(cn=groupname)(memberUid=*)
          |(&(objectClass=posixGroup)(cn=groupname)(memberUid=*))(&(objectClass=posixGroup)(cn=anothergroup)(memberUid=*))
          

          This should apply cleanly with the System_Patches addon from sysutils with Path Strip Count as '1'.
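An added example (not the patch's PHP and not pfSense code) that evaluates the extended query syntax above against constructed RFC2307 posixGroup entries, mirroring the secondary query of the group container the patch describes. It shows why the OR form admits a member of either group and why the memberUid=cn=... and memberOf attempts from the earlier post match nothing on an RFC2307 schema. Group names vpn-site1/vpn-site2 and users alice/bob/carol are constructed sample data.

```python
# Added example (not the patch's PHP): evaluates the extended-query subset pfSense
# accepts against constructed RFC2307 posixGroup entries (group-container query).

# Constructed sample of the ou=groups container; no real directory is contacted.
GROUPS = [
    {"objectClass": ["posixGroup"], "cn": ["admin"], "memberUid": ["alice"]},
    {"objectClass": ["posixGroup"], "cn": ["vpn-site1"], "memberUid": ["alice", "bob"]},
    {"objectClass": ["posixGroup"], "cn": ["vpn-site2"], "memberUid": []},
]


def parse_filter(s, i=0):
    """Parse a subset of RFC 4515: (&...), (|...), (attr=value) and (attr=*).
    Values containing ')' or escapes are not handled (enough for group filters)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")   # split on the FIRST '=' only
    return ("=", attr, value), j + 1


def _values(entry, attr):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(node, entry):
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":                          # presence filter
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def user_allowed(username, extended_query, groups=GROUPS):
    """pfSense wraps the query in parentheses, selects groups, then checks memberUid."""
    node, _ = parse_filter("(" + extended_query + ")")
    return any(matches(node, g) and username in _values(g, "memberUid")
               for g in groups)
```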

          • michmoor @spowers

            @spowers Did you ever submit a Redmine?


            • spowers @michmoor

              @michmoor

              The feature was added here: https://github.com/pfsense/pfsense/commit/4144a9f8d2b04646de8eddcbc6ef523a2ae792cf

              I believe it has been enhanced since then, but it works as intended in 2.6.

              • jimp (Netgate Developer)

                A few weeks ago I went through and tested LDAP auth with extended query in a few different LDAP setups with/without RFC2307 groups and updated the docs with better info on that and using multiple server entries limited by groups for these sorts of purposes.

                If you haven't reviewed the docs recently, look them over again.

                https://docs.netgate.com/pfsense/en/latest/usermanager/ldap.html

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/authentication.html

                Also I highly recommend using an LDAP browser such as Apache Directory Studio to test your queries and settings to dial in getting the results you want.
