Netgate Discussion Forum

    FreeIPA 4.6.8 memberUid and pfSense 2.5.1

    General pfSense Questions
    bigbalu

      Hi,

      I am using FreeIPA on CentOS 8 in my private environment and wanted to authenticate with my LDAP user on pfSense. Yesterday, I updated pfSense to the newest version and wanted to log in with all members of a specific group to the web portal or via OpenVPN.

      So I created an LDAP query on "Authentication Servers" with the following settings:

      • Type: LDAP
      • Port: 389
      • Protocol: 3
      • Search scope: entire subtree
      • Basedn: dc=my,dc=domain
      • Authentication containers: cn=users,cn=compat,dc=my,dc=domain;cn=groups,cn=compat,dc=my,dc=domain;cn=users,cn=accounts,dc=my,dc=domain;cn=groups,cn=accounts,dc=my,dc=domain
      • Bind credentials: uid=bind,cn=users,cn=accounts,dc=my,dc=domain *******
      • User naming attribute: uid
      • Group naming attribute: cn
      • Group member attribute: memberUid
      • RFC 2307 Groups: checked
      • Group Object Class: posixGroup

      The following LDAP searches:

      [root@ldap ~]# ldapsearch -xLLL -b "dc=my,dc=domain"  cn=vpn
      dn: cn=vpn,cn=groups,cn=compat,dc=my,dc=domain
      objectClass: posixGroup
      objectClass: ipaOverrideTarget
      objectClass: ipaexternalgroup
      objectClass: top
      gidNumber: 5019
      memberUid: testa
      ipaAnchorUUID:: OklQQTpoZXJpbmcubGFuOjQ4MWI1OGI0LWE3ZjUtMTFlYi1hOTBhLTUyNTQwMD
       g0ZjQ5Nw==
      cn: vpn
      
      dn: cn=vpn,cn=groups,cn=accounts,dc=my,dc=domain
      objectClass: top
      objectClass: groupofnames
      objectClass: nestedgroup
      objectClass: ipausergroup
      objectClass: ipaobject
      objectClass: posixgroup
      gidNumber: 5019
      cn: vpn
      ipaUniqueID: 481b58b4-a7f5-11eb-a90a-52540084f497
      

      If I go to "Diagnostics > Authentication" and type the credentials for user "testa", it works and pfSense tells me that this user belongs to the group "vpn".

      After this successful test, I wanted to filter on vpn users. I checked advanced search and tried to configure it with "cn=vpn". Unfortunately, this did not work. I tried the following filters:

      • cn=vpn
      • (cn=vpn)
      • &(objectClass=*)(cn=vpn)
      • (&(objectClass=*)(cn=vpn))
      • &(objectClass=*)(cn=vpn)(memberUid=*)
      • (&(objectClass=*)(cn=vpn)(memberUid=*))

      I read in some blog post that this group has to exist on the pfSense, so I created it with scope "Remote". Unfortunately, this does not work either.

      Maybe someone knows what the challenge is here. Did I configure something wrong?

      Tell me if you need further information.

      Thanks very much,
      Ludwig
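The following is an added example, not code from the post, from pfSense or from FreeIPA. It is a small RFC 4515 filter evaluator run over constructed directory entries modelled on the ldapsearch output above, so the behaviour of the filters the post lists can be reproduced offline. It assumes (this is not stated on the page) that pfSense combines the Extended Query with the user-name lookup as (&(uid=<user>)(<extended query>)) and runs that search in the user containers; the user entry uid=testa and its memberOf value are constructed, since the post shows no user object.

```python
"""Added example, not from the forum post or from pfSense/FreeIPA code.

A minimal RFC 4515 filter evaluator run over constructed entries modelled on
the post's ldapsearch output. It shows why an Extended Query of "cn=vpn"
matches no user, while RFC 2307 (memberUid) and memberOf lookups do.
Assumption: pfSense ANDs the Extended Query with the user-name lookup, i.e.
it searches for (&(uid=<user>)(<extended query>)) in the user containers.
"""

BASE = "dc=my,dc=domain"

# Constructed directory. The two cn=vpn groups mirror the post; the user
# entry (and its memberOf, which FreeIPA maintains) is an assumption, since
# the post shows no user object.
DIRECTORY = {
    f"cn=vpn,cn=groups,cn=compat,{BASE}": {
        "objectClass": ["posixGroup", "ipaOverrideTarget", "top"],
        "gidNumber": ["5019"],
        "memberUid": ["testa"],
        "cn": ["vpn"],
    },
    f"cn=vpn,cn=groups,cn=accounts,{BASE}": {
        "objectClass": ["top", "groupofnames", "ipausergroup", "posixgroup"],
        "gidNumber": ["5019"],
        "cn": ["vpn"],
    },
    f"uid=testa,cn=users,cn=accounts,{BASE}": {  # assumed user entry
        "objectClass": ["top", "person", "posixaccount"],
        "uid": ["testa"],
        "cn": ["Test A"],
        "memberOf": [f"cn=vpn,cn=groups,cn=accounts,{BASE}"],
    },
}


def parse_filter(text):
    """Parse the RFC 4515 subset (a=v), (a=*), (&...), (|...), (!...)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        # attribute descriptions are alphanumerics plus '-' (and ';' options)
        if end < 0 or not sep or not attr.replace("-", "").replace(";", "").isalnum():
            raise ValueError(f"bad filter item in {text!r}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos} in {text!r}")
    return tree


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(tree, entry):
    """Evaluate a parsed filter; names and values compare caseIgnore."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":  # presence filter
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def search(base, filter_text, directory=DIRECTORY):
    """Subtree search under base; returns the matching DNs, sorted."""
    tree = parse_filter(filter_text)
    base_l = base.lower()
    return sorted(dn for dn, entry in directory.items()
                  if (dn.lower() == base_l or dn.lower().endswith("," + base_l))
                  and matches(tree, entry))


def extended_query_filter(name_attr, username, extended):
    """Assumed shape of pfSense's user lookup when an Extended Query is set."""
    return f"(&({name_attr}={username})({extended}))"


def users_matching(username, extended):
    return search(f"cn=users,cn=accounts,{BASE}",
                  extended_query_filter("uid", username, extended))


def rfc2307_groups_of(username):
    """RFC 2307 membership: posixGroup entries listing the uid in memberUid."""
    return search(BASE, f"(&(objectClass=posixGroup)(memberUid={username}))")


if __name__ == "__main__":
    print("groups of testa:", rfc2307_groups_of("testa"))
    print("cn=vpn as extended query:", users_matching("testa", "cn=vpn"))
    print("memberOf as extended query:",
          users_matching("testa", f"memberOf=cn=vpn,cn=groups,cn=accounts,{BASE}"))
```

In this model the RFC 2307 lookup (memberUid=testa on a posixGroup) is what makes Diagnostics > Authentication report the vpn group, while an Extended Query of cn=vpn is evaluated against the user entry, whose cn is the person's name, so it can never match; a memberOf value naming the cn=accounts group does match the assumed user entry. Because the assumed wrapping supplies the outer parentheses, the variants written with their own parentheses would produce filters such as ((cn=vpn)), which is_valid_filter rejects. Whether the real pfSense build behaves exactly like this model is an assumption to verify against its LDAP debug output.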

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.