LDAP Extended Query with Multiple Groups

justein230 · Aug 10, 2016, 4:50 AM

I am having trouble getting the syntax right for specifying two security groups in an LDAP extended query. Example situation below:
Security Group 1 = group1
dn="CN=group1,DC=test,DC=local"

Security Group 2 = group2
dn="CN=group2,DC=test,DC=local"

I can get one security group working with the syntax "memberOf=CN=group1,DC=test,DC=local", but I cannot figure out how to tell it to query for "IF user is a member of group1 OR group2". Any help would be greatly appreciated. Thank you!

tarakesh · Aug 10, 2016, 8:23 AM

That would be a little bit more complex…

As an example:
Found here: http://stackoverflow.com/questions/19536519/ldap-search-filter-multiple-groups-squid

(&(|(memberOf=CN=normal_group,OU=Test_Users,DC=matthew,DC=com)(memberOf=CN=internet_group,OU=Test_Users,DC=matthew,DC=com))(sAMAccountName=%s))

jimp · Aug 12, 2016, 2:29 PM

For fiddling with LDAP search queries to get them right, it's hard to beat a utility like Apache Directory Studio. It's easier than trying to dial them in using just the pfSense GUI.

logo78 · Mar 7, 2017, 3:30 PM

hi,
thank you for the hints. I had the same requirements. I just want to share my expirience.

I needed two groups. One for VPN users and the other one for VPN access and pfsense administration.

For me its perfect now :)
A picture is worth a thousand words.

![Image 28.png_thumb](/public/imported_attachments/1/Image 28.png_thumb)
![Image 28.png](/public/imported_attachments/1/Image 28.png)

gcarey3 · Apr 15, 2019, 6:21 PM

What worked for me on pfSense 2.4.4-p2:

Search scope: Entire Subtree
Base DN: dc=ad,dc=mydomain,dc=com
Authentication containers: CN=Users,DC=ad,DC=mydomain,DC=com
Extended query: checked
Query: |(memberOf=CN=pfsenseadmins,cn=Users,dc=ad,dc=mydomain,dc=com)(memberOf=CN=pfsenseoperators,cn=Users,dc=ad,dc=mydomain,dc=com)
Bind anonymous: unchecked
Bind credentials: MYDOMAIN\pfsense ************
User naming attribute: samAccountName
Group naming attribute: cn
Group member attribute: memberOf
RFC 2307 Groups: unchecked
Group Object Class: posixGroup

I created the groups 'pfsenseadmins' and 'pfsenseoperators' and assigned the appropriate access for each group.

Seems that pfSense choked on the extra grouping characters at the beginning of the search expression as referenced above. I started with just the pipe 'or' operator and it worked okay. I also didn't need to add the samAccount part at the end, perhaps because it was defined in a different field.

Hope it's helpful to others.

loeken · May 16, 2019, 4:08 PM

https://redmine.pfsense.org/issues/9527
might be of interest too for rfc 2307 enabled