LDAP Extended Query with Multiple Groups

  • I am having trouble getting the syntax right for specifying two security groups in an LDAP extended query. Example situation below:
    Security Group 1 = group1

    Security Group 2 = group2

    I can get one security group working with the syntax "memberOf=CN=group1,DC=test,DC=local", but I cannot figure out how to tell it to query for "IF user is a member of group1 OR group2". Any help would be greatly appreciated. Thank you!

  • That would be a little bit more complex…

    As an example:
    Found here: http://stackoverflow.com/questions/19536519/ldap-search-filter-multiple-groups-squid


  • Rebel Alliance Developer Netgate

    For fiddling with LDAP search queries to get them right, it's hard to beat a utility like Apache Directory Studio. It's easier than trying to dial them in using just the pfSense GUI.

• Hi,
    thank you for the hints. I had the same requirements. I just want to share my experience.

    I needed two groups. One for VPN users and the other one for VPN access and pfsense administration.

For me it's perfect now :)
    A picture is worth a thousand words.

    ![Image 28.png](/public/imported_attachments/1/Image 28.png)

  • What worked for me on pfSense 2.4.4-p2:

    Search scope: Entire Subtree
    Base DN: dc=ad,dc=mydomain,dc=com
    Authentication containers: CN=Users,DC=ad,DC=mydomain,DC=com
    Extended query: checked
    Query: |(memberOf=CN=pfsenseadmins,cn=Users,dc=ad,dc=mydomain,dc=com)(memberOf=CN=pfsenseoperators,cn=Users,dc=ad,dc=mydomain,dc=com)
    Bind anonymous: unchecked
    Bind credentials: MYDOMAIN\pfsense ************
    User naming attribute: samAccountName
    Group naming attribute: cn
    Group member attribute: memberOf
    RFC 2307 Groups: unchecked
    Group Object Class: posixGroup

    I created the groups 'pfsenseadmins' and 'pfsenseoperators' and assigned the appropriate access for each group.

    Seems that pfSense choked on the extra grouping characters at the beginning of the search expression as referenced above. I started with just the pipe 'or' operator and it worked okay. I also didn't need to add the samAccount part at the end, perhaps because it was defined in a different field.

    Hope it's helpful to others.
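The following is an added worked example for this thread, not pfSense or Netgate code. It builds the "member of any of these groups" extended query, composes it the way pfSense is assumed to use it (an assumption, based on how the LDAP login search in pfSense's auth code wraps the query: `(&(<User naming attribute>=<login>)(<Extended query>))`), parses the result with a minimal RFC 4515 checker and evaluates it against a small constructed directory. It also shows why the query body above works without its own outer parentheses and why a fully parenthesised `(|...)` form breaks once wrapped. The group DNs and user entries are constructed sample values, not taken from any real directory.

```python
"""Compose and sanity-check an LDAP "member of any group" extended query.

Constructed example for this thread, not pfSense/Netgate code. Assumption:
pfSense wraps the Extended query as
    (&(<User naming attribute>=<login>)(<Extended query>))
so the query body must not carry its own outer parentheses.
"""
import re

_ATTR_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9.;-]*')


def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a search filter (not DN escaping)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def member_of_any(group_dns):
    """Extended-query body: |(memberOf=dn1)(memberOf=dn2)... (no outer parens)."""
    if not group_dns:
        raise ValueError('need at least one group DN')
    return '|' + ''.join('(memberOf=%s)' % escape_filter_value(d) for d in group_dns)


def pfsense_login_filter(name_attr, login, extended_query):
    """Filter pfSense is assumed to send for one login attempt (see docstring)."""
    return '(&(%s=%s)(%s))' % (name_attr, escape_filter_value(login), extended_query)


def parse_filter(text):
    """Minimal RFC 4515 parser (and/or/not/equality). Raises ValueError if malformed."""
    def parse(i):
        if i >= len(text) or text[i] != '(':
            raise ValueError('expected "(" at offset %d' % i)
        i += 1
        if i >= len(text):
            raise ValueError('truncated filter')
        op = text[i]
        if op in '&|':
            i, parts = i + 1, []
            while i < len(text) and text[i] == '(':
                node, i = parse(i)
                parts.append(node)
            if not parts:
                raise ValueError('empty %s at offset %d' % (op, i))
            node = (op, parts)
        elif op == '!':
            inner, i = parse(i + 1)
            node = ('!', [inner])
        else:  # equality item: attr=value, value with \xx escapes
            j = text.find(')', i)
            if j < 0:
                raise ValueError('unterminated item at offset %d' % i)
            attr, sep, raw = text[i:j].partition('=')
            if not sep or not _ATTR_RE.fullmatch(attr):
                raise ValueError('bad item %r at offset %d' % (text[i:j], i))
            val = re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), raw)
            node, i = ('=', attr, val), j
        if i >= len(text) or text[i] != ')':
            raise ValueError('expected ")" at offset %d' % i)
        return node, i + 1
    tree, end = parse(0)
    if end != len(text):
        raise ValueError('trailing data at offset %d' % end)
    return tree


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(tree, entry):
    """Evaluate a parsed filter against {attr_lowercase: [values]}.
    Case-insensitive comparison approximates the directory's caseIgnore/DN rules."""
    op = tree[0]
    if op == '&':
        return all(matches(n, entry) for n in tree[1])
    if op == '|':
        return any(matches(n, entry) for n in tree[1])
    if op == '!':
        return not matches(tree[1][0], entry)
    _, attr, want = tree
    return any(v.lower() == want.lower() for v in entry.get(attr.lower(), []))


# Constructed sample directory (placeholder domain, not real data).
ADMINS = 'CN=pfsenseadmins,CN=Users,DC=ad,DC=example,DC=com'
OPERATORS = 'CN=pfsenseoperators,CN=Users,DC=ad,DC=example,DC=com'
STAFF = 'CN=staff,CN=Users,DC=ad,DC=example,DC=com'
USERS = {
    'alice': {'samaccountname': ['alice'], 'memberof': [ADMINS, STAFF]},
    'bob':   {'samaccountname': ['bob'],   'memberof': [OPERATORS]},
    'carol': {'samaccountname': ['carol'], 'memberof': [STAFF]},
}


def allowed_logins(extended_query, users=USERS):
    """Logins the composed filter accepts; ValueError if the composed filter is malformed."""
    return sorted(login for login, entry in users.items()
                  if matches(parse_filter(pfsense_login_filter('samAccountName', login, extended_query)), entry))


if __name__ == '__main__':
    q = member_of_any([ADMINS, OPERATORS])
    print(q, allowed_logins(q))
    print(is_valid_filter(pfsense_login_filter('samAccountName', 'alice', '(' + q + ')')))
```

Running it prints the query body, `['alice', 'bob']` (carol is in neither group), and `False` for the parenthesised variant, because wrapping `(|...)` yields `((|...))`, which is not a valid RFC 4515 filter. Group names containing `(`, `)`, `*` or `\` must be escaped with `escape_filter_value`, otherwise the filter either fails to parse or matches more than intended.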

  • https://redmine.pfsense.org/issues/9527
    might be of interest too for rfc 2307 enabled
