LDAP Extended Query with Multiple Groups
justein230 last edited by
I am having trouble getting the syntax right for specifying two security groups in an LDAP extended query. Example situation below:
Security Group 1 = group1
Security Group 2 = group2
I can get one security group working with the syntax "memberOf=CN=group1,DC=test,DC=local", but I cannot figure out how to tell it to query for "IF user is a member of group1 OR group2". Any help would be greatly appreciated. Thank you!
tarakesh last edited by
That would be a little bit more complex…
As an example:
Found here: http://stackoverflow.com/questions/19536519/ldap-search-filter-multiple-groups-squid
For fiddling with LDAP search queries to get them right, it's hard to beat a utility like Apache Directory Studio. It's easier than trying to dial them in using just the pfSense GUI.
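The "member of group1 OR group2" filter the thread is after, written out as an added example (not tarakesh's, the Stack Overflow answer's, or pfSense's own code): an RFC 4515 filter using the `|` operator over several `memberOf` clauses, with assertion values escaped so a group or user name containing filter metacharacters cannot change the meaning of the query. The group DNs and the `samAccountName` attribute come from the thread; how pfSense itself wraps an extended query around the user match is not shown here.

```python
# Added example: build an RFC 4515 LDAP search filter that matches a user who
# is a member of ANY of several groups. Group DNs below are constructed for
# illustration (same shape as the thread's "CN=group1,DC=test,DC=local").

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value, otherwise a crafted value can rewrite the filter (LDAP injection).
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for safe inclusion in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_any(group_dns) -> str:
    """Filter matching entries whose memberOf contains any of the listed DNs.

    One group needs no wrapper; two or more are joined with the '|' (OR)
    operator, e.g. (|(memberOf=...)(memberOf=...)).
    """
    clauses = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    if not clauses:
        raise ValueError("at least one group DN is required")
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


def user_in_any_group(user_attr: str, username: str, group_dns) -> str:
    """Full filter: the user-naming attribute match AND the group OR."""
    user_clause = f"({user_attr}={escape_filter_value(username)})"
    return "(&" + user_clause + member_of_any(group_dns) + ")"


if __name__ == "__main__":
    groups = ["CN=group1,DC=test,DC=local", "CN=group2,DC=test,DC=local"]
    print(member_of_any(groups))
    # A username carrying filter metacharacters is neutralised by escaping.
    print(user_in_any_group("samAccountName", "jdoe*)", groups))
```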
logo78 last edited by
Thank you for the hints. I had the same requirements. I just want to share my experience.
I needed two groups. One for VPN users and the other one for VPN access and pfsense administration.
For me it's perfect now :)
A picture is worth a thousand words.
![Image 28.png](/public/imported_attachments/1/Image 28.png)
gcarey3 last edited by
What worked for me on pfSense 2.4.4-p2:
Search scope: Entire Subtree
Base DN: dc=ad,dc=mydomain,dc=com
Authentication containers: CN=Users,DC=ad,DC=mydomain,DC=com
Extended query: checked
Bind anonymous: unchecked
Bind credentials: MYDOMAIN\pfsense ************
User naming attribute: samAccountName
Group naming attribute: cn
Group member attribute: memberOf
RFC 2307 Groups: unchecked
Group Object Class: posixGroup
I created the groups 'pfsenseadmins' and 'pfsenseoperators' and assigned the appropriate access for each group.
Seems that pfSense choked on the extra grouping characters at the beginning of the search expression as referenced above. I started with just the pipe 'or' operator and it worked okay. I also didn't need to add the samAccount part at the end, perhaps because it was defined in a different field.
Hope it's helpful to others.
loeken last edited by
Might be of interest too for RFC 2307 enabled.