Netgate Discussion Forum
    LDAP Extended Query Fails

    General pfSense Questions
      flowjo-mike

      I have just got authentication against my FreeIPA system working by following this:
      https://ask.fedoraproject.org/en/question/63089/how-can-i-integrate-freeipa-with-pfsense-for-authentication/

      The only change I had to make was to set the Search Scope level to "entire subtree" and I also left the extended query unchecked… With that setup I am able to authenticate using "Diagnostics->Authentication".

      I tried using the following extended query:
      &(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)

      Looking in pfSense logs, using the extended query (fails):

      [24/Aug/2016:11:07:16 -0700] conn=1396 fd=116 slot=116 SSL connection from * to *
      [24/Aug/2016:11:07:16 -0700] conn=1396 TLS1.2 256-bit AES-GCM
      [24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3
      [24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
      [24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain,dc=com)))" attrs=ALL
      [24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 etime=0
      [24/Aug/2016:11:07:16 -0700] conn=1396 op=2 UNBIND
      [24/Aug/2016:11:07:16 -0700] conn=1396 op=2 fd=116 closed - U1

      Without the query (success):

      [24/Aug/2016:11:08:47 -0700] conn=1398 fd=118 slot=118 SSL connection from * to *
      [24/Aug/2016:11:08:47 -0700] conn=1398 TLS1.2 256-bit AES-GCM
      [24/Aug/2016:11:08:47 -0700] conn=1398 op=0 BIND dn="" method=128 version=3
      [24/Aug/2016:11:08:47 -0700] conn=1398 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
      [24/Aug/2016:11:08:47 -0700] conn=1398 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(uid=user)" attrs=ALL
      [24/Aug/2016:11:08:47 -0700] conn=1398 op=1 RESULT err=0 tag=101 nentries=1 etime=0
      [24/Aug/2016:11:08:47 -0700] conn=1398 op=2 BIND dn="uid=user,cn=users,cn=accounts,dc=domain,dc=com" method=128 version=3
      [24/Aug/2016:11:08:47 -0700] conn=1398 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=domain,dc=com"
      [24/Aug/2016:11:08:47 -0700] conn=1398 op=3 UNBIND
      [24/Aug/2016:11:08:47 -0700] conn=1398 op=3 fd=118 closed - U1

      I am using the latest pfSense 2.3.2 and the latest FreeIPA; all my searches come up with the same extended query, and I can't figure out why it's not working for me.

        flowjo-mike

        Still stuck… When doing an ldapsearch, I can see the group:

        admins, groups, compat, domain.com

        dn: cn=admins,cn=groups,cn=compat,dc=domain,dc=com
        ipaAnchorUUID::
        gidNumber: 50000
        memberUid: admin
        memberUid: user1
        memberUid: user2
        objectClass: posixGroup
        objectClass: ipaOverrideTarget
        objectClass: ipaexternalgroup
        objectClass: top
        cn: admins

        I think the query formatting is wrong, this is what I have in pfSense:

        &(memberof=cn=admins,cn=groups,cn=compat,dc=domain.dc=com)

        Any help would be greatly appreciated!

          flowjo-mike
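As an added example (not code from this thread or from pfSense), the check below composes the filter the way the access log in the first post shows pfSense doing it, `(&(uid=user)(<extended query>))`, and flags a memberOf DN whose RDN value hides a stray `=`, as in `dc=domain.dc=com` from the second post. The composition rule is inferred from the logged filter only, not from pfSense's source; note that a syntactically correct filter still returns nentries=0 when the bind account cannot read memberOf, which is what the thread eventually finds.

```python
import re

# Based on the search filter visible in the access log above:
# pfSense wraps the user lookup and the extended query as
# (&(<uid_attr>=<user>)(<extended query>)).  This composition is
# inferred from that log line, not taken from pfSense's source.
def compose_filter(uid_attr: str, username: str, extended: str) -> str:
    ext = extended.strip()
    if ext and not ext.startswith("("):
        ext = f"({ext})"  # "&(memberOf=...)" becomes "(&(memberOf=...))"
    return f"(&({uid_attr}={username}){ext})"

def parens_balanced(flt: str) -> bool:
    depth = 0
    for ch in flt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

# Split a DN into RDNs on unescaped commas and check each is attr=value.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def dn_problems(dn: str) -> list[str]:
    rdns = re.split(r"(?<!\\),", dn)
    problems = []
    for rdn in rdns:
        if not RDN_RE.match(rdn):
            problems.append(f"malformed RDN: {rdn!r}")
        elif "=" in rdn.split("=", 1)[1]:
            # A second '=' inside the value usually means a '.' was typed
            # where a ',' belongs (e.g. "dc=domain.dc=com").
            problems.append(f"suspicious value in RDN: {rdn!r}")
    return problems

def check_extended_query(extended: str) -> list[str]:
    """Return findings for a memberOf-style pfSense extended query."""
    findings = []
    full = compose_filter("uid", "user", extended)
    if not parens_balanced(full):
        findings.append("unbalanced parentheses in composed filter")
    for m in re.finditer(r"memberOf=([^()]+)", extended, re.IGNORECASE):
        findings.extend(dn_problems(m.group(1)))
    return findings
```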

          I didn't include the full output of a successful auth, extended query is disabled:

          [30/Aug/2016:10:23:25 -0700] conn=6432 fd=110 slot=110 SSL connection from * to *
          [30/Aug/2016:10:23:25 -0700] conn=6432 TLS1.2 256-bit AES-GCM
          [30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3
          [30/Aug/2016:10:23:25 -0700] conn=6432 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
          [30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs=ALL
          [30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 etime=0
          [30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com" method=128 version=3
          [30/Aug/2016:10:23:25 -0700] conn=6432 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,cn=users,cn=accounts,dc=domain,dc=com"
          [30/Aug/2016:10:23:25 -0700] conn=6433 fd=118 slot=118 SSL connection from * to *
          [30/Aug/2016:10:23:25 -0700] conn=6432 op=3 UNBIND
          [30/Aug/2016:10:23:25 -0700] conn=6432 op=3 fd=110 closed - U1
          [30/Aug/2016:10:23:25 -0700] conn=6433 TLS1.2 256-bit AES-GCM
          [30/Aug/2016:10:23:25 -0700] conn=6433 op=0 BIND dn="" method=128 version=3
          [30/Aug/2016:10:23:25 -0700] conn=6433 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
          [30/Aug/2016:10:23:25 -0700] conn=6433 op=1 SRCH base="uid=user1,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)" attrs="memberOf"
          [30/Aug/2016:10:23:25 -0700] conn=6433 op=1 RESULT err=0 tag=101 nentries=1 etime=0
          [30/Aug/2016:10:23:25 -0700] conn=6433 op=2 UNBIND
          [30/Aug/2016:10:23:25 -0700] conn=6433 op=2 fd=118 closed - U1

          I changed the cn from accounts to compat for the auth container, but that doesn't make a difference. The last search shows attrs="memberOf", but any time I add an extended query the logs show attrs="all"; not sure if that means anything. I tried adding the full memberOf path under the group member attribute, but that didn't restrict access, although the auth is still successful.

          [30/Aug/2016:10:42:12 -0700] conn=6460 op=1 SRCH base="uid=user3,cn=users,cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user3)" attrs="memberof=cn=admins,cn=groups,cn=compat,dc=domain,dc=com"
          [30/Aug/2016:10:42:12 -0700] conn=6460 op=1 RESULT err=0 tag=101 nentries=1 etime=0

            flowjo-mike

            Just to update this in case anyone else has this problem… I had to disable Bind anonymous; FreeIPA 4.x requires an authenticated bind to see member attributes. Once I set up a simple user to bind as on FreeIPA, the extended query worked.

              Thomas Wolf

              Hey, could you help me create the binddn account?
              dn: uid=panopsy,cn=sysaccounts,cn=etc,dc=open-synergy,dc=com
              objectClass: account
              objectClass: simplesecurityobject
              objectClass: top
              uid: panopsy
              userPassword:: xxxxxx

              I created it. But then in pfSense, when I set the Bind credentials to uid=panopsy,cn=sysaccounts,cn=etc,dc=open-synergy,dc=com, it doesn't work:
              /diag_authentication.php: ERROR! Could not bind to server xxxxxx

              However, cn="Directory Manager" works like a charm but not safe of course…

              I don't know what I get wrong here.

              Thanks in advance!
