Authentication on LDAP (FreeIPA) and RFC 2307

    General pfSense Questions
soncep:

      Hello,
Seems there is still a bug with the RFC 2307 standard in 2.3.2's LDAP config.

I set up the LDAP configuration and it won't search within the group with memberUid on one of my firewalls running 2.3.2.

Here is what I see on my LDAP server after I test LDAP with the initial config in the attached picture.

      conn=3804 op=2 SRCH base="cn=groups,cn=compat,dc=grenadine,dc=juicy" scope=2 filter="(&(uid=dave)(cn=grenadineadmins))" attrs=ALL
      I tried variants but it always adds the uid instead of the memberUid.
      SRCH base="cn=groups,cn=compat,dc=grenadine,dc=juicy" scope=2 filter="(&(uid=dave)(&(objectClass=posixGroup)(cn=grenadineadmins*)))" attrs=ALL

When I go back to the config and remove the extended query, here is the query that is successful.

      conn=3809 op=1 SRCH base="cn=users,cn=accounts,dc=grenadine,dc=juicy" scope=2 filter="(uid=dave)" attrs=ALL

Seems pfSense doesn't use the RFC 2307 checkbox.
[Attachment: Initial Config.JPG]

chris4916:

Well, the interface might be misleading or even wrong.

The difference between RFC 2307 and 2307bis is mainly how members are described within a group.
Basically, RFC 2307bis will store members as "uniqueMember" (containing the member's DN) while RFC 2307 will look at memberUid storing… the uid.

This is quite different and has a real impact on the way one looks at group membership.

That said, I don't understand your LDAP filter, as you search, within the same filter, for "uid=something" (this searches for the user's LDAP entry, if I'm not wrong) and cn=somethingelse + objectClass=posixGroup, which targets a group.
This works only if your groups contain a uid attribute describing members, which would be odd.

I'm not discussing here the other differences between 2307 and 2307bis about structural vs. auxiliary ;)


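To make the point in the reply above concrete, here is an added example (written for this page, not code from the thread, pfSense or FreeIPA). It builds the three candidate filters, renders them in the same RFC 4515 string form that appears in the slapd log lines quoted in the first post, and evaluates them against a small constructed directory laid out like the DNs in the thread: a compat-tree group that lists members by uid in memberUid (RFC 2307 style) and an accounts-tree group that lists members by DN. The accounts-tree group is assumed to use groupOfNames/member; swap in groupOfUniqueNames/uniqueMember if your schema does. The filter evaluator only covers the subset of the filter grammar the quoted queries use (equality, trailing-* prefix match, &, |, !), and no real directory is contacted.

```python
"""Group-membership lookups under RFC 2307 vs RFC 2307bis, evaluated offline.

Added example (not from the thread or from pfSense/FreeIPA code). The entries
below are constructed to mirror the DNs quoted in the thread; no directory is
contacted, and the evaluator covers only the filter subset the quoted queries
use (equality, trailing-* prefix match, &, |, !).
"""
from typing import Dict, List

Entry = Dict[str, List[str]]
Filter = tuple  # ("eq", attr, value) | ("and", [..]) | ("or", [..]) | ("not", f)

BASE = "dc=grenadine,dc=juicy"
USER_DN = f"uid=dave,cn=users,cn=accounts,{BASE}"
GROUPS_COMPAT = f"cn=groups,cn=compat,{BASE}"      # RFC 2307 view (memberUid)
GROUPS_ACCOUNTS = f"cn=groups,cn=accounts,{BASE}"  # RFC 2307bis view (member DN), assumed groupOfNames

# Constructed sample directory; attribute values are illustrative only.
DIRECTORY: Dict[str, Entry] = {
    USER_DN: {
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["dave"],
        "cn": ["Dave Example"],
    },
    f"cn=grenadineadmins,{GROUPS_COMPAT}": {
        "objectClass": ["posixGroup"],
        "cn": ["grenadineadmins"],
        "memberUid": ["dave", "alice"],          # RFC 2307: members by uid
    },
    f"cn=grenadineadmins,{GROUPS_ACCOUNTS}": {
        "objectClass": ["groupOfNames", "posixGroup"],
        "cn": ["grenadineadmins"],
        "member": [USER_DN],                      # RFC 2307bis: members by DN
    },
}


def render(f: Filter) -> str:
    """Serialise a filter tuple to RFC 4515 string form, as it appears in slapd logs."""
    op = f[0]
    if op == "eq":
        return f"({f[1]}={f[2]})"
    if op in ("and", "or"):
        return "(" + ("&" if op == "and" else "|") + "".join(render(x) for x in f[1]) + ")"
    if op == "not":
        return "(!" + render(f[1]) + ")"
    raise ValueError(f"unknown filter op {op!r}")


def matches(entry: Entry, f: Filter) -> bool:
    """Evaluate a filter against one entry (attribute names and values case-insensitive)."""
    op = f[0]
    if op == "eq":
        attr, want = f[1].lower(), f[2].lower()
        have = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
        if want.endswith("*"):                    # trailing wildcard: prefix match
            return any(v.startswith(want[:-1]) for v in have)
        return any(v == want for v in have)
    if op == "and":
        return all(matches(entry, x) for x in f[1])
    if op == "or":
        return any(matches(entry, x) for x in f[1])
    if op == "not":
        return not matches(entry, f[1])
    raise ValueError(f"unknown filter op {op!r}")


def search(directory: Dict[str, Entry], base: str, f: Filter) -> List[str]:
    """Subtree search (scope=2) under base: DNs of entries matching f."""
    base_l = base.lower()
    return sorted(dn for dn, e in directory.items()
                  if (dn.lower() == base_l or dn.lower().endswith("," + base_l)) and matches(e, f))


def logged_filter(uid: str, group_cn: str) -> Filter:
    """Shape of the filter seen in the thread's log: user uid ANDed with group cn."""
    return ("and", [("eq", "uid", uid), ("eq", "cn", group_cn)])


def rfc2307_group_filter(uid: str, group_cn: str) -> Filter:
    """RFC 2307: membership is the uid value in the group's memberUid attribute."""
    return ("and", [("eq", "objectClass", "posixGroup"), ("eq", "cn", group_cn), ("eq", "memberUid", uid)])


def rfc2307bis_group_filter(user_dn: str, group_cn: str) -> Filter:
    """RFC 2307bis (groupOfNames assumed): membership is the user's DN in the member attribute."""
    return ("and", [("eq", "objectClass", "groupOfNames"), ("eq", "cn", group_cn), ("eq", "member", user_dn)])


def compare() -> Dict[str, List[str]]:
    """Run the three filters against the sample tree and return what each one finds."""
    return {
        "logged": search(DIRECTORY, GROUPS_COMPAT, logged_filter("dave", "grenadineadmins")),
        "rfc2307": search(DIRECTORY, GROUPS_COMPAT, rfc2307_group_filter("dave", "grenadineadmins")),
        "rfc2307bis": search(DIRECTORY, GROUPS_ACCOUNTS, rfc2307bis_group_filter(USER_DN, "grenadineadmins")),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:11s} {render(logged_filter('dave', 'grenadineadmins')) if name == 'logged' else ''} -> {hits or 'no match'}")
```

Running it shows why the logged query returns nothing: the group entries under cn=groups,cn=compat have no uid attribute, so "(&(uid=dave)(cn=grenadineadmins))" can never match a group, whereas the memberUid form finds the compat group and the member-DN form finds the accounts group. The same logic explains the behaviour in the first post: without the extended query pfSense only has to run "(uid=dave)" under cn=users, which succeeds.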