Admin access to Load Balancer for LDAP accounts

  • I apologize if this is a duplicate. I couldn't find the topic when searching the forum for Load Balancer.

    Background:

    We've created a pfSense group named pfSense_Admins and assigned all available permissions to that group.  We've created a matching security group in Active Directory and assigned all admins to that group. Under 2.1, this allowed members of the pfSense_Admins group to manage the load balancer, adding and removing back end servers as needed.

    We recently updated two 2.1 systems running CARP to 2.3.2. The upgrade appeared to go very well.

    The problem:

    Today, one of our admins logged in and attempted to take a backend server offline for maintenance through the Load Balancer status page.  He de-selected the desired server, then clicked the Save button at the bottom of the page. After the page refresh, he clicked the Apply button to apply the changes. After doing this, the page refreshed, but the server was not taken offline.  It's really hard to take a system down for maintenance when pfSense continues to route traffic to it.

    This is reproducible on our system using any LDAP account.  The load balancer works as expected if we use a local pfSense account, or if we create an "admins" group in Active Directory and assign users to that group.  We would like to keep the name of the security group in Active Directory specific to pfSense, as "admins" is too generic in that context.

    I've checked to see if there are any additional permissions available to assign to the pfSense_Admins group, but I can't find anything that isn't already assigned to the group.

    Is there a "hidden" permission or setting I'm missing, something that has changed since the update from 2.1 to 2.3.2?
    Is this just a bug that I should file a bug report for?

    Thanks!
