Netgate Discussion Forum

Solved "No page assigned to this user" issue with LDAP authentication

    JulioQc
    last edited by Nov 2, 2016, 2:46 AM

    Hello,

    Following the 2.3 update, my LDAP authentication for the GUI was broken. Although it was working before, and although the 'user authentication' test in pfSense was still returning the right group membership and all relevant permissions were assigned to the group, I was getting the dreadful "No page assigned to this user" when logging in with my AD account :(

    I've been banging my head on this one until I found a random solution. After removing the group in pfSense and re-adding it, I noticed the group membership was not returned anymore, although the user was indeed a member in AD. Removing and re-adding the user to the corresponding group in AD did not work at all. So I completely deleted the corresponding group in AD, recreated it, added the user as a member in AD and voilà!

    So basically, recreate the group in pfSense with all necessary permissions, then recreate the group in AD (don't forget to add the user's membership to it).
    Everything else was left untouched (authentication server config and the AD user himself).

    For those wondering, yes, the group had the exact same name in pfSense and AD ("pfSenseAdmin").

    Obviously this guide is still a reference and has proven useful to troubleshoot: https://forum.pfsense.org/index.php?topic=44689.0

    I believe it's an edge case but if it happens to someone else, I hope my experience can help :)

      jimp Rebel Alliance Developer Netgate
      last edited by Nov 8, 2016, 6:17 PM

      Possibly related note: On pfSense when you add a group for use by LDAP (or RADIUS), make sure you set the scope to "Remote" – local scope groups have name length and format restrictions that remote scope groups do not.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        logo78
        last edited by Mar 7, 2017, 1:41 PM

        @JulioQc:

        I believe it's an edge case but if it happens to someone else, I hope my experience can help :)

        Man! I spent the whole of last night troubleshooting this. I am using v2.3.3 and AD Server 2016.
        With your recreate-everything workaround it was running immediately.
        Thank you for sharing your experiences and saving me another couple of hours!!

        btw: is there an explanation for this behaviour/implausibility? Do we have to be afraid that this will happen again for no reason?
        Thx again.

          jimp Rebel Alliance Developer Netgate
          last edited by Mar 7, 2017, 1:43 PM

          Run a diff between your old configuration file and the current configuration file that works and you'll probably spot why it works now and didn't before.

          There is no magic to creating the entry again.

          1 Reply Last reply Reply Quote 0
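
The configuration diff suggested in the post above can be narrowed to the group entries, which is where scope and assigned privileges live. The following is an added example, not part of the original thread and not Netgate code; it assumes the usual `config.xml` layout (`<system>` containing `<group>` elements with `<name>`, `<scope>`, `<gid>` and `<priv>` children), and both configuration fragments are constructed sample data rather than anyone's real configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments (not taken from the thread).
OLD_CONFIG = """<pfsense><system>
  <group><name>admins</name><scope>system</scope><gid>1999</gid><priv>page-all</priv></group>
  <group><name>pfSenseAdmin</name><scope>local</scope><gid>2000</gid></group>
</system></pfsense>"""

NEW_CONFIG = """<pfsense><system>
  <group><name>admins</name><scope>system</scope><gid>1999</gid><priv>page-all</priv></group>
  <group><name>pfSenseAdmin</name><scope>remote</scope><gid>2001</gid><priv>page-all</priv></group>
</system></pfsense>"""

def load_groups(config_xml):
    """Map group name -> scope, gid and sorted privilege list.
    Element names are assumed from the usual config.xml layout."""
    root = ET.fromstring(config_xml)
    groups = {}
    for g in root.iterfind("./system/group"):
        groups[g.findtext("name", "")] = {
            "scope": g.findtext("scope", ""),
            "gid": g.findtext("gid", ""),
            "privs": sorted(p.text or "" for p in g.findall("priv")),
        }
    return groups

def diff_groups(old_xml, new_xml):
    """Return (group, field, before, after) for every group-level change."""
    old, new = load_groups(old_xml), load_groups(new_xml)
    changes = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            changes.append((name, "added", None, new[name]))
        elif name not in new:
            changes.append((name, "removed", old[name], None))
        else:
            for field in ("scope", "gid", "privs"):
                if old[name][field] != new[name][field]:
                    changes.append((name, field, old[name][field], new[name][field]))
    return changes

if __name__ == "__main__":
    for name, field, before, after in diff_groups(OLD_CONFIG, NEW_CONFIG):
        print(f"{name}: {field}: {before!r} -> {after!r}")
```

To compare real backups, read the two saved configuration files into strings and pass them to `diff_groups` in place of the constructed fragments.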
            logo78
            last edited by Mar 7, 2017, 3:33 PM Mar 7, 2017, 2:16 PM

            I researched and I believe I know the reason.

            The group is received by pfSense only if:
            - the created user in AD (e.g. 'vpnuser') is a member of at least two groups (e.g. 'Domain-User' and 'vpngroup')
            - the AD/pfSense group (e.g. 'vpngroup') is not the default group of 'vpnuser'

            Just tried to replicate this... Strange, but it is as described above.

            btw: the extended query is still not working, but that is another topic :)
            Edit: everything perfect right now, even with multiple extended queries.

            ![Image 24.png](/public/imported_attachments/1/Image 24.png)
