Solved "No page assigned to this user" issue with LDAP authentication
-
Hello,
Following the 2.3 update, my LDAP authentication for the GUI was broken. Although it was working before, and the 'user authentication' test in pfSense was still returning the right group membership and all relevant permissions were assigned to the group, I was getting the dreadful "No page assigned to this user" when logging in with my AD account :(
I've been banging my head on this one until I found a random solution. After removing the group in pfSense and re-adding it, I noticed the group membership was not returned anymore, although the user was indeed a member in AD. Trying to remove and re-add the user to the corresponding group in AD did not work at all. So I completely deleted the corresponding group in AD, recreated it, added the user as a member in AD and voilà!
So basically, recreate the group in pfSense with all necessary permissions, then recreate the group in AD (don't forget to add the user's membership to it).
Anything else was left untouched (authentication server config and the AD user himself). For those wondering, yes, the group had the exact same name in pfSense and AD ("pfSenseAdmin").
Obviously this guide is still a reference and has proven useful to troubleshoot: https://forum.pfsense.org/index.php?topic=44689.0
I believe it's an edge case but if it happens to someone else, I hope my experience can help :)
-
Possibly related note: On pfSense when you add a group for use by LDAP (or RADIUS), make sure you set the scope to "Remote" – local scope groups have name length and format restrictions that remote scope groups do not.
-
Man! I spent the whole of last night troubleshooting this. I am using v2.3.3 and AD Server 2016.
With your recreate-everything workaround it was working immediately.
Thank you for sharing your experiences and saving me another couple of hours!! btw: is there an explanation for this behaviour/implausibility? Do we have to be afraid that this will happen again for no reason?
Thx again.
-
Run a diff between your old configuration file and the current configuration file that works and you'll probably spot why it works now and didn't before.
There is no magic to creating the entry again.
-
I researched and I believe I know the reason.
The group is received by pfSense only if:
- the user created in AD (e.g. 'vpnuser') is a member of at least two groups (e.g. 'Domain-User' and 'vpngroup')
- the AD/pfSense group (e.g. 'vpngroup') is not the default group of 'vpnuser'
Just tried to replicate this... Strange, but it is as described above.
btw: the extended query is still not working, but that is another topic :)
Edit: everything perfect right now, even with multiple extended queries.
![Image 24.png](/public/imported_attachments/1/Image 24.png)
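The "default group" condition in the post above matches how Active Directory stores group membership: a user's primary group is recorded only as a RID in the `primaryGroupID` attribute and is never listed in the user's `memberOf` attribute (nor in the group's `member` attribute). A client that matches groups by reading `memberOf`, which is what pfSense's LDAP group lookup does with the usual AD settings, therefore never sees the primary group, so making the pfSense group the user's default group in AD produces exactly the "no matching group" symptom. The following is an added example written for this thread, not code from pfSense or from the posters; it resolves the primary group from `primaryGroupID` so that the effective group list is complete. The directory entries, DNs and SIDs are constructed sample data, not taken from the thread.

```python
"""Resolve an AD user's effective groups, including the primary group
that memberOf omits. Added example; the directory below is constructed."""

# Constructed LDAP snapshot: DN -> attributes (multi-valued, as LDAP returns them).
DIRECTORY = {
    "CN=pfSenseAdmin,OU=Groups,DC=example,DC=local": {
        "objectClass": ["top", "group"],
        "objectSid": ["S-1-5-21-1111-2222-3333-1105"],   # RID 1105 (assumed)
        "member": ["CN=vpnuser,OU=Users,DC=example,DC=local"],
    },
    "CN=Domain Users,CN=Users,DC=example,DC=local": {
        "objectClass": ["top", "group"],
        "objectSid": ["S-1-5-21-1111-2222-3333-513"],    # well-known RID 513
        "member": [],   # primary-group members are not stored in 'member' either
    },
    # Normal case: pfSenseAdmin is a regular membership, Domain Users is primary.
    "CN=vpnuser,OU=Users,DC=example,DC=local": {
        "objectClass": ["top", "person", "user"],
        "objectSid": ["S-1-5-21-1111-2222-3333-1234"],
        "primaryGroupID": ["513"],
        "memberOf": ["CN=pfSenseAdmin,OU=Groups,DC=example,DC=local"],
    },
    # Failure case from the thread: pfSenseAdmin was set as the user's
    # primary ("default") group, so it vanishes from memberOf.
    "CN=vpnuser2,OU=Users,DC=example,DC=local": {
        "objectClass": ["top", "person", "user"],
        "objectSid": ["S-1-5-21-1111-2222-3333-1235"],
        "primaryGroupID": ["1105"],
        "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=local"],
    },
}

VPNUSER_DN = "CN=vpnuser,OU=Users,DC=example,DC=local"
VPNUSER2_DN = "CN=vpnuser2,OU=Users,DC=example,DC=local"


def cn_of(dn):
    """Return the leading CN value of a DN ('CN=foo,OU=...' -> 'foo')."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def domain_sid(sid):
    """Drop the trailing RID: S-1-5-21-a-b-c-1234 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def memberof_groups(directory, user_dn):
    """Groups as a memberOf-only lookup (the pfSense-style check) sees them."""
    return [cn_of(g) for g in directory[user_dn].get("memberOf", [])]


def primary_group_cn(directory, user_dn):
    """Resolve primaryGroupID: the primary group is the group whose objectSid
    is the user's domain SID followed by the primaryGroupID RID."""
    user = directory[user_dn]
    rid = user["primaryGroupID"][0]
    wanted = f"{domain_sid(user['objectSid'][0])}-{rid}"
    for dn, attrs in directory.items():
        if "group" in attrs.get("objectClass", []) and attrs["objectSid"][0] == wanted:
            return cn_of(dn)
    return None


def effective_groups(directory, user_dn):
    """memberOf groups plus the primary group, i.e. what AD really grants."""
    groups = set(memberof_groups(directory, user_dn))
    primary = primary_group_cn(directory, user_dn)
    if primary is not None:
        groups.add(primary)
    return groups


def memberof_misses_group(directory, user_dn, group_cn):
    """True when the user holds group_cn only as the primary group, which a
    memberOf-based check (and hence the pfSense group mapping) will not see."""
    return group_cn in effective_groups(directory, user_dn) and \
        group_cn not in memberof_groups(directory, user_dn)


if __name__ == "__main__":
    for dn in (VPNUSER_DN, VPNUSER2_DN):
        print(cn_of(dn), "memberOf:", memberof_groups(DIRECTORY, dn),
              "effective:", sorted(effective_groups(DIRECTORY, dn)),
              "pfSenseAdmin missed:", memberof_misses_group(DIRECTORY, dn, "pfSenseAdmin"))
```

The practical check before blaming pfSense: look at the user's `primaryGroupID` in AD. If it is not 513 (Domain Users) and equals the RID of the group you mapped in pfSense, the group is the user's primary group and will never appear in `memberOf`; setting the primary group back to Domain Users (which is what deleting and recreating the group in AD achieves as a side effect) restores the membership the pfSense check is looking for.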