2.3.2 and LDAP Group Membership

  • I'm trying to get LDAP group membership to work. pfSense 2.3.2 isn't getting the groups correctly. I'm trying to do group membership with RFC 2307bis (user object based) style group membership. I'm using OpenLDAP 2.4 with the memberOf overlay to achieve this.

    The authentication bind for the user works fine. The service account authentication bind works fine too. The authorization LDAP search looks to be working fine too. It is finding the user and getting the memberOf attribute. Yet in the authentication diagnostics tab, it never displays any of the groups that the user is a member of. I'm using groupOfNames objects to be the group objects. I'm using the CN for both the user object and the group object as the short name.

    Does anybody have any idea of what this issue could be?

  • Rebel Alliance Developer Netgate

    Do you have a group of the exact same name on pfSense? The groups will only be listed if a local matching group also exists.
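    The matching rule described in this reply, as an added example that is not pfSense's own code: given the memberOf values returned for a user and the names of the local groups, only groups whose CN exactly matches a local group name are mapped. The LDAP entry, the local group list and the exact-match assumption are all constructed for the example.

```python
"""Added example (not pfSense code): emulate the rule that an LDAP group is
only listed for a user when a local group with the same short name exists."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: an authorization search result for a user whose entry
# carries the memberOf attribute (OpenLDAP memberOf overlay, RFC 2307bis style).
USER_ENTRY = {
    "dn": "cn=jdoe,ou=people,dc=example,dc=com",
    "memberOf": [
        "cn=admins,ou=groups,dc=example,dc=com",
        "cn=vpn-users,ou=groups,dc=example,dc=com",
        "cn=Network Ops,ou=groups,dc=example,dc=com",
    ],
}

# Constructed sample: groups that exist locally on the firewall.
LOCAL_GROUPS: Set[str] = {"admins", "Network Ops"}

# First RDN of the DN must be a cn=... component for the group to have a short name.
_CN_RE = re.compile(r"^cn=([^,]+)", re.IGNORECASE)


def short_name(dn: str) -> Optional[str]:
    """Return the CN value from the leading RDN of a group DN, or None."""
    m = _CN_RE.match(dn.strip())
    return m.group(1) if m else None


def map_groups(member_of: List[str], local_groups: Set[str]) -> Dict[str, List[str]]:
    """Split memberOf DNs into groups that map to a local group and those that
    are silently dropped. Assumes exact (case-sensitive) name matching."""
    matched: List[str] = []
    unmatched: List[str] = []
    for dn in member_of:
        cn = short_name(dn)
        if cn is None:
            unmatched.append(dn)  # no cn= RDN, cannot derive a short name
        elif cn in local_groups:
            matched.append(cn)
        else:
            unmatched.append(cn)  # remote group with no local counterpart
    return {"matched": matched, "unmatched": unmatched}


if __name__ == "__main__":
    result = map_groups(USER_ENTRY["memberOf"], LOCAL_GROUPS)
    print("listed on pfSense:", result["matched"])
    print("dropped (create a local group of this name):", result["unmatched"])
```

    Any group in the "unmatched" list is the one to create locally under the user manager before it will appear in the authentication test.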

  • Thanks, that was the issue.

    Nowhere did I see in the Admin UI that an admin had to create a local group to mirror the remote (LDAP) group as a requirement. Probably want to make some type of note of that in the UI or at least have a link to the documentation about it in the LDAP/RADIUS authentication server configuration section.

  • Rebel Alliance Developer Netgate

    It was already covered in the book but I added it a couple places in the wiki just now.
