LDAP and FreeIPA 4.4.1 Frustrations

  • Just FYI, there is only one way to use FreeIPA on Pfsense 2.3.4.

    You need to connect to FreeIPA over ssl using freeipa signed cert.  Maybe you can do it more simply, but this is what worked for me.

    After you fill in the host, the distinguished name field needs to look something like this: cn=compat,dc=my-domain,dc=com  cn=compat matters.

    Enable RFC 2307 Groups

    User naming attribute:uid
    Group naming attribute:cn
    Group member attribute: memberUid
    Group Object Class: posixGroup

    The way users are set up in FreeIPA and the search method in PfSense, there's no way to filter that I could tell.  It fails on memberOf queries.  For some reason, some object classes partially work and others do not work at all.  For example, cn~=fw_admins as an extended search fails to return anything even though the query logged on the LDAP server works from ldapsearch.

    It's also important to know the "extended search" option is during the user authentication step, not filter groups.

    Disabling Rfc 2307 Groups builds a different search string that fails with no way to control the attrs output.
    SRCH base="cn=compat,DC=mydomain,DC=zz" scope=2 filter="(&(uid=myuser)(&(objectClass=posixGroup)(cn=fw_admins)))" attrs=ALL

    A successful search string looks like this:
    SRCH base="DC=mydomain,DC=zz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=myuser))" attrs="memberUid"

    What happens in this scenario once you get LDAP auth working, is that any user is able to authenticate on PFSense.  However, if they don't belong to a matching pfsense local group, there is an error because their group doesn't exist.

  • It turns out the problem was you MUST authenticate to do an extended search.  There is no indication of denied access as anonymous user in a normal 389DS setup.  So, of course I assumed the search was permitted.  :-[

    I posted revised instructions in the documentation sub-forum.

Log in to reply