Using primaryGroupID as group member attribute
TL;DR: Why can I not use "primaryGroupID" as "group member attribute"?
In my AD (Win 2019) I have defined a set of admin users. The admins can be members of either group_a or group_b. Some of those admins have their primary group set as group_a or group_b.
I.e. the structure might look something like this:
- domain.com
  - Admins
    - User1
    - User2
    - ...
  - Admins
    - Groups
      - group_a
      - group_b
      - ...
User1 is a member of "Domain Users" and "group_a". User2 has the same membership as User1. The difference between User1 and User2 is that User1 has its primary group set as group_a while User2 has its primary group set as Domain Users.
According to this link (https://ldapwiki.com/wiki/MemberOf) I cannot use the "memberOf" attribute to find out the primary group of a user authenticating towards pfSense.
I only want users that have their primary group set to either group_a or group_b to have local access rights to the pfSense firewall.
So I figured that in the pfSense web GUI (User manager - authentication servers), I would use "primaryGroupID" as the "group member attribute". I have created user groups locally on pfSense that are named the same as the groups' IDs (in my case, 1013 and 1014 for group_a and group_b respectively).
Having done this, whenever I use Diagnostics - Authentication, the group membership is not displayed (i.e. User1 and User2 can be authenticated but are not members of any group(s)).
What am I missing? Please note: Changing the primary group back to the default "Domain users" is not an option.
I'm using pfSense 2.3.4
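The post's difficulty comes from how AD stores the primary group: primaryGroupID holds only the group's RID (a number such as 1013), the group's actual SID is the user's domain SID plus that RID, and the group is deliberately left out of the user's memberOf (and the group's member) attribute. A "group member attribute" lookup that matches attribute values against group names therefore never sees it. The following script is an added example, not code from the post or from pfSense; it uses a constructed domain SID and constructed user/group entries with the RIDs named above (1013, 1014 and the well-known Domain Users RID 513), and shows how a login check that honours the primary group has to be built: decode the binary objectSid, derive the primary group's SID from primaryGroupID, and resolve that SID to a group object before comparing.

```python
import struct

# Constructed sample data: a made-up domain SID and the groups from the post.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
GROUPS = {  # objectSid -> distinguishedName
    f"{DOMAIN_SID}-513":  "CN=Domain Users,CN=Users,DC=domain,DC=com",
    f"{DOMAIN_SID}-1013": "CN=group_a,OU=Groups,DC=domain,DC=com",
    f"{DOMAIN_SID}-1014": "CN=group_b,OU=Groups,DC=domain,DC=com",
}
# Groups whose primary-group members should get firewall access.
ALLOWED_PRIMARY_GROUP_DNS = {GROUPS[f"{DOMAIN_SID}-1013"], GROUPS[f"{DOMAIN_SID}-1014"]}


def sid_bytes_to_str(blob: bytes) -> str:
    """Decode the binary objectSid AD returns over LDAP into S-1-5-... form.
    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x uint32 little-endian."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_str_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_str; used here only to build the sample entries."""
    parts = sid.split("-")
    assert parts[0] == "S"
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# User1 as described in the post: primary group is group_a, so AD does NOT list
# group_a in memberOf; Domain Users shows up there as an ordinary membership.
USER1 = {
    "sAMAccountName": "User1",
    "objectSid": sid_str_to_bytes(f"{DOMAIN_SID}-1105"),
    "primaryGroupID": 1013,
    "memberOf": [GROUPS[f"{DOMAIN_SID}-513"]],
}
# User2: primary group is Domain Users (513), group_a is a normal membership.
USER2 = {
    "sAMAccountName": "User2",
    "objectSid": sid_str_to_bytes(f"{DOMAIN_SID}-1106"),
    "primaryGroupID": 513,
    "memberOf": [GROUPS[f"{DOMAIN_SID}-1013"]],
}


def primary_group_sid(user: dict) -> str:
    """The primary group's SID is the user's domain SID with the RID swapped
    for primaryGroupID; this is what a raw 'primaryGroupID' value means."""
    domain_sid = sid_bytes_to_str(user["objectSid"]).rsplit("-", 1)[0]
    return f"{domain_sid}-{user['primaryGroupID']}"


def effective_groups(user: dict, groups_by_sid: dict = GROUPS) -> set:
    """memberOf plus the primary group, which memberOf alone omits."""
    names = set(user["memberOf"])
    pg_dn = groups_by_sid.get(primary_group_sid(user))
    if pg_dn is not None:
        names.add(pg_dn)
    return names


def member_of_check(user: dict, group_dn: str) -> bool:
    """What a memberOf-only 'group member attribute' lookup can see."""
    return group_dn in user["memberOf"]


def primary_group_check(user: dict, allowed_dns: set = ALLOWED_PRIMARY_GROUP_DNS,
                        groups_by_sid: dict = GROUPS) -> bool:
    """Grant access only if the resolved primary group is one of the allowed groups."""
    return groups_by_sid.get(primary_group_sid(user)) in allowed_dns


if __name__ == "__main__":
    for u in (USER1, USER2):
        print(u["sAMAccountName"], primary_group_sid(u), sorted(effective_groups(u)),
              "memberOf sees group_a:", member_of_check(u, GROUPS[f"{DOMAIN_SID}-1013"]),
              "primary-group access:", primary_group_check(u))
```

Running it shows the asymmetry the post ran into: User1 is effectively in group_a but a memberOf match for group_a fails, while User2 matches on memberOf and fails the primary-group test. A numeric primaryGroupID value also cannot be compared against a group name without the SID derivation above, which is why local groups named "1013" and "1014" never match.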