LDAP group membership

  • I'm trying to restrict pfSense LDAP authentication to the users belonging only to a specific LDAP group.

    I configured the Authentication Servers as per documentation but apparently pfSense is unable to obtain user's groups membership. The server is OpenLDAP, the configuration is:

    • Search Scope: one level
    • BaseDN: dc=DOMAIN,dc=it
    • Authentication containers: ou=Users
    • User naming attribute: uid
    • Group naming attribute: cn
    • Group member attribute: memberUid
    • RFC 2307 Groups: enabled
    • Group Object Class: posixGroup

    Auth test works but it appears unable to retrieve groups membership:

    User yetopen authenticated successfully. This user is a member of groups:

    And if I enable Extended query (tried a lot of different config, latest memberOf=CN=openvpn,OU=Groups,DC=DOMAIN,DC=it) it won't authenticate the user.

    I did hours of searches, tried different configs but I'm unable to make LDAP groups work.

    pfSense 2.4.3, openLDAP 2.4.42.


    pfSense OpenLDAP config

  • https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html#group-membership:
    For pfSense to see a group from LDAP, a local group must exist on pfSense with an identical name to the group on the LDAP server.

    also check this: https://redmine.pfsense.org/issues/9527

  • @viktor_g I did spot the docs about the required group, but didn't about the patch! Thank you, I'll upgrade and see if it's fixed.

  • @viktor_g I've upgraded pfSense to latest stable 2.4.5 and, with my disappointment, a patch merged nearly one year ago isn't present yet :(
    I manually patched auth.inc but I'm still unable to filter users by group.
    If I disable the Extended query param and perform a test auth pfSense now fetches user groups.

    But if I add (&(objectClass=posixGroup)(cn=openvpn)(memberUid=*)) to the extended query filter in order to restrict only users in the openvpn group then auth will fail.

  • @maxxer can you show your server's LDAP group object in LDIF format?

  • @viktor_g here it is:

    dn: cn=openvpn,ou=Groups,dc=domain,dc=it
    objectClass: sambaGroupMapping
    objectClass: posixGroup
    sambaGroupType: 2
    sambaSID: S-1-5-21-446527113-4133352199-1973987425-21005
    gidNumber: 10002
    cn: openvpn
    memberUid: tizi.caio
    memberUid: yetopen
    structuralObjectClass: posixGroup
    entryUUID: 5cad3dca-f631-1039-949d-3979f74ed655
    creatorsName: cn=admin,dc=domain,dc=it
    createTimestamp: 20200309090901Z
    entryCSN: 20200831131707.214353Z#000000#000#000000
    modifiersName: cn=admin,dc=domain,dc=it
    modifyTimestamp: 20200831131707Z

  • Hi,
    every time, when I try to change "Group member attribute" from memberUid to others I see wrong filter in my logs on LDAP server:

    filter: (&(objectClass=posixGroup)(memberUid=test@gmail.com)) - correct
    filter: (&(objectClass=posixGroup)(?memberuida=test@gmail.com)) - wrong, I know "memberuida" as attribute not exist, but why arrtibute has "?name"
    filter: (&(objectClass=groupOfUniqueNames)(memberUid=test@gmail.com)) - wrong objectClass BUT! attribute is ok: "memberUid"

    filter: (&(objectClass=groupOfUniqueNames)(?memberOf=test@gmail.com)) - wrong, attributes "?memberOf"
    filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=%s=test@gmail.com)) - wrong "?unique...."

    Why if attributes != memberuid, they are changed to "?attribute" ?
    This is probably why the groups are not showing up :/

  • @sysgone Please provide more info about your configuration and create a bugreport: https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html

Log in to reply