LDAP group membership

maxxer

I'm trying to restrict pfSense LDAP authentication to the users belonging only to a specific LDAP group.

I configured the Authentication Servers as per documentation but apparently pfSense is unable to obtain user's groups membership. The server is OpenLDAP, the configuration is:

Search Scope: one level
BaseDN: dc=DOMAIN,dc=it
Authentication containers: ou=Users
User naming attribute: uid
Group naming attribute: cn
Group member attribute: memberUid
RFC 2307 Groups: enabled
Group Object Class: posixGroup

Auth test works but it appears unable to retrieve groups membership:

User yetopen authenticated successfully. This user is a member of groups:

And if I enable Extended query (tried a lot of different config, latest memberOf=CN=openvpn,OU=Groups,DC=DOMAIN,DC=it) it won't authenticate the user.

I did hours of searches, tried different configs but I'm unable to make LDAP groups work.

pfSense 2.4.3, openLDAP 2.4.42.

Thanks

pfSense OpenLDAP config

viktor_g

https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html#group-membership:
For pfSense to see a group from LDAP, a local group must exist on pfSense with an identical name to the group on the LDAP server.

also check this: https://redmine.pfsense.org/issues/9527

maxxer

@viktor_g I did spot the docs about the required group, but didn't about the patch! Thank you, I'll upgrade and see if it's fixed.

maxxer

@viktor_g I've upgraded pfSense to latest stable 2.4.5 and, with my disappointment, a patch merged nearly one year ago isn't present yet :(
I manually patched auth.inc but I'm still unable to filter users by group.
If I disable the Extended query param and perform a test auth pfSense now fetches user groups.

But if I add (&(objectClass=posixGroup)(cn=openvpn)(memberUid=*)) to the extended query filter in order to restrict only users in the openvpn group then auth will fail.

viktor_g

@maxxer can you show your server's LDAP group object in LDIF format?

maxxer

@viktor_g here it is:

dn: cn=openvpn,ou=Groups,dc=domain,dc=it
objectClass: sambaGroupMapping
objectClass: posixGroup
sambaGroupType: 2
sambaSID: S-1-5-21-446527113-4133352199-1973987425-21005
gidNumber: 10002
cn: openvpn
memberUid: tizi.caio
memberUid: yetopen
structuralObjectClass: posixGroup
entryUUID: 5cad3dca-f631-1039-949d-3979f74ed655
creatorsName: cn=admin,dc=domain,dc=it
createTimestamp: 20200309090901Z
entryCSN: 20200831131707.214353Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=it
modifyTimestamp: 20200831131707Z

sysgone

Hi,
every time, when I try to change "Group member attribute" from memberUid to others I see wrong filter in my logs on LDAP server:

example:
filter: (&(objectClass=posixGroup)(memberUid=test@gmail.com)) - correct
filter: (&(objectClass=posixGroup)(?memberuida=test@gmail.com)) - wrong, I know "memberuida" as attribute not exist, but why arrtibute has "?name"
filter: (&(objectClass=groupOfUniqueNames)(memberUid=test@gmail.com)) - wrong objectClass BUT! attribute is ok: "memberUid"

filter: (&(objectClass=groupOfUniqueNames)(?memberOf=test@gmail.com)) - wrong, attributes "?memberOf"
filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=%s=test@gmail.com)) - wrong "?unique...."

Why if attributes != memberuid, they are changed to "?attribute" ?
This is probably why the groups are not showing up :/

viktor_g

@sysgone Please provide more info about your configuration and create a bugreport: https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html