Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    LDAP group membership

    Scheduled Pinned Locked Moved General pfSense Questions
    13 Posts 5 Posters 3.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • maxxerM
      maxxer
      last edited by maxxer

      I'm trying to restrict pfSense LDAP authentication to the users belonging only to a specific LDAP group.

      I configured the Authentication Servers as per documentation but apparently pfSense is unable to obtain user's groups membership. The server is OpenLDAP, the configuration is:

      • Search Scope: one level
      • BaseDN: dc=DOMAIN,dc=it
      • Authentication containers: ou=Users
      • User naming attribute: uid
      • Group naming attribute: cn
      • Group member attribute: memberUid
      • RFC 2307 Groups: enabled
      • Group Object Class: posixGroup

      Auth test works but it appears unable to retrieve groups membership:

      User yetopen authenticated successfully. This user is a member of groups:

      And if I enable Extended query (tried a lot of different config, latest memberOf=CN=openvpn,OU=Groups,DC=DOMAIN,DC=it) it won't authenticate the user.

      I did hours of searches, tried different configs but I'm unable to make LDAP groups work.

      pfSense 2.4.3, openLDAP 2.4.42.

      Thanks

      pfSense OpenLDAP config

      1 Reply Last reply Reply Quote 0
      • viktor_gV
        viktor_g Netgate
        last edited by viktor_g

        https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html#group-membership:
        For pfSense to see a group from LDAP, a local group must exist on pfSense with an identical name to the group on the LDAP server.

        also check this: https://redmine.pfsense.org/issues/9527

        maxxerM 2 Replies Last reply Reply Quote 2
        • maxxerM
          maxxer @viktor_g
          last edited by

          @viktor_g I did spot the docs about the required group, but didn't about the patch! Thank you, I'll upgrade and see if it's fixed.

          1 Reply Last reply Reply Quote 0
          • maxxerM
            maxxer @viktor_g
            last edited by

            @viktor_g I've upgraded pfSense to latest stable 2.4.5 and, with my disappointment, a patch merged nearly one year ago isn't present yet :(
            I manually patched auth.inc but I'm still unable to filter users by group.
            If I disable the Extended query param and perform a test auth pfSense now fetches user groups.

            But if I add (&(objectClass=posixGroup)(cn=openvpn)(memberUid=*)) to the extended query filter in order to restrict only users in the openvpn group then auth will fail.

            viktor_gV 1 Reply Last reply Reply Quote 0
            • viktor_gV
              viktor_g Netgate @maxxer
              last edited by

              @maxxer can you show your server's LDAP group object in LDIF format?

              maxxerM 1 Reply Last reply Reply Quote 0
              • maxxerM
                maxxer @viktor_g
                last edited by

                @viktor_g here it is:

                dn: cn=openvpn,ou=Groups,dc=domain,dc=it
                objectClass: sambaGroupMapping
                objectClass: posixGroup
                sambaGroupType: 2
                sambaSID: S-1-5-21-446527113-4133352199-1973987425-21005
                gidNumber: 10002
                cn: openvpn
                memberUid: tizi.caio
                memberUid: yetopen
                structuralObjectClass: posixGroup
                entryUUID: 5cad3dca-f631-1039-949d-3979f74ed655
                creatorsName: cn=admin,dc=domain,dc=it
                createTimestamp: 20200309090901Z
                entryCSN: 20200831131707.214353Z#000000#000#000000
                modifiersName: cn=admin,dc=domain,dc=it
                modifyTimestamp: 20200831131707Z
                
                1 Reply Last reply Reply Quote 0
                • S
                  sysgone
                  last edited by

                  Hi,
                  every time, when I try to change "Group member attribute" from memberUid to others I see wrong filter in my logs on LDAP server:

                  example:
                  filter: (&(objectClass=posixGroup)(memberUid=test@gmail.com)) - correct
                  filter: (&(objectClass=posixGroup)(?memberuida=test@gmail.com)) - wrong, I know "memberuida" as attribute not exist, but why arrtibute has "?name"
                  filter: (&(objectClass=groupOfUniqueNames)(memberUid=test@gmail.com)) - wrong objectClass BUT! attribute is ok: "memberUid"

                  filter: (&(objectClass=groupOfUniqueNames)(?memberOf=test@gmail.com)) - wrong, attributes "?memberOf"
                  filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=%s=test@gmail.com)) - wrong "?unique...."

                  Why if attributes != memberuid, they are changed to "?attribute" ?
                  This is probably why the groups are not showing up :/

                  viktor_gV F 2 Replies Last reply Reply Quote 0
                  • viktor_gV
                    viktor_g Netgate @sysgone
                    last edited by

                    @sysgone Please provide more info about your configuration and create a bugreport: https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html

                    1 Reply Last reply Reply Quote 0
                    • F
                      fabriciogcbh @sysgone
                      last edited by

                      @sysgone

                      @sysgone said in LDAP group membership:

                      Hi,
                      every time, when I try to change "Group member attribute" from memberUid to others I see wrong filter in my logs on LDAP server:

                      example:
                      filter: (&(objectClass=posixGroup)(memberUid=test@gmail.com)) - correct
                      filter: (&(objectClass=posixGroup)(?memberuida=test@gmail.com)) - wrong, I know "memberuida" as attribute not exist, but why arrtibute has "?name"
                      filter: (&(objectClass=groupOfUniqueNames)(memberUid=test@gmail.com)) - wrong objectClass BUT! attribute is ok: "memberUid"

                      filter: (&(objectClass=groupOfUniqueNames)(?memberOf=test@gmail.com)) - wrong, attributes "?memberOf"
                      filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=%s=test@gmail.com)) - wrong "?unique...."

                      Why if attributes != memberuid, they are changed to "?attribute" ?
                      This is probably why the groups are not showing up :/

                      Hi, I'm having the same problem, has anyone found a solution?

                      Today I have my openvpn and firewall in separate services on bsd, everything works perfectly, but it's an old machine, I need to update the services, I'm migrating to pfsense, and I can't manage the filter by groups.
                      I installed version 2.7.0 of pfsense, I found several videos and documents of people using the "extended query", but they were all Microsoft AD.

                      I use Openldap, monitoring the ldap server, I saw that the extended query for the group goes together with the user filter, because of this all the rules fail authentication

                      I have tested user filters and it works well.
                      No group filter parameters work.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        This?: https://redmine.pfsense.org/issues/13093

                        F 1 Reply Last reply Reply Quote 0
                        • F
                          fabriciogcbh @stephenw10
                          last edited by

                          @stephenw10 said in LDAP group membership:

                          This?: https://redmine.pfsense.org/issues/13093

                          This is exactly my problem, surprised to be on the list for a year.

                          Based on Jim Pingle's solution, I made several attempts, even using Apache Directory Studio, I came up with a solution,

                          Jim Pingle Solution
                          &(objectClass=posixGroup)(cn=VPNUsers)(memberUid=) --> doesn't work for me
                          &(objectClass=posixGroup)(cn=VPNUsers)(member=) --> works for me

                          Jim Pingle Result
                          (&(memberUid=jimp)(&(objectClass=posixGroup)(cn=VPNUsers)(memberUid=*)))

                          My result
                          (&(member=uid=jimp,ou=people,dc=myserver,dc=example,dc=com)(&(objectClass=posixGroup)(cn=VPNUsers)(member=*)))

                          Detail that I needed to change,
                          Group member Attribute = member
                          Didn't work with memberOf or memberUid

                          My version
                          OpenLDAP: slapd (May 23 2018 04:25:19) $
                          Debian OpenLDAP Maintainers

                          Thank you very much for your feedback

                          F 1 Reply Last reply Reply Quote 2
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            Nice result! 👍

                            1 Reply Last reply Reply Quote 0
                            • F
                              fabriciogcbh @fabriciogcbh
                              last edited by

                              @fabriciogcbh said in LDAP group membership:

                              correcting a flaw in the post. it looks like the site removed characters. I couldn't edit, editing timed out.

                              Jim Pingle Solution
                              doesn't work for me

                              &(objectClass=posixGroup)(cn=VPNUsers)(memberUid=*)
                              

                              works for me

                              &(objectClass=posixGroup)(cn=VPNUsers)(member=*)
                              
                              1 Reply Last reply Reply Quote 1
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.