LDAP group membership
maxxer last edited by maxxer
I'm trying to restrict pfSense LDAP authentication to the users belonging only to a specific LDAP group.
I configured the Authentication Servers as per documentation but apparently pfSense is unable to obtain user's groups membership. The server is OpenLDAP, the configuration is:
- Search Scope: one level
- BaseDN: dc=DOMAIN,dc=it
- Authentication containers: ou=Users
- User naming attribute: uid
- Group naming attribute: cn
- Group member attribute: memberUid
- RFC 2307 Groups: enabled
- Group Object Class: posixGroup
Auth test works but it appears unable to retrieve groups membership:
User yetopen authenticated successfully. This user is a member of groups:
And if I enable Extended query (tried a lot of different config, latest
memberOf=CN=openvpn,OU=Groups,DC=DOMAIN,DC=it) it won't authenticate the user.
I did hours of searches, tried different configs but I'm unable to make LDAP groups work.
pfSense 2.4.3, openLDAP 2.4.42.
viktor_g last edited by viktor_g
For pfSense to see a group from LDAP, a local group must exist on pfSense with an identical name to the group on the LDAP server.
also check this: https://redmine.pfsense.org/issues/9527
@viktor_g I did spot the docs about the required group, but didn't about the patch! Thank you, I'll upgrade and see if it's fixed.
@viktor_g I've upgraded pfSense to latest stable 2.4.5 and, with my disappointment, a patch merged nearly one year ago isn't present yet :(
I manually patched
auth.incbut I'm still unable to filter users by group.
If I disable the Extended query param and perform a test auth pfSense now fetches user groups.
But if I add
(&(objectClass=posixGroup)(cn=openvpn)(memberUid=*))to the extended query filter in order to restrict only users in the openvpn group then auth will fail.
viktor_g last edited by
@maxxer can you show your server's LDAP group object in LDIF format?
@viktor_g here it is:
dn: cn=openvpn,ou=Groups,dc=domain,dc=it objectClass: sambaGroupMapping objectClass: posixGroup sambaGroupType: 2 sambaSID: S-1-5-21-446527113-4133352199-1973987425-21005 gidNumber: 10002 cn: openvpn memberUid: tizi.caio memberUid: yetopen structuralObjectClass: posixGroup entryUUID: 5cad3dca-f631-1039-949d-3979f74ed655 creatorsName: cn=admin,dc=domain,dc=it createTimestamp: 20200309090901Z entryCSN: 20200831131707.214353Z#000000#000#000000 modifiersName: cn=admin,dc=domain,dc=it modifyTimestamp: 20200831131707Z
every time, when I try to change "Group member attribute" from memberUid to others I see wrong filter in my logs on LDAP server:
filter: (&(objectClass=posixGroup)(memberUidemail@example.com)) - correct
filter: (&(objectClass=posixGroup)(?firstname.lastname@example.org)) - wrong, I know "memberuida" as attribute not exist, but why arrtibute has "?name"
filter: (&(objectClass=groupOfUniqueNames)(memberUidemail@example.com)) - wrong objectClass BUT! attribute is ok: "memberUid"
filter: (&(objectClass=groupOfUniqueNames)(?memberOffirstname.lastname@example.org)) - wrong, attributes "?memberOf"
filter: (&(objectClass=groupOfUniqueNames)(?uniqueMemberemail@example.com)) - wrong "?unique...."
Why if attributes != memberuid, they are changed to "?attribute" ?
This is probably why the groups are not showing up :/
viktor_g last edited by
@sysgone Please provide more info about your configuration and create a bugreport: https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html