LDAP group membership
-
I'm trying to restrict pfSense LDAP authentication to the users belonging only to a specific LDAP group.
I configured the Authentication Servers as per documentation but apparently pfSense is unable to obtain user's groups membership. The server is OpenLDAP, the configuration is:
- Search Scope: one level
- BaseDN: dc=DOMAIN,dc=it
- Authentication containers: ou=Users
- User naming attribute: uid
- Group naming attribute: cn
- Group member attribute: memberUid
- RFC 2307 Groups: enabled
- Group Object Class: posixGroup
Auth test works but it appears unable to retrieve groups membership:
User yetopen authenticated successfully. This user is a member of groups:
And if I enable Extended query (tried a lot of different config, latest
memberOf=CN=openvpn,OU=Groups,DC=DOMAIN,DC=it) it won't authenticate the user.I did hours of searches, tried different configs but I'm unable to make LDAP groups work.
pfSense 2.4.3, openLDAP 2.4.42.
Thanks
-
https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html#group-membership:
For pfSense to see a group from LDAP, a local group must exist on pfSense with an identical name to the group on the LDAP server.also check this: https://redmine.pfsense.org/issues/9527
-
@viktor_g I did spot the docs about the required group, but didn't about the patch! Thank you, I'll upgrade and see if it's fixed.
-
@viktor_g I've upgraded pfSense to latest stable 2.4.5 and, with my disappointment, a patch merged nearly one year ago isn't present yet :(
I manually patchedauth.incbut I'm still unable to filter users by group.
If I disable the Extended query param and perform a test auth pfSense now fetches user groups.But if I add
(&(objectClass=posixGroup)(cn=openvpn)(memberUid=*))to the extended query filter in order to restrict only users in the openvpn group then auth will fail. -
@maxxer can you show your server's LDAP group object in LDIF format?
-
@viktor_g here it is:
dn: cn=openvpn,ou=Groups,dc=domain,dc=it objectClass: sambaGroupMapping objectClass: posixGroup sambaGroupType: 2 sambaSID: S-1-5-21-446527113-4133352199-1973987425-21005 gidNumber: 10002 cn: openvpn memberUid: tizi.caio memberUid: yetopen structuralObjectClass: posixGroup entryUUID: 5cad3dca-f631-1039-949d-3979f74ed655 creatorsName: cn=admin,dc=domain,dc=it createTimestamp: 20200309090901Z entryCSN: 20200831131707.214353Z#000000#000#000000 modifiersName: cn=admin,dc=domain,dc=it modifyTimestamp: 20200831131707Z -
Hi,
every time, when I try to change "Group member attribute" from memberUid to others I see wrong filter in my logs on LDAP server:example:
filter: (&(objectClass=posixGroup)(memberUid=test@gmail.com)) - correct
filter: (&(objectClass=posixGroup)(?memberuida=test@gmail.com)) - wrong, I know "memberuida" as attribute not exist, but why arrtibute has "?name"
filter: (&(objectClass=groupOfUniqueNames)(memberUid=test@gmail.com)) - wrong objectClass BUT! attribute is ok: "memberUid"filter: (&(objectClass=groupOfUniqueNames)(?memberOf=test@gmail.com)) - wrong, attributes "?memberOf"
filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=%s=test@gmail.com)) - wrong "?unique...."Why if attributes != memberuid, they are changed to "?attribute" ?
This is probably why the groups are not showing up :/ -
@sysgone Please provide more info about your configuration and create a bugreport: https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html
-
@sysgone said in LDAP group membership:
Hi,
every time, when I try to change "Group member attribute" from memberUid to others I see wrong filter in my logs on LDAP server:example:
filter: (&(objectClass=posixGroup)(memberUid=test@gmail.com)) - correct
filter: (&(objectClass=posixGroup)(?memberuida=test@gmail.com)) - wrong, I know "memberuida" as attribute not exist, but why arrtibute has "?name"
filter: (&(objectClass=groupOfUniqueNames)(memberUid=test@gmail.com)) - wrong objectClass BUT! attribute is ok: "memberUid"filter: (&(objectClass=groupOfUniqueNames)(?memberOf=test@gmail.com)) - wrong, attributes "?memberOf"
filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=%s=test@gmail.com)) - wrong "?unique...."Why if attributes != memberuid, they are changed to "?attribute" ?
This is probably why the groups are not showing up :/Hi, I'm having the same problem, has anyone found a solution?
Today I have my openvpn and firewall in separate services on bsd, everything works perfectly, but it's an old machine, I need to update the services, I'm migrating to pfsense, and I can't manage the filter by groups.
I installed version 2.7.0 of pfsense, I found several videos and documents of people using the "extended query", but they were all Microsoft AD.I use Openldap, monitoring the ldap server, I saw that the extended query for the group goes together with the user filter, because of this all the rules fail authentication
I have tested user filters and it works well.
No group filter parameters work. -
-
@stephenw10 said in LDAP group membership:
This is exactly my problem, surprised to be on the list for a year.
Based on Jim Pingle's solution, I made several attempts, even using Apache Directory Studio, I came up with a solution,
Jim Pingle Solution
&(objectClass=posixGroup)(cn=VPNUsers)(memberUid=) --> doesn't work for me
&(objectClass=posixGroup)(cn=VPNUsers)(member=) --> works for meJim Pingle Result
(&(memberUid=jimp)(&(objectClass=posixGroup)(cn=VPNUsers)(memberUid=*)))My result
(&(member=uid=jimp,ou=people,dc=myserver,dc=example,dc=com)(&(objectClass=posixGroup)(cn=VPNUsers)(member=*)))Detail that I needed to change,
Group member Attribute = member
Didn't work with memberOf or memberUidMy version
OpenLDAP: slapd (May 23 2018 04:25:19) $
Debian OpenLDAP MaintainersThank you very much for your feedback
-
Nice result!
-
@fabriciogcbh said in LDAP group membership:
correcting a flaw in the post. it looks like the site removed characters. I couldn't edit, editing timed out.
Jim Pingle Solution
doesn't work for me&(objectClass=posixGroup)(cn=VPNUsers)(memberUid=*)works for me
&(objectClass=posixGroup)(cn=VPNUsers)(member=*)
