Netgate Discussion Forum
LDAP authentication support

30 Posts 7 Posters 25.9k Views

Juve (Dec 26, 2005, 9:42 PM):

Hello all,

Are you planning to implement LDAP authentication for both VPN (PPTP) and Captive Portal? It would be great… really.
I am interested in implementing this. What software is used to create the captive portal? Can we modify it to allow LDAP authentication?

Thanks a lot.

sullrich (Dec 26, 2005, 9:54 PM):

We have no immediate plans, however if you want to take on this project that would be excellent.

The captive portal is basically custom PHP code + firewall rules.

Scott

Guest (Dec 26, 2005, 11:45 PM):

This is actually a harder project than one might originally suspect after looking at it. Since there isn't any universal LDAP schema, you'd have to come up with a couple of templates for handling some of the most common LDAP-based products (Active Directory, eDirectory, Red Hat DS, et al.). You would also have to have some mechanism for forcing the client machine to send authentication credentials with the connection requests. The way this is done with squid+ntlm_auth is to put proxy settings into the browser, which will then send auth credentials with each outbound HTTP connection. The only way I've ever seen something like this work universally is to put a small software client on the client machine that appends auth credentials to each new outbound connection. This solution works with varying rates of success.

It would be undeniably cool, but a hell of a lot of work.

Juve (Dec 27, 2005, 11:22 AM):

Hum, I was thinking of something much easier, like this (to work against an OpenLDAP server or FDS):

Since the captive portal looks into a local user database for authentication, why not add PAM support?

Currently, pfSense does not have PAM support, but if it had it, we could use the pam_ldap module. We would then have to add a PHP module to handle the configuration for this.

But, even easier, there are a lot of PHP scripts that perform LDAP authentication without using any system module; it would be OK for the captive portal (PPTP VPN is another matter…)

like this one:

$ldapconfig['host'] = 'localhost';
$ldapconfig['port'] = 389;
$ldapconfig['basedn'] = 'dc=localhost,dc=com';
$ldapconfig['authrealm'] = 'My Realm';

function ldap_authenticate() {
    global $ldapconfig;
    // Credentials from HTTP Basic auth (instead of the old register_globals
    // variables $PHP_AUTH_USER / $PHP_AUTH_PW)
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pw   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

    // An empty password must never reach ldap_bind(): most servers treat a
    // DN with no password as an anonymous bind and report success.
    if ($user !== '' && $pw !== '') {
        $ds = @ldap_connect($ldapconfig['host'], $ldapconfig['port']);
        if ($ds) {
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            // Escape the username so it cannot alter the search filter
            // (otherwise "*" or "x)(uid=*" would be LDAP injection)
            $filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
            $r = @ldap_search($ds, $ldapconfig['basedn'], $filter, array('dn'));
            if ($r) {
                $result = @ldap_get_entries($ds, $r);
                // Exactly one match, so we bind as the right account
                if ($result !== false && $result['count'] === 1) {
                    // Binding as the found DN succeeds only with the right password
                    if (@ldap_bind($ds, $result[0]['dn'], $pw)) {
                        return $result[0];
                    }
                }
            }
        }
    }
    header('WWW-Authenticate: Basic realm="' . $ldapconfig['authrealm'] . '"');
    header('HTTP/1.0 401 Unauthorized');
    return NULL;
}

But PHP needs to be compiled with LDAP support.

What do you think about adding PHP LDAP authentication, Scott? Do you think it is doable, or is it a lot of work?

Thanks a lot, I will try PHP scripts on my own to see if it is doable in an easy way.

Juve (Dec 27, 2005, 1:34 PM):

This source is pretty good:

http://www.scit.wlv.ac.uk/~jphb/sst/php/extra/ldap.html

And, if we trust the author, it is compatible with Active Directory….

sullrich (Dec 27, 2005, 7:08 PM):

I think it's a great idea if you want to invest some time to see how well it works. Maybe even mock up a working prototype that can be enhanced/refined.

Juve (Dec 28, 2005, 8:35 AM):

I will try to get the code working first. Then I will make a list of the data fields that need to be configured.

I hope it will work; it would be great to have a captive portal with LDAP authentication.

Juve (Dec 28, 2005, 11:12 AM):

I'm done with it ;D

So I wrote a function that handles the LDAP authentication (errors and all that stuff).
The LDAP authentication needs 7 parameters to handle anonymous and/or authenticated searches.

I've tested it with an OpenLDAP server and also an FDS server. I'm installing a 2K3 system to test it ;-)

I could not test it on my pfSense test box since it has PHP 4.4 without LDAP support :-(

I'll try to get in touch with you, Scott, on IRC or by PM on this forum.

hoba (Dec 28, 2005, 2:59 PM):

Great news and good job! ;D

sullrich (Dec 28, 2005, 7:21 PM):

Get in touch with me on freenode, handle is GeekGod.

Good work!

Juve (Dec 29, 2005, 9:59 AM):

Ok ;-)

So after many tests, LDAP authentication works with:

• OpenLDAP
• Fedora Directory Server (FDS = SunONE)
• Active Directory (W2K3)
sullrich (Dec 29, 2005, 8:14 PM):

Next step is to integrate auth for the web interface, then move on to captive portal, PPPoE and such. It actually should be pretty easy to do these portions.

Juve (Dec 30, 2005, 12:55 PM):

Yes, and also to have PHP compiled with LDAP support in the next pfSense release ;-)

sullrich (Dec 30, 2005, 5:59 PM):

No problem.

Juve (Dec 30, 2005, 9:46 PM):

I saw on the CVS track timeline that compilation wasn't OK. What's up? What is the problem? Can we repair it?

sullrich (Dec 30, 2005, 9:53 PM):

Cannot compile LDAP in as static.

Will address after the 1.0 release.

Juve (Dec 30, 2005, 10:01 PM):

Ok, contact me as soon as it is available ;-)

Juve (Jan 2, 2006, 11:37 AM; edited 11:39 AM):

Hi ;-)

I have made a new version of the LDAP authentication function that allows the admin to specify a list of groups (memberOf in LDAP) that the authorized users should be in.
In fact I wrote it because of Active Directory; it is easier for the admin to create a group and put authorized users into it than to create a whole new OU.

So now the admin of the Active Directory can tell the function that only the "managers" and "business people" groups (of the OU of their dreams) can authenticate through the captive portal.

Tell me if you are interested, Scott ;-)

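The group-restricted, multi-directory authentication Juve describes in the post above, combined with the per-product "templates" the Guest post asked for and the search-then-bind flow of the earlier PHP snippet, as an added example. This is not pfSense code and not Juve's function: the configuration keys, the template table, the example host and DNs, and the function names are assumptions made here. It needs PHP 5.6 or later (for ldap_escape) with the ldap extension, and a reachable directory to actually authenticate against.

```php
<?php
// Added example, not pfSense code. Which attribute holds the login name and
// which attribute lists group membership differs per product, hence a template
// table (assumed values; FDS here means 389/Fedora Directory Server).
$ldap_templates = array(
    'openldap' => array('user_attr' => 'uid',            'group_attr' => 'memberOf'),
    'fds'      => array('user_attr' => 'uid',            'group_attr' => 'memberOf'),
    'ad'       => array('user_attr' => 'sAMAccountName', 'group_attr' => 'memberOf'),
);

// Hypothetical configuration block; host, base DN and group DN are placeholders.
$cfg = array(
    'uri'            => 'ldaps://ldap.example.org',       // ldaps:// so the user password is not sent in clear
    'basedn'         => 'dc=example,dc=org',
    'template'       => 'openldap',
    'bind_dn'        => '',                                 // '' => anonymous search; AD normally needs a service account
    'bind_pw'        => '',
    'allowed_groups' => array('cn=managers,ou=groups,dc=example,dc=org'),  // empty array => any valid user
);

function authenticate_ldap_user($cfg, $templates, $username, $password) {
    // An empty password must never reach ldap_bind(): a DN with no password is
    // an anonymous bind on most servers and "succeeds" for any existing account.
    if ($username === '' || $password === '') {
        return false;
    }
    $tpl = $templates[$cfg['template']];

    $ds = ldap_connect($cfg['uri']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals that make searches hang or fail

    // Step 1: bind for the search, anonymously or as a low-privilege service account.
    $ok = ($cfg['bind_dn'] !== '') ? @ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw']) : @ldap_bind($ds);
    if (!$ok) {
        ldap_unbind($ds);
        return false;
    }

    // Escape the login name so '*', '(', ')' or '\' cannot change the filter:
    // unescaped, a username of "*)(uid=*" would match every entry.
    $filter = sprintf('(%s=%s)', $tpl['user_attr'], ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr = @ldap_search($ds, $cfg['basedn'], $filter, array('dn', $tpl['group_attr']));
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    // Require exactly one match; otherwise we might bind as the wrong account.
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return false;
    }
    $entry = $entries[0];

    // Step 2: bind as the user's own DN. Only the correct password succeeds.
    if (!@ldap_bind($ds, $entry['dn'], $password)) {
        ldap_unbind($ds);
        return false;
    }
    ldap_unbind($ds);

    // Step 3: authorisation. ldap_get_entries() lower-cases attribute names.
    return is_member_of_allowed_group($entry, strtolower($tpl['group_attr']), $cfg['allowed_groups']);
}

// Pure function (no directory access) so the group logic can be unit tested.
function is_member_of_allowed_group($entry, $group_attr, $allowed_groups) {
    if (count($allowed_groups) === 0) {
        return true;                      // no restriction configured
    }
    if (!isset($entry[$group_attr])) {
        return false;                     // user is in no group at all
    }
    $allowed = array_map('strtolower', $allowed_groups);
    for ($i = 0; $i < $entry[$group_attr]['count']; $i++) {
        if (in_array(strtolower($entry[$group_attr][$i]), $allowed, true)) {
            return true;
        }
    }
    return false;
}

// Usage (hypothetical credentials):
// var_dump(authenticate_ldap_user($cfg, $ldap_templates, 'jdoe', 'secret'));
```

Two caveats a practitioner should keep in mind. The group check is a case-insensitive string comparison of DNs, which is fine for Active Directory and for OpenLDAP's memberof overlay but is not full DN normalisation; and on Active Directory the user's primary group is not listed in memberOf, and anonymous searches are normally refused, so bind_dn has to be a service account with read access to the users' container.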
aldo (Jan 2, 2006, 1:43 PM):

It sounds great. Do we think it will be compatible with OpenLDAP?

hoba (Jan 2, 2006, 1:53 PM):

@Juve:

    Ok ;-)

    So after many tests, LDAP authentication works with:

    • OpenLDAP
    • Fedora Directory Server (FDS = SunONE)
    • Active Directory (W2K3)

I guess you have missed that message ::)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.