LDAP authentication support

Juve

Hello all,

Are you planing to implement LDAP authentication for both VPN(PPTP) and Captive Portal. It would be great…really
I am interested about implementing this, what is the software used to create the captive portal ? can we modify it to allow LDAP authentication ?

Thanks a lot.

sullrich

We have no immediate plans however if you want to take on this project that would be excellent.

The captive portal is basically custom php code + firewall rules.

Scott

Guest

This is actually a harder project than one might originally suspect after looking at it.  Since there aren't any universal LDAP schema you'd have to come up with a couple of templates for handling some of the most common LDAP-based products (Active Directory, eDirectory, Red Hat DS, et al.)  You would also have to have some mechanism for forcing the client machine to send authentication credentials with the connection requests.  The way that this is done with squid+ntlm_auth is to put proxy settings into the browser, which will then send auth credentials with each outbound http connection.  The only way I've ever seen something like this work universally would be to put a small software client on the client machine that would append auth credentials to each new outbound connection.  This solution works with varying rates of success.

It would be undeniably cool, but a hell of a lot of work.

Juve

Hum I was thinking of something much easier like this (to work against an OpenLDAP server or FDS) :

Since the captive portal looks into a local user database  for authentication, why not adding a pam support ?

Currently, pfsense do not have pam support, but if it had it, we could use the pam_ldap module. We would then have to add a php module to handle the configuration for this.

But, more easier, there is a lot of php scripts that perform LDAP authentication without using any system module, it would be ok for the captive portal (pptp VPN is another stuff…)

like this one :

$ldapconfig['host'] = 'localhost';
$ldapconfig['port'] = NULL;
$ldapconfig['basedn'] = 'dc=localhost,dc=com';
$ldapconfig['authrealm'] = 'My Realm';

function ldap_authenticate() {
    global $ldapconfig;
    global $PHP_AUTH_USER;
    global $PHP_AUTH_PW;

if ($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
        $ds=@ldap_connect($ldapconfig['host'],$ldapconfig['port']);
        $r = @ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $PHP_AUTH_USER);
        if ($r) {
            $result = @ldap_get_entries( $ds, $r);
            if ($result[0]) {
                if (@ldap_bind( $ds, $result[0]['dn'], $PHP_AUTH_PW) ) {
                    return $result[0];
                }
            }
        }
    }
    header('WWW-Authenticate: Basic realm="'.$ldapconfig['authrealm'].'"');
    header('HTTP/1.0 401 Unauthorized');
    return NULL;
}

But php need to be compiled with LDAP support.

What do you think about adding a php LDAP authentication Scott ? Do you think it is doable or it's a lot of work ?

Thanks a lot, i will try php scripts on my own, to see if it is doable in an easy way.

Juve

This source is pretty good :

http://www.scit.wlv.ac.uk/~jphb/sst/php/extra/ldap.html

And, if we trust the author, it is compatible with Active Directory….

sullrich

I think its a great idea if you want to invest some time to see how well it works.  Maybe even mock up a working prototype that can be enhanced/refined.

Juve

I will try to get the code working in a first time. Then I will make a list of the data fields that need to be configured.

I hope it will work, it would be great to have a captive portal with LDAP authentication

Juve

I'm done with it  ;D

So I wrote a function that handle the LDAP authentication (errors and all that stuff).
The ldap authentication need 7 parameters to handle anonymous and/or authenticated searches.

I've tested it with an openldap server and also an FDS server. I'm installing a 2K3 system to test it ;-)

I could not test it  on my pfsens test box since it has php 4.4 without ldap support :-(

I'll try to get in touch with you Scott, on IRC or by pm on this forum.

hoba

Great news and good job!  ;D

sullrich

Get in touch with me on freenode, handle is GeekGod.

Good work!

Juve

Ok ;-)

So after many tests, LDAP authentication works with :

• openLDAP
• Fedora Directory Server (FDS=sunone)
• Active Directory (W2K3)

sullrich

Next step is to integrate Auth for the web interface, then move on to captive portal, pppoe and such.  It actually should be pretty easy to do these portions.

Juve

Yes, and also to have php compiled with the ldap support on the next pfsense release ;-)

sullrich

No problem.

Juve

I saw on the CVS track timeline that compilation wasn't ok. What's up ? what is the problem ? Can we repair it ?

sullrich

Cannot compile LDAP in as static.

Will address after the 1.0 release.

Juve

Ok, contact me as soon as it is available ;-)

Juve

Hi ;-)

I have made a new version of the LDAP authentication function that allow the admin to specify a list of groups (memberOf in LDAP) where the authorized users should be.
In fact I wrote it because of Active Directory, it is easier for the admin to create a group and put authorized users into than creating a whole new OU.

So now, the admin of the Active directory can tell the function that only the "managers" and "business people" groups (of the OU of their dreams) can authenticate through the captive portal.

Tell me if you are interested Scott ;-)

aldo

it sounds great do we think it will be compatable with openldap

hoba

@Juve:

Ok ;-)

So after many tests, LDAP authentication works with :

• openLDAP
• Fedora Directory Server (FDS=sunone)
• Active Directory (W2K3)

I guess you have missed that message  ::)

sullrich

@Juve:

Hi ;-)

I have made a new version of the LDAP authentication function that allow the admin to specify a list of groups (memberOf in LDAP) where the authorized users should be.
In fact I wrote it because of Active Directory, it is easier for the admin to create a group and put authorized users into than creating a whole new OU.

So now, the admin of the Active directory can tell the function that only the "managers" and "business people" groups (of the OU of their dreams) can authenticate through the captive portal.

Tell me if you are interested Scott ;-)

Sounds great.  When are you going to start integrating with pfSense? :)

Juve

I will start it as soon as possible. First of all, I need to see how pfsense saves settings, then I will do the mfc changes, then I will call on you to build a release with php+ldap :-D

Let's go to work :-D

Juve

That's done ;-)

I've modified the captive_portal page too, in order to use my function. Next step is LDAP support for Php ;-)

Pfsense roxxx !

hoba

Awesome! You rock too  ;D

Guest

All of you guys rock.  Even billm.

billm

@submicron:

All of you guys rock.  Even billm.

Nah, I don't rock, I stone.

–Bill

wjoyce

Curious to know what the time frame is on LDAP support and what will be supported.  May I humbly suggest a FAQ just on LDAP support?

sullrich

1.1.  Not for a LONNNNNG time.

wjoyce

What are the issues?  I would like to help out on this front if I am capable.

billm

@wjoyce:

What are the issues?  I would like to help out on this front if I am capable.

Well…1.0 isn't released yet.  Can't release 1.1 until that's out.  Then comes some amount of time for development of new features (this would be one of them - albeit developed already).  Then people test, eventually we get to beta, then release.

Three ways to help.  Write code, test and give good bug reports, donate something to help get the devs stuff they want/need for other pfsense work.

--Bill