So I'm trying to set up LDAP authentication. Just LDAP, nothing with Radius. The actual authentication seems to work fine, but it isn't picking up users' groups.
I am just about the furthest one could be from an LDAP expert as it's been about a decade since I did anything serious in LDAP. Still this should be fairly simple. At the moment I'm reading through the pfSense PHP code trying to figure out how the groups are specified in LDAP, but surely they are done so in a standard way. I'm just not sure of the lingo I'm looking for.
All I'm trying to understand is how the LDAP should look for pfSense to use it for authentication.
I guess what I'm asking is which schemas have a member attribute for the person objectClass that fits what pfSense is expecting?
From the PHP code, it looks like pfSense is expecting member (or whatever you set it to be) to contain a list of DNs. It iterates through the list and throws away everything except the CN. For the life of me, I can't find an attribute that is a list of DNs.
I know I am not going to be much help at all but am sure I've read in earlier postings for some thing similar if not the same.
From what I remember pfSense cannot natively do this but some people have manually added a Samba package which then allows LDAP authentication.
Am guessing you want, for example, an AD security group for FTP access and another for HTTP access? Something I would also like to see but sadly very, very well out of my league to manually set up.
Again, apologies not much help but maybe searching for samba might throw something up?
Hey, thanks for trying, FlashPan. We're all in this together.
So we're not using AD (yet). At the moment, it's just a separate box (a VM actually) running OpenLDAP. Since we now have about a dozen services that can use LDAP to authenticate, we're trying to go that route. pfSense is just one of these services.
The good news is that we figured out how to get this working with pfSense…kind of. By adding a 'manager' attribute to Person objects, setting a manager to point to a DN that starts with cn=SOMEGROUP, making sure that there is a pfSense group named SOMEGROUP, and finally setting pfSense's group member attribute to 'manager', it works.
The only issue we have is that using the manager attribute to store group membership is disgusting. I'm hoping that we learn something while setting up an AD service (through Samba4).
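The membership lookup described in this thread (read the configured attribute from the user's entry, keep only the CN of each DN, match against pfSense group names), reproduced here as an added example that is not pfSense's own code. The sample entry, the 'manager' workaround values and the pfSense group names are constructed; the DN handling also covers escaped commas and case-insensitive attribute names, which the thread does not discuss.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: an OpenLDAP Person using the thread's workaround, i.e. group
# membership stored as group DNs in the 'manager' attribute.
SAMPLE_USER_ENTRY: Dict[str, List[str]] = {
    "dn": ["uid=jdoe,ou=people,dc=example,dc=com"],
    "objectClass": ["inetOrgPerson"],
    "uid": ["jdoe"],
    "manager": [
        "cn=admins,ou=groups,dc=example,dc=com",
        "CN=Net Ops\\, Tier 2,ou=groups,dc=example,dc=com",  # escaped comma in the RDN
        "ou=notagroup,dc=example,dc=com",                    # no cn RDN: ignored
    ],
}

# Constructed pfSense local groups; LDAP group CNs must match one of these names.
PFSENSE_GROUPS = {"admins", "Net Ops, Tier 2", "vpnusers"}

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def cn_from_dn(dn: str) -> Optional[str]:
    """Return the value of the first 'cn' RDN in a DN, or None if the DN has none.
    'cn=a\\, b,ou=x' yields 'a, b' (the escaped comma is restored)."""
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip().replace("\\,", ",")
    return None


def resolve_groups(entry: Dict[str, List[str]], group_attr: str,
                   pfsense_groups: Iterable[str]) -> List[str]:
    """Mimic the lookup the thread describes: read the configured group attribute
    (e.g. 'manager' for the workaround) from the user's entry, reduce each DN value
    to its CN, and return the CNs that name an existing pfSense group, sorted."""
    wanted = group_attr.lower()  # LDAP attribute types are case-insensitive
    values = next((v for k, v in entry.items() if k.lower() == wanted), [])
    known = set(pfsense_groups)
    cns = (cn_from_dn(dn) for dn in values)
    return sorted({cn for cn in cns if cn is not None and cn in known})


if __name__ == "__main__":
    print(resolve_groups(SAMPLE_USER_ENTRY, "manager", PFSENSE_GROUPS))
```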