OpenLDAP VPN user authentication restricted to group



  • Hi.
    I'm trying to have VPN users authenticate against our local OpenLDAP server, and it almost works. I mean, I can authenticate users, but I cannot restrict it to a specific group.
    Current settings:

    BaseDN: dc=domain,dc=it
    Authentication containers: ou=Users,dc=domain,dc=it
    User naming attribute: uid
    Group naming attribute: cn
    Group member attribute: memberUid

    And this is working. As I wish to restrict only vpn group members to login via VPN, I added the Extended Query:

    cn=vpn,ou=Groups,dc=domain,dc=it

    and this way auth doesn't work anymore.
    Why isn't it working? Thanks.



  • Did you ever have any success with this?

    I am trying to set up the same thing with pfSense 2.0.2.  I have my LDAP authentication working, and I can associate groups with users properly, but even with no privileges granted to the vpn group I still am able to create a VPN connection as any valid user.



  • Sadly not. Had no time to debug the issue since then; it's not a priority actually.



  • I will assume this is a similar problem I had with MS AD.

    For "Extended Query" you have to include the group member attribute.

    For example for MS it's memberOf

    So for my Extended Query I have:

    memberOf= and the rest of the string as in the example. Seems silly as the example doesn't show it but I just set this up myself and went through it lol.

    For you try:

    memberUid=cn=vpn,ou=Groups,dc=domain,dc=it



  • Hi.
    Thanks for your feedback, I tried your solution but it didn't work in my environment.
    Anyway, your query is pretty unusual; also the examples in the advanced query say:

    Example: CN=Groupname,OU=MyGroups,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com

    So my cn=vpn,ou=Groups,dc=domain,dc=it should work. I cannot understand why.



  • @maxxer:

    Hi.
    Thanks for your feedback, I tried your solution but it didn't work in my environment.
    Anyway, your query is pretty unusual; also the examples in the advanced query say:

    Example: CN=Groupname,OU=MyGroups,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com

    So my cn=vpn,ou=Groups,dc=domain,dc=it should work. I cannot understand why.

    I would have thought the same but even found this post:

    http://forum.pfsense.org/index.php?topic=48961.0

    That user had to do the same thing, add memberOf:

    They did list a tool and how they tested and found it, you can try the same. I know mine worked right after I added the attribute in front. Of course keep in mind your attribute will be different as mine was A/D so as long as yours are all set right I don't know why it wouldn't work.



  • Thanks. Seems I have problems in my LDAP server, the search query returns nothing…
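As an added illustration (not code from this thread or from pfSense) of why the two Extended Query forms discussed above return nothing against a posixGroup directory, and where the memberUid check has to run instead: the script below assumes the extended query is wrapped in parentheses and ANDed with the user-naming-attribute match, as in `(&(uid=<user>)(<extended query>))`, and evaluates the resulting filter against a small constructed in-memory directory using the thread's DNs and attributes.

```python
"""Show how an LDAP extended query narrows a user lookup (added example).

Assumption, not taken from pfSense source: the extended query is ANDed with
the username match, giving (&(uid=<user>)(<extended query>)).
The directory entries below are constructed samples, not real data.
"""
import re

# Constructed sample directory: two posixAccount users and one posixGroup
# whose memberUid values are plain uids, not DNs.
DIRECTORY = {
    "uid=alice,ou=Users,dc=domain,dc=it": {"uid": ["alice"], "cn": ["Alice"]},
    "uid=bob,ou=Users,dc=domain,dc=it": {"uid": ["bob"], "cn": ["Bob"]},
    "cn=vpn,ou=Groups,dc=domain,dc=it": {"cn": ["vpn"], "memberUid": ["alice"]},
}

# Matches one "(attribute=value)" equality clause; values may contain "=" and ",".
CLAUSE = re.compile(r"\(([^=()]+)=([^()]*)\)")


def build_filter(name_attr, username, extended_query=""):
    """Combine the username match with the extended query (assumed AND form)."""
    base = f"({name_attr}={username})"
    if not extended_query:
        return base
    return f"(&{base}({extended_query}))"


def matches(entry, ldap_filter):
    """Evaluate a filter consisting of equality clauses ANDed together."""
    clauses = CLAUSE.findall(ldap_filter)
    return all(value in entry.get(attr, []) for attr, value in clauses)


def search(base_dn, ldap_filter):
    """Return DNs under base_dn whose attributes satisfy ldap_filter."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and matches(attrs, ldap_filter)]


def vpn_allowed(username):
    """Group check run on the group entry itself: (&(cn=vpn)(memberUid=<user>)).

    With posixGroup the membership lives on the group, not on the user, so a
    filter applied to the user entry cannot see it; this lookup can.
    """
    group_filter = build_filter("cn", "vpn", f"memberUid={username}")
    return bool(search("ou=Groups,dc=domain,dc=it", group_filter))
```

With the bare DN as extended query the user entry would need a `cn` literally equal to `vpn,ou=Groups,dc=domain,dc=it`, and with `memberUid=cn=vpn,...` it would need a `memberUid` attribute it does not carry, so both searches come back empty exactly as the last post reports.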

