OpenLDAP VPN user authentication restricted to group

maxxer · Feb 27, 2013, 8:42 AM

Hi.
I'm tring to have VPN users authenticate against our local OpenLDAP server, and it almost works. I mean, I can authenticate users, but I cannot restrict it to a specific group
Current settings:

BaseDN: dc=domain,dc=it
Authentication containers: ou=Users,dc=domain,dc=it
User naming attribute: uid
Group naming attribute: cn
Group member attribute: memberUid

And this is working. As I wish to restrict only vpn group members to login via VPN, I added the Extended Query:

cn=vpn,ou=Groups,dc=domain,dc=it

and this way auth doesn't work anymore.
Why isn't it working? thanks

awm3 · Apr 2, 2013, 12:03 AM

Did you ever have any success with this?

I am trying to set up the same thing with pfSense 2.0.2. I have my LDAP authentication working, and I can associate groups with users properly, but even with no privileges granted to the vpn group I still am able to create a VPN connection as any valid user.

maxxer · Apr 2, 2013, 6:21 AM

sadly not. Had no time to debug the issue since then, it's not a priority actually.

cybercare · Apr 16, 2013, 10:20 PM

I will assume this is a similar problem I had with MS AD.

For "Extended Query" you have to include the group member attribute.

For example for MS it's memberOf

So for my Extended Query I have:

memberOf= and the rest of the string as in the example. Seems silly as the example doesn't show it but I just set this up myself and went through it lol.

For you try:

memberUid=cn=vpn,ou=Groups,dc=domain,dc=it

maxxer · Apr 17, 2013, 7:57 AM

hi.
thanks for you feedback, I tried your solution but didn't work in my environment.
anyway your query is pretty unusual, also the examples in the advanced query say:

Example: CN=Groupname,OU=MyGroups,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com

so my cn=vpn,ou=Groups,dc=domain,dc=it should work. cannot understand why.

cybercare · Apr 18, 2013, 4:15 PM

@maxxer:

hi.
thanks for you feedback, I tried your solution but didn't work in my environment.
anyway your query is pretty unusual, also the examples in the advanced query say:

Example: CN=Groupname,OU=MyGroups,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com

so my cn=vpn,ou=Groups,dc=domain,dc=it should work. cannot understand why.

I would have thought the same but even found this post:

http://forum.pfsense.org/index.php?topic=48961.0

That user had to do the same thing, add memberOf:

They did list a tool and how they tested and found it, you can try the same. I know mine worked right after I added the attribute in front. Of course keep in mind your attribute will be different as mine was A/D so as long as yours are all set right I don't know why it wouldn't work.

maxxer · Apr 19, 2013, 6:39 AM

thanks. Seems I have problems in my LDAP server, the search query returns nothing…