Netgate Discussion Forum

OpenLDAP VPN user authentication restricted to group

General pfSense Questions
7 Posts 3 Posters 3.8k Views
    maxxer
    last edited by Feb 27, 2013, 8:42 AM

    Hi.
    I'm trying to have VPN users authenticate against our local OpenLDAP server, and it almost works. I mean, I can authenticate users, but I cannot restrict it to a specific group.
    Current settings:

    BaseDN: dc=domain,dc=it
    Authentication containers: ou=Users,dc=domain,dc=it
    User naming attribute: uid
    Group naming attribute: cn
    Group member attribute: memberUid

    And this is working. As I wish to restrict only vpn group members to login via VPN, I added the Extended Query:

    cn=vpn,ou=Groups,dc=domain,dc=it

    and this way auth doesn't work anymore.
    Why isn't it working? thanks

      awm3
      last edited by Apr 2, 2013, 12:03 AM

      Did you ever have any success with this?

      I am trying to set up the same thing with pfSense 2.0.2.  I have my LDAP authentication working, and I can associate groups with users properly, but even with no privileges granted to the vpn group I still am able to create a VPN connection as any valid user.

        maxxer
        last edited by Apr 2, 2013, 6:21 AM

        sadly not. Had no time to debug the issue since then, it's not a priority actually.

          cybercare
          last edited by Apr 16, 2013, 10:20 PM

          I will assume this is a similar problem I had with MS AD.

          For "Extended Query" you have to include the group member attribute.

          For example for MS it's memberOf

          So for my Extended Query I have:

          memberOf= and the rest of the string as in the example. Seems silly as the example doesn't show it but I just set this up myself and went through it lol.

          For you try:

          memberUid=cn=vpn,ou=Groups,dc=domain,dc=it

            maxxer
            last edited by Apr 17, 2013, 7:57 AM

            hi.
            thanks for your feedback, I tried your solution but it didn't work in my environment.
            anyway your query is pretty unusual, also the examples in the advanced query say:

            Example: CN=Groupname,OU=MyGroups,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com

            so my cn=vpn,ou=Groups,dc=domain,dc=it should work. cannot understand why.

              cybercare
              last edited by Apr 18, 2013, 4:15 PM

              @maxxer:

              hi.
              thanks for your feedback, I tried your solution but it didn't work in my environment.
              anyway your query is pretty unusual, also the examples in the advanced query say:

              Example: CN=Groupname,OU=MyGroups,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com

              so my cn=vpn,ou=Groups,dc=domain,dc=it should work. cannot understand why.

              I would have thought the same but even found this post:

              http://forum.pfsense.org/index.php?topic=48961.0

              That user had to do the same thing, add memberOf:

              They did list a tool and how they tested and found it, you can try the same. I know mine worked right after I added the attribute in front. Of course keep in mind your attribute will be different as mine was A/D so as long as yours are all set right I don't know why it wouldn't work.

                maxxer
                last edited by Apr 19, 2013, 6:39 AM

                thanks. Seems I have problems in my LDAP server, the search query returns nothing…

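The following is an added example, not pfSense's code and not something any poster in this thread wrote. It models in Python the user search pfSense runs at login so that cybercare's advice (prefix the Extended Query with the member attribute, e.g. `memberOf=cn=vpn,...`) and maxxer's final observation (the search returns nothing) can be seen side by side. Two assumptions are made: that pfSense composes the filter as `(&(<user naming attribute>=<login>)(<extended query>))`, and that user entries carry a `memberOf` attribute (Active Directory maintains it natively; OpenLDAP needs the memberof overlay). The directory entries, the names alice/bob/carol and the helper names are all constructed for the example. The `escape_filter_value` step is included because the login name is user input that ends up inside the filter and must not be able to change its structure.

```python
"""Model of the LDAP user search a pfSense LDAP authentication server
performs at VPN login, written to show why an "Extended Query" has to be an
attribute=value filter term such as memberOf=cn=vpn,... and why a bare group
DN returns nothing.  Added example, not pfSense's code.  Assumption: pfSense
wraps the user lookup and the extended query as
(&(<user naming attribute>=<login>)(<extended query>))."""
import re

# Constructed stand-in for ou=Users,dc=domain,dc=it.  Each entry maps
# attribute names to value lists.  memberOf on the user entry is what AD
# maintains natively and what OpenLDAP provides via the memberof overlay
# (an assumption about the deployment, not something the thread states).
DIRECTORY = [
    {"dn": "uid=alice,ou=Users,dc=domain,dc=it", "uid": ["alice"], "cn": ["Alice"],
     "memberOf": ["cn=vpn,ou=Groups,dc=domain,dc=it"]},
    {"dn": "uid=bob,ou=Users,dc=domain,dc=it", "uid": ["bob"], "cn": ["Bob"],
     "memberOf": ["cn=staff,ou=Groups,dc=domain,dc=it"]},
    {"dn": "uid=carol,ou=Users,dc=domain,dc=it", "uid": ["carol"], "cn": ["Carol"]},
]

VPN_QUERY = "memberOf=cn=vpn,ou=Groups,dc=domain,dc=it"   # cybercare's form
BARE_DN = "cn=vpn,ou=Groups,dc=domain,dc=it"              # the original form


def escape_filter_value(value):
    """RFC 4515 escaping: a login name must never change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(name_attr, username, extended_query=None):
    """Compose the search filter the way the backend is assumed to do it."""
    user_term = "(%s=%s)" % (name_attr, escape_filter_value(username))
    if not extended_query:
        return user_term
    return "(&%s(%s))" % (user_term, extended_query)


def parse_filter(text):
    """Minimal RFC 4515 parser: (&...), (|...), (!...) and (attr=value)."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if i >= len(text):
            raise ValueError("unterminated filter")
        if text[i] in "&|":
            op, i, kids = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, kids), i + 1
        if text[i] == "!":
            node, i = parse(i + 1)
            if i >= len(text) or text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return ("!", [node]), i + 1
        end = text.find(")", i)   # a literal ')' in a value would be escaped as \29
        if end < 0:
            raise ValueError("unterminated item")
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise ValueError("item is not attr=value: %r" % text[i:end])
        return ("=", attr, unescape_filter_value(value)), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node


def match(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "&":
        return all(match(entry, k) for k in node[1])
    if node[0] == "|":
        return any(match(entry, k) for k in node[1])
    if node[0] == "!":
        return not match(entry, node[1][0])
    _, attr, value = node
    for key, vals in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in vals)
    return False


def search(filter_text, directory=DIRECTORY):
    """Return the DNs matching a filter, like a subtree search of the container."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if match(e, node)]


def vpn_login_allowed(username, extended_query=None, name_attr="uid"):
    """Login proceeds only if the search finds exactly one user entry."""
    return len(search(build_filter(name_attr, username, extended_query))) == 1


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "with", VPN_QUERY, "->", vpn_login_allowed(user, VPN_QUERY))
        print(user, "with", BARE_DN, "->", vpn_login_allowed(user, BARE_DN))
    # The bare DN is parsed as (cn=vpn,ou=Groups,...): a search for a user
    # whose cn is literally "vpn,ou=Groups,dc=domain,dc=it", which nobody has.
    print(parse_filter(build_filter("uid", "alice", BARE_DN)))
```

Run it and only alice, the one constructed user whose entry lists `cn=vpn,...` in `memberOf`, passes with cybercare's query; nobody passes with the bare DN, because `(cn=vpn,ou=Groups,dc=domain,dc=it)` is syntactically an equality on the `cn` attribute, not a reference to the group entry, which is the same empty result maxxer reports. The check to make against a real server is the equivalent `ldapsearch` under the Users container with the composed filter: if it returns nothing for a known group member, the user entries are not carrying the member attribute the query names.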
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.