PfSense 2.1 - LDAP group membership



  • Hi,

    Can someone explain if the "Extended Query" option is to verify group membership?

    If yes, how can I use it?

    I've defined like this:

    Authentication containers: ou=MYOU,dc=xpto,dc=pt;ou=PARTNERS,dc=xpto,dc=pt
    Extended Query: CN=openvpn,CN=Users,DC=xpto,DC=pt

    But it fails the authentication.

    Doing a TCP capture, the searchRequest goes like this:

    Filter: (&(samaccountname=myuser)(CN=openvpn,CN=Users,DC=xpto,DC=pt))

    Which is wrong.



  • I think a correct filter is:

    (&(samaccountname=myuser)(memberOf=CN=openvpn,CN=Users,DC=xpto,DC=pt))

    or, if you use Active Directory and want a recursive search:

    (&(samaccountname=myuser)(memberOf:1.2.840.113556.1.4.1941:=CN=openvpn,CN=Users,DC=xpto,DC=pt))



  • @traxanos:

    I think a correct filter is:

    (&(samaccountname=myuser)(memberOf=CN=openvpn,CN=Users,DC=xpto,DC=pt))

    or, if you use Active Directory and want a recursive search:

    (&(samaccountname=myuser)(memberOf:1.2.840.113556.1.4.1941:=CN=openvpn,CN=Users,DC=xpto,DC=pt))

    Ok, configuring Extended Query with memberOf=CN=openvpn,CN=Users,DC=xpto,DC=pt works.

    Thanks.
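The filter composition seen in the capture above, as an added example (not pfSense's own code): it assumes pfSense ANDs the `samaccountname` lookup with the Extended Query text verbatim, rejects a bare group DN (the mistake in the opening post) before it ends up inside the filter, builds the working `memberOf` form (plain or AD recursive) from a group DN, and escapes the username per RFC 4515 so a crafted login name cannot change the filter structure.

```python
"""Compose and sanity-check the LDAP search filter pfSense sends for an
Extended Query (constructed example, not pfSense's implementation)."""
import re

# pfSense (per the capture in the thread) sends:
#   (&(samaccountname=<user>)(<Extended Query>))
USER_ATTR = "samaccountname"
# Active Directory matching rule for transitive (recursive) group membership
AD_RECURSIVE_MATCH = ":1.2.840.113556.1.4.1941:"

# RFC 4515 escapes for values placed inside a search filter
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# One RDN of a DN: attribute=value with no nested '=' or ',' in the value
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=,]+$")


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot inject extra filter components."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def looks_like_dn(text: str) -> bool:
    """True for a bare DN such as CN=openvpn,CN=Users,DC=xpto,DC=pt.
    A proper item like memberOf=CN=openvpn,... has '=' inside the first
    value, so it is not classed as a DN."""
    parts = [p.strip() for p in text.split(",")]
    return len(parts) > 1 and all(_RDN_RE.match(p) for p in parts)


def group_filter(group_dn: str, recursive: bool = False) -> str:
    """Extended Query that tests membership of group_dn (assumed helper)."""
    rule = AD_RECURSIVE_MATCH if recursive else ""
    return f"memberOf{rule}={escape_filter_value(group_dn)}"


def build_filter(username: str, extended_query: str) -> str:
    """Return the filter pfSense would send, or raise if the Extended
    Query is a bare DN (the misconfiguration from the thread)."""
    q = extended_query.strip()
    if q.startswith("(") and q.endswith(")"):
        q = q[1:-1]
    if looks_like_dn(q):
        raise ValueError("Extended Query is a bare DN; use an attribute "
                         "test such as memberOf=<group DN>")
    return f"(&({USER_ATTR}={escape_filter_value(username)})({q}))"
```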



  • mvrk,

    Wondering what snapshot you are using. I haven't been able to get LDAP authentication working ever since I started testing. Regardless of what userid I try to log in with, the search request that is sent to the domain controller (seen with Wireshark on the DC) is always "(samaccountname=admin)".

    This is true for both trying to actually log in to the web configurator as well as trying to test authentication from the Diagnostics menu.

    I am on 2.1-RC1 (amd64) Aug 1 19:39:18 EDT 2013.

    Thanks,

    Shahid



  • Doh!! My bad. It is working just fine. My Extended Query syntax was incorrect.

