[SOLVED] [Potential Bug] LDAP/RADIUS Authentication



  • Hey guys,

    I've been playing with OpenLDAP and AD (coupled with FreeRADIUS, and NAP on the AD DS side) and have noticed a couple peculiar things as follows…

    OpenLDAP:
    Having created a couple groups and a few users, I set up LDAP authentication from the Users section. Authentication worked fine, but no groups would ever be returned. When an actual test was run from the login page (versus Diagnostics->Authentication), the message of no pages assigned would be returned.

    FreeRADIUS:
    Hoping that using a RADIUS box would solve the issue, I set it up. Sadly, I wound up with the same results. Successful login, no groups assigned.

    Notes:
    Jason McNeil wrote up a post about pfSense doing weird things with LDAP. The only way he was able to get LDAP authentication to work was by adding in extraneous OU entries for individual users. Doing things this way is a hack around method that now no longer conforms to the RFC. You can find his post here The group name was added to pfSense with proper permissions assigned, though that never mattered as the LDAP user never had groups returned.

    AD DS:
    I'm using Windows Server 2012. I've got a couple test users and groups set up that can authenticate to the domain, each one belonging to a handful of groups. Each can log in and have personalized settings, yadda yadda.

    SAP:
    NAP (Network Policy and Access Services) [the snap-in that does RADIUS] is configured and working properly. I can authenticate against it from the WebUI as well as locally. The same issue arises how ever - the user authenticates, but never gets any groups returned. Same result as when testing with OpenLDAP and FreeRADIUS

    Conclusion:
    I believe this is a bug with pfSense in the way that it queries for user information to both RADIUS and LDAP, especially given the support from Jason and his work around using extraneous OU's. I would love some confirmation on this, or just thoughts in general. CentralAuth is something that I would really love to see as a feature of pfSense so that I can bring it into my working environment.

    If I can help in any way further, please don't hesitate to message me on the forums.

    Cheers,
    Geudrik


  • Rebel Alliance Developer Netgate

    The problem is that there just isn't code for the pfSense GUI to pull groups from RADIUS or LDAP currently.

    You have to make the groups on pfSense in the user manager and make dummy users and add them to the groups, and then it will recognize that the users are part of groups that pfSense can interpret.

    I believe there is already an open ticket for that somewhere. It won't get fixed for 2.1, but maybe 2.2.



  • Cheers, Jimp! Thank's for the info!


Log in to reply