OpenLDAP auth backend - how to get groups back?
-
I've got an OpenLDAP directory of the form:
server.localdomain
  dc=localdomain
    ou=Groups
      cn=AGroup
    ou=People
      uid=User
I can get the auth to work against the users by setting
Authentication containers : ou=People,dc=localdomain
User naming attribute : uid
However, it fails as soon as I try to get the group names returned, so the user is never reported as being a member of a group. Membership is stored in the 'uniquemember' attribute of the group, so I've set:
Extended query : ou=Groups,dc=localdomain
Group naming attribute : cn
Group member attribute : uniquemember
This doesn't work, possibly because the 'uniquemember' attribute holds 'uid=User,ou=People,dc=localdomain' (this is created automatically within the directory and can't be changed).
Is there anything I can do to get this working, perhaps with the 'Extended Query' value?
ADDED:
Forgot to mention, this is for 2.1.
-
Give this example a try:
https://doc.pfsense.org/index.php/LDAP_Troubleshooting#Extended_Query
-
Thanks, that looks the same as something that resulted in me making some changes based on the post at http://forum.pfsense.org/index.php?topic=48961.0, so I've now got a 'memberOf' attribute for each user.
Extended query : memberOf=cn=AGroup,ou=Groups,dc=localdomain
Group naming attribute : cn
Group member attribute : memberOf
This resulted in the auth passing only if the user is a member of the group, but the group name still doesn't get returned - it's simply being passed on the 'Extended query' finding a match. This means the user can log in, but they get "No pages assigned".
BTW, the name specified in the 'Group naming attribute' doesn't look like it's being used - I can set it to 'thiscanbeanything' and an auth test will pass. I've had a look at the code for ldap_get_groups() in auth.inc:
    if (is_array($info[0][$ldapgroupattribute])) {
        /* Iterate through the groups and throw them into an array */
        foreach ($info[0][$ldapgroupattribute] as $member) {
            if (stristr($member, "CN=") !== false) {
                $membersplit = explode(",", $member);
                $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
Should this be using the 'Group naming attribute' rather than being hard-coded to 'CN'?
I've got a solution that I can use. I've modified my LDAP directory (easy in this case as it's a new install ;)) so that the users have a memberOf attribute which is built up automatically from the group objects (using the memberOf plugin within 389 Directory Server). That way I don't need the "Extended query" at all.
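The two lookup styles discussed in this thread, as an added stand-alone example in Python (not pfSense code, and not a drop-in for ldap_get_groups() in auth.inc). Style 1 is the reverse lookup that the 'uniquemember' layout needs: search under ou=Groups for entries whose uniqueMember equals the user's DN. Style 2 reads memberOf off the user entry and takes the group name from the DN's first RDN. Both use the configured group naming attribute instead of a hard-coded "CN=", split the DN with RFC 4514 escapes respected (a group named "Ops, Team" would otherwise come back as "Ops\"), and escape the user DN before it is placed in a filter (RFC 4515), since a login name that reaches an LDAP filter unescaped can rewrite that filter. Entries and names below are constructed in place of real search results; the ldapsearch commands in comments are the equivalent live queries against the server named in the question and are assumptions about that directory. naive_group_name() reproduces the explode/preg_replace logic quoted above for comparison only.

```python
"""Group lookup for an LDAP auth backend (added example, not pfSense's code)."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]


def escape_filter(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def member_lookup_filter(member_attr: str, user_dn: str) -> str:
    """Filter for style 1 (reverse lookup): which groups list this user DN?
    Live equivalent (assumed server name from the question):
      ldapsearch -x -H ldap://server.localdomain -b ou=Groups,dc=localdomain \
        '(uniqueMember=uid=User,ou=People,dc=localdomain)' cn
    """
    return "(%s=%s)" % (member_attr, escape_filter(user_dn))


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas only; '\\,' stays inside its RDN value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def unescape_rdn_value(value: str) -> str:
    """Undo RFC 4514 escapes: '\\,' -> ',' and hex pairs such as '\\2c' -> ','."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)


def normalize_dn(dn: str) -> str:
    """Cheap DN comparison key (lower-case, whitespace around RDNs dropped).
    Good enough for the constructed data here; a full DN match is more involved."""
    return ",".join(r.lower() for r in split_dn(dn))


def group_name_from_dn(group_dn: str, naming_attr: str = "cn") -> Optional[str]:
    """Value of the first RDN, but only if its attribute is the configured
    group naming attribute (attribute types compare case-insensitively)."""
    rdns = split_dn(group_dn)
    if not rdns:
        return None
    attr, sep, val = rdns[0].partition("=")
    if not sep or attr.strip().lower() != naming_attr.lower():
        return None
    return unescape_rdn_value(val.strip())


def naive_group_name(member: str) -> Optional[str]:
    """The explode(',')/preg_replace('/CN=/i') logic quoted from auth.inc, for
    contrast: ignores the naming attribute and breaks on an escaped comma."""
    if "cn=" not in member.lower():
        return None
    return re.sub(r"CN=", "", member.split(",")[0], flags=re.I)


def _values(entry: Entry, attr: str) -> List[str]:
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]


def groups_from_memberof(user_entry: Entry, member_attr: str = "memberOf",
                         naming_attr: str = "cn") -> List[str]:
    """Style 2: names of the groups listed in the user's own memberOf values.
    Live equivalent: ldapsearch -x -H ldap://server.localdomain \
      -b uid=User,ou=People,dc=localdomain -s base memberOf"""
    names = [group_name_from_dn(dn, naming_attr) for dn in _values(user_entry, member_attr)]
    return [n for n in names if n is not None]


def groups_from_uniquemember(group_entries: List[Tuple[str, Entry]], user_dn: str,
                             member_attr: str = "uniqueMember",
                             naming_attr: str = "cn") -> List[str]:
    """Style 1 over in-memory entries standing in for the search results that
    member_lookup_filter() would return from the directory."""
    want = normalize_dn(user_dn)
    names = []
    for dn, attrs in group_entries:
        if any(normalize_dn(m) == want for m in _values(attrs, member_attr)):
            name = group_name_from_dn(dn, naming_attr)
            if name is not None:
                names.append(name)
    return names


# Constructed directory content mirroring the layout in the question.
USER_DN = "uid=User,ou=People,dc=localdomain"
USER_ENTRY: Entry = {"uid": ["User"],
                     "memberOf": ["cn=AGroup,ou=Groups,dc=localdomain",
                                  "cn=Ops\\, Team,ou=Groups,dc=localdomain"]}
GROUP_ENTRIES: List[Tuple[str, Entry]] = [
    ("cn=AGroup,ou=Groups,dc=localdomain",
     {"cn": ["AGroup"], "uniqueMember": [USER_DN, "uid=other,ou=People,dc=localdomain"]}),
    ("cn=Ops\\, Team,ou=Groups,dc=localdomain",
     {"cn": ["Ops, Team"], "uniqueMember": ["UID=user,OU=People,DC=localdomain"]}),
    ("cn=Nobody,ou=Groups,dc=localdomain",
     {"cn": ["Nobody"], "uniqueMember": ["uid=other,ou=People,dc=localdomain"]}),
]

if __name__ == "__main__":
    print(member_lookup_filter("uniqueMember", USER_DN))
    print("style 1:", groups_from_uniquemember(GROUP_ENTRIES, USER_DN))
    print("style 2:", groups_from_memberof(USER_ENTRY))
    print("naive  :", [naive_group_name(dn) for dn in USER_ENTRY["memberOf"]])
```

Setting naming_attr to 'thiscanbeanything' makes group_name_from_dn() return None for every DN, so no group names come back and the mismatch is visible, whereas naive_group_name() never consults the setting at all, which is the behaviour the post above describes.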
-
I submitted a pull request a while back in this area (https://github.com/pfsense/pfsense/pull/36), but it looks a bit orphaned ;)
Not quite the same, but this did make the auth work nicely with openLDAP.