OpenLDAP auth backend - how to get groups back?



  • I've got an OpenLDAP directory of the form:

    
    server.localdomain
      dc=localdomain
        ou=Groups
          cn=AGroup
        ou=People
          uid=User
    
    

    I can get the auth to work against the users by setting

    
      Authentication containers  :  ou=People,dc=localdomain
      User naming attribute      : uid
    
    

    However, it fails as soon as I try to get the group names returned, so the user is never reported as being a member of a group. Membership is stored in the 'uniquemember' attribute of the group, so I've set:

    
      Extended query          : ou=Groups,dc=localdomain
      Group naming attribute  :  cn
      Group member attribute  :  uniquemember
    
    

    This doesn't work, possibly because the 'uniquemember' attribute holds 'uid=User,ou=People,dc=localdomain' (this is created automatically within the directory and can't be changed).

    Is there anything I can do to get this working, perhaps with the 'Extended Query' value?

    ADDED:

    Forgot to mention, this is for 2.1.


  • Rebel Alliance Developer Netgate



  • Thanks, that looks the same as something that resulted in me making some changes based on the post at http://forum.pfsense.org/index.php?topic=48961.0, so I've now got a 'memberOf' attribute for each user.

    
      Extended query          : memberOf=cn=AGroup,ou=Groups,dc=localdomain
      Group naming attribute  :  cn
      Group member attribute  :  memberOf
    
    

    This resulted in the auth passing only if the user is a member of the group, but the group name still doesn't get returned - it's simply being passed on the 'Extended query' finding a match. That means the user can log in, but they get "No pages assigned".

    BTW, the name specified in the 'Group naming attribute' doesn't look like it's being used - I can set it to 'thiscanbeanything' and an auth test will pass. I've had a look at the code for ldap_get_groups() in auth.inc:

            if(is_array($info[0][$ldapgroupattribute])) {
                    /* Iterate through the groups and throw them into an array */
                    foreach ($info[0][$ldapgroupattribute] as $member) {
                            if (stristr($member, "CN=") !== false) {
                                    $membersplit = explode(",", $member);
                                    $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
                            }
                    }
            }
    

    Should this be using the 'Group naming attribute' rather than being hard-coded to 'CN'?

    I've got a solution that I can use. I've modified my LDAP directory (easy in this case as it's a new install ;)) so that the users have a memberOf attribute which is built up automatically from the group objects (using the memberOf plugin within 389 Directory Server). That way I don't need the "Extended query" at all.
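The two observations in the post above (the group attribute is read off the user entry, and the RDN type is hard-coded to CN=) can be checked offline with a small PHP function. This is an added example, not code from the post or from pfSense's auth.inc: it is modelled on the quoted loop from ldap_get_groups() but compares each DN's first RDN type against the configured 'Group naming attribute' instead of a literal "CN=". The function name ldap_group_names, the $info array and the group name "Admins\, Net" are constructed for the example; $info follows the shape ldap_get_entries() returns (entry 0, lower-cased attribute names, a 'count' key on multi-valued attributes).

```php
<?php
// Added example, not pfSense code: extract group names from a DN-valued
// attribute on the user's entry, honouring the configured naming attribute.
//
// $info mimics ldap_get_entries(): $info[0] is the user's entry, attribute
// names are lower-cased, and multi-valued attributes carry a 'count' key.

/**
 * Return the first-RDN value of every DN in $info[0][$groupattr] whose
 * RDN type equals $namingattr (case-insensitive). Hypothetical helper.
 */
function ldap_group_names(array $info, string $groupattr, string $namingattr): array
{
    $memberof  = [];
    $groupattr = strtolower($groupattr); // ldap_get_entries() lower-cases keys

    if (empty($info[0][$groupattr]) || !is_array($info[0][$groupattr])) {
        // Attribute absent from the user entry. This is the uniquemember case:
        // that attribute lives on the group object, not on the user object
        // that this code is reading, so nothing can be returned from here.
        return $memberof;
    }

    foreach ($info[0][$groupattr] as $key => $dn) {
        if ($key === 'count') {
            continue;
        }
        // Split on the first unescaped comma only, so "cn=Admins\, Net,ou=..."
        // keeps its escaped comma inside the RDN.
        $rdns = preg_split('/(?<!\\\\),/', $dn, 2);
        $rdn  = $rdns[0];
        if (strpos($rdn, '=') === false) {
            continue;
        }
        list($type, $value) = explode('=', $rdn, 2);
        if (strcasecmp(trim($type), $namingattr) !== 0) {
            // RDN type differs from the naming attribute (e.g. "ou=" vs "cn"),
            // or the naming attribute was set to something meaningless.
            continue;
        }
        // Drop DN escaping ("\," "\+" "\=") from the value.
        $memberof[] = preg_replace('/\\\\(.)/', '$1', trim($value));
    }
    return $memberof;
}

// Constructed sample user entry (not from a real directory), as it would
// look once the memberOf plugin has populated the user object.
$info = [
    'count' => 1,
    0 => [
        'dn'       => 'uid=User,ou=People,dc=localdomain',
        'uid'      => ['count' => 1, 0 => 'User'],
        'memberof' => [
            'count' => 2,
            0 => 'cn=AGroup,ou=Groups,dc=localdomain',
            1 => 'cn=Admins\, Net,ou=Groups,dc=localdomain',
        ],
    ],
];

// Group member attribute = memberOf, Group naming attribute = cn
print_r(ldap_group_names($info, 'memberOf', 'cn'));

// Group member attribute = uniquemember: the user entry has no such
// attribute, so the lookup yields nothing even though the group exists.
print_r(ldap_group_names($info, 'uniquemember', 'cn'));

// A bogus naming attribute now matches no RDN type instead of being ignored.
print_r(ldap_group_names($info, 'memberOf', 'thiscanbeanything'));
```

Run with `php example.php`. The first call yields the two group names (with the escaped comma unescaped), the second an empty array, and the third an empty array as well, which is the behaviour the hard-coded "CN=" check was hiding: with the original loop, the 'Group naming attribute' setting never influenced the result.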



  • I submitted a pull request a while back in this area (https://github.com/pfsense/pfsense/pull/36), but it looks a bit orphaned ;)

    Not quite the same, but this did make the auth work nicely with OpenLDAP.