Netgate Discussion Forum

OpenLDAP auth backend - how to get groups back?

Category: webGUI. 4 Posts, 2 Posters, 2.1k Views
    keylevel, Nov 21, 2013, 4:11 PM (last edited Nov 21, 2013, 4:32 PM)

    I've got an OpenLDAP directory of the form:

    
    server.localdomain
      dc=localdomain
        ou=Groups
          cn=AGroup
        ou=People
          uid=User
    
    

    I can get the auth to work against the users by setting

    
      Authentication containers  :  ou=People,dc=localdomain
      User naming attribute      : uid
    
    

    However, it fails as soon as I try to get the group names returned, so the user is never reported as being a member of a group. Membership is stored in the 'uniquemember' attribute of the group, so I've set:

    
      Extended query          : ou=Groups,dc=localdomain
      Group naming attribute  :  cn
      Group member attribute  :  uniquemember
    
    

    This doesn't work, possibly because the 'uniquemember' attribute holds 'uid=User,ou=People,dc=localdomain' (this is created automatically within the directory and can't be changed).

    Is there anything I can do to get this working, perhaps with the 'Extended Query' value?

    ADDED:

    Forgot to mention, this is for 2.1.

    Chris

    jimp (Rebel Alliance Developer, Netgate), Nov 22, 2013, 6:04 PM

      Give this example a try:
      https://doc.pfsense.org/index.php/LDAP_Troubleshooting#Extended_Query

    keylevel, Nov 22, 2013, 8:33 PM

        Thanks, that looks the same as something that resulted in me making some changes based on the post at http://forum.pfsense.org/index.php?topic=48961.0, so I've now got a 'memberOf' attribute for each user.

        
          Extended query          : memberOf=cn=AGroup,ou=Groups,dc=localdomain
          Group naming attribute  :  cn
          Group member attribute  :  memberOf
        
        

        This resulted in the auth passing only if the user is a member of the group, but the group name still doesn't get returned - it's simply being passed on the 'Extended query' finding a match. This means the user can log in, but they get "No pages assigned".

        BTW, the name specified in the 'Group naming attribute' doesn't look like it's being used - I can set it to 'thiscanbeanything' and an auth test will pass. I've had a look at the code for ldap_get_groups() in auth.inc:

                /* from ldap_get_groups() in auth.inc: $ldapgroupattribute is the configured
                   "Group member attribute"; the group name is always taken from a CN= RDN */
                if(is_array($info[0][$ldapgroupattribute])) {
                        /* Iterate through the groups and throw them into an array */
                        foreach ($info[0][$ldapgroupattribute] as $member) {
                                if (stristr($member, "CN=") !== false) {
                                        $membersplit = explode(",", $member);
                                        $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
                                }
                        }
                }


        Should this be using the 'Group naming attribute' rather than being hard-coded to 'CN'?

        I've got a solution that I can use. I've modified my LDAP directory (easy in this case as it's a new install ;)) so that the users have a memberOf attribute which is built up automatically from the group objects (using the memberOf plugin within 389 Directory Server). That way I don't need the "Extended query" at all.

        Chris

        keylevel, Nov 22, 2013, 8:39 PM
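The loop quoted above only ever recognises a group DN whose RDN is CN=, and stristr() matches "CN=" anywhere in the DN, so a value such as "uid=User,ou=People,dc=localdomain" is silently dropped while the configured "Group naming attribute" is never consulted. The following is an added example, not pfSense's own code, of how that loop could honour the configured attribute instead. The function names parse_dn_rdns() and extract_group_names(), and the sample memberOf values, are assumptions made for this example; the input shape (a value list with a 'count' element) is what PHP's ldap_get_entries() returns for an attribute.

```php
<?php
/*
 * Added example (not pfSense's own code): a rework of the loop quoted above
 * from ldap_get_groups() in auth.inc that uses the configured
 * "Group naming attribute" instead of the hard-coded "CN=".
 * parse_dn_rdns(), extract_group_names() and the sample memberOf values
 * below are assumptions made for this example.
 */

/* Split a DN into its RDN strings, keeping backslash escapes (\, and \+) intact. */
function parse_dn_rdns(string $dn): array
{
    $rdns = [];
    $current = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $ch = $dn[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            $current .= $ch . $dn[++$i];   /* escaped character: copy both bytes */
        } elseif ($ch === ',') {
            $rdns[] = trim($current);
            $current = '';
        } else {
            $current .= $ch;
        }
    }
    $rdns[] = trim($current);
    return $rdns;
}

/*
 * Given the raw value list ldap_get_entries() returns for the group member
 * attribute (it carries a 'count' element, which is skipped), return the
 * names of the groups whose leading RDN uses $groupnamingattribute.
 * The attribute comparison is case-insensitive, as LDAP attribute names are,
 * and only the first RDN is inspected, so "ou=Foo,cn=Bar" is not mistaken
 * for a group called "ou=Foo".
 */
function extract_group_names(array $values, string $groupnamingattribute): array
{
    $pattern = '/^' . preg_quote($groupnamingattribute, '/') . '=(.+)$/i';
    $memberof = [];
    foreach ($values as $key => $member) {
        if ($key === 'count' || !is_string($member)) {
            continue;                       /* skip ldap_get_entries() bookkeeping */
        }
        $rdns = parse_dn_rdns($member);
        if (preg_match($pattern, $rdns[0], $m)) {
            $memberof[] = stripslashes($m[1]);  /* "Ops\, EMEA" -> "Ops, EMEA" */
        }
    }
    return $memberof;
}

/* Constructed sample: what the thread's directory would hand back in memberOf. */
$sample = [
    'count' => 3,
    0 => 'cn=AGroup,ou=Groups,dc=localdomain',
    1 => 'CN=Ops\, EMEA,ou=Groups,dc=localdomain',
    2 => 'uid=User,ou=People,dc=localdomain',
];

print_r(extract_group_names($sample, 'cn'));   /* names from the cn= RDNs only */
print_r(extract_group_names($sample, 'uid'));  /* the uid= DN, which "CN=" could never match */
```

With 'cn' the two group DNs are returned (the escaped comma in the second is unescaped) and the uid= entry is ignored; with 'uid' only the third DN is returned. Whatever attribute the directory uses to name its groups, it is the configured value that decides, which is the behaviour the "Group naming attribute" field implies.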

          I submitted a pull request a while back in this area (https://github.com/pfsense/pfsense/pull/36), but it looks a bit orphaned ;)

          Not quite the same, but this did make the auth work nicely with OpenLDAP.

          Chris
