Netgate Discussion Forum

    OpenLDAP auth backend - how to get groups back?

    4 Posts 2 Posters 2.2k Views
    • keylevel

      I've got an OpenLDAP directory of the form:

      
      server.localdomain
        dc=localdomain
          ou=Groups
            cn=AGroup
          ou=People
            uid=User
      
      

      I can get the auth to work against the users by setting

      
        Authentication containers  :  ou=People,dc=localdomain
        User naming attribute      : uid
      
      

      However, it fails as soon as I try to get the group names returned, so the user is never reported as being a member of a group. Membership is stored in the 'uniquemember' attribute of the group, so I've set:

      
        Extended query          : ou=Groups,dc=localdomain
        Group naming attribute  :  cn
        Group member attribute  :  uniquemember
      
      

      This doesn't work, possibly because the 'uniquemember' attribute holds 'uid=User,ou=People,dc=localdomain' (this is created automatically within the directory and can't be changed).

      Is there anything I can do to get this working, perhaps with the 'Extended Query' value?

      ADDED:

      Forgot to mention, this is for 2.1.

      Chris

      • jimp (Rebel Alliance Developer, Netgate)

        Give this example a try:
        https://doc.pfsense.org/index.php/LDAP_Troubleshooting#Extended_Query


        • keylevel

          Thanks, that looks the same as something that resulted in me making some changes based on the post at http://forum.pfsense.org/index.php?topic=48961.0, so I've now got a 'memberOf' attribute for each user.

          
            Extended query          : memberOf=cn=AGroup,ou=Groups,dc=localdomain
            Group naming attribute  :  cn
            Group member attribute  :  memberOf
          
          

          This resulted in the auth passing only if the user is a member of the group, but the group name still doesn't get returned - it's simply being passed on the 'Extended query' finding a match. This means the user can log in, but they get "No pages assigned".

          BTW, the name specified in the 'Group naming attribute' doesn't look like it's being used - I can set it to 'thiscanbeanything' and an auth test will pass. I've had a look at the code for ldap_get_groups() in auth.inc:

                  if (is_array($info[0][$ldapgroupattribute])) {
                          /* Iterate through the groups and throw them into an array */
                          foreach ($info[0][$ldapgroupattribute] as $member) {
                                  /* Only values containing "CN=" are considered; the value of
                                   * the first RDN becomes the group name */
                                  if (stristr($member, "CN=") !== false) {
                                          $membersplit = explode(",", $member);
                                          $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
                                  }
                          }
                  }

          Should this be using the 'Group naming attribute' rather than being hard-coded to 'CN'?

          I've got a solution that I can use. I've modified my LDAP directory (easy in this case as it's a new install ;)) so that the users have a memberOf attribute which is built up automatically from the group objects (using the memberOf plugin within 389 Directory Server). That way I don't need the "Extended query" at all.

          Chris

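          As an added example (not pfSense's own code, and not the fix the poster submitted), here is how the group-name extraction discussed above could honour the configured 'Group naming attribute' instead of the hard-coded "CN=": each value of the membership attribute is split into its first RDN, and the value is kept only when that RDN's attribute name matches the configured one, case-insensitively. The function name, the $sample entry and the attribute values are constructed for illustration; the example also goes a little beyond the thread by accepting membership values that are plain names rather than DNs.

```php
<?php
/* Added example, not pfSense's own code: derive group names from the
 * user's group-membership attribute using the configured "Group naming
 * attribute" instead of a hard-coded "CN=". It also accepts values that
 * are plain names rather than DNs (a generalisation, not from the thread). */
function extract_group_names(array $entry, $member_attr, $naming_attr)
{
    $groups = array();
    /* ldap_get_entries() returns attribute names in lower case */
    $member_attr = strtolower($member_attr);
    if (!isset($entry[$member_attr]) || !is_array($entry[$member_attr])) {
        return $groups;
    }
    foreach ($entry[$member_attr] as $key => $value) {
        /* ldap_get_entries() adds a 'count' element to each attribute; skip it */
        if ($key === 'count') {
            continue;
        }
        /* First RDN of a DN such as "cn=AGroup,ou=Groups,dc=localdomain" */
        $rdn   = explode(',', $value, 2);
        $parts = explode('=', $rdn[0], 2);
        if (count($parts) === 2) {
            /* DN form: keep it only if the RDN attribute is the configured one,
             * so "ou=..." or "uid=..." values are not mistaken for groups */
            if (strcasecmp(trim($parts[0]), $naming_attr) === 0) {
                $groups[] = trim($parts[1]);
            }
        } else {
            /* Plain value with no "attr=" prefix: treat it as the group name */
            $groups[] = trim($rdn[0]);
        }
    }
    return $groups;
}

/* Constructed sample resembling one entry returned by ldap_get_entries() */
$sample = array(
    'dn'       => 'uid=User,ou=People,dc=localdomain',
    'memberof' => array(
        'count' => 3,
        0 => 'cn=AGroup,ou=Groups,dc=localdomain',
        1 => 'CN=Admins,OU=Groups,DC=localdomain',
        2 => 'ou=NotAGroup,dc=localdomain',
    ),
);
print_r(extract_group_names($sample, 'memberOf', 'cn'));
```

          Note that explode() splits incorrectly when the RDN value itself contains an escaped comma (\,); for directories with such names, parse the DN with ldap_explode_dn() from the PHP ldap extension instead.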
          • keylevel

            I submitted a pull request a while back in this area (https://github.com/pfsense/pfsense/pull/36), but it looks a bit orphaned ;)

            Not quite the same, but this did make the auth work nicely with OpenLDAP.

            Chris

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.