LDAP Admin account gives "No page assigned to this user! Click here to logout."



  • Hi,

    New here, but searched the forums and couldn't find anything definitive. Really hope this hasn't been answered countless times before :-)

    I have established a connection to our Active Directory. I have switched User Manager -> Settings -> Authentication Server to my LDAP server. I have created a local account with the same name as my LDAP account and made the local account a member of the local admin group.

    When I login, I get "No page assigned to this user! Click here to logout.".

    Gleaning similar threads I find some talk of creating local groups corresponding to AD groups. What groups are these?



  • I solved it and will put the solution here for other people having the same problem and finding this thread.

    If you want to authenticate logins to the web interface via LDAP (from a Microsoft Active Directory), you need to make LDAP authentication work first - i.e. you need to create an LDAP server and test it under diagnostics -> authentication. "The Definitive Guide" has an excellent chapter on this but for this caveat: If you want to use the "Extended Query" feature to limit logins to a specific group, it has to be written like this:

    memberOf=CN=pfSense_admins,OU=Service-Groups,DC=example,DC=com
    

    The crucial part being the first "memberOf=" which is not documented in The Definitive Guide.

    As can probably be determined from the above extended query, there is an AD group called "pfsense_admins" of which the user has to be a member to be able to authenticate to the pfSense firewall. Having gotten this far, you can authenticate via Diagnostics -> Authentication, but trying to log in to the firewall will give you the dreaded "No page assigned to this user!" error message.

    You need to create a local group on pfSense and assign local permissions for this to work. The group has to correspond exactly in name to a group in the AD of which the user is a member. It can be any group, but for clarity I recommend using the same group you used in the "extended query" part of the authentication configuration. In this case "pfSense_admins". That group needs the permission "WebCfg - All pages". If you go to diagnostics -> authentication and try to login again, you should see this message:

    User: joe-admin authenticated successfully.
    This user is a member of these groups:
    pfSense_admins

    Now you can authenticate to the web interface with your AD account.

    Lars



  • You need to create a local group on pfSense and assign local permissions for this to work. The group has to correspond exactly in name to a group in the AD of which the user is a member. It can be any group, but for clarity I recommend using the same group you used in the "extended query" part of the authentication configuration. In this case "pfSense_admins". That group needs the permission "WebCfg - All pages". If you go to diagnostics -> authentication and try to login again, you should see this message:

    Hello! I did exactly what you wrote,

    memberOf=CN=pfadm,CN=Users,DC=local,DC=pub

    and created a local group named pfadm, and assigned permissions. For some reason it couldn't catch them. Then I try to log in in Diagnostics; it works, but the permissions don't allow it. As before I see:

    User: domainadm authenticated successfully.
    This user is a member of these groups:

    updated:
    I changed in authentication server settings:
    Search scope Level: from "one level" to "entire subtree", now it works!


  • Hi,

    I had the same problem with AD-authenticated users on version 2.3.2.
    There's an option you have to tick off: the "RFC2307 groups" checkbox has to be unchecked.

    now it works!

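The three fixes in this thread (the leading "memberOf=" in the extended query, the search scope, and the RFC2307 group mode) all decide the same thing: whether the firewall ends up with a non-empty list of group names to match against its local groups. The script below is an added example, not pfSense's own code; it models that decision offline against a constructed in-memory directory. It assumes that the extended query is appended to the username filter as one more ANDed equality term, and that RFC2307 mode looks for group objects whose `memberUid` holds the login name; all DNs, user names and the `memberUid` detail are constructed for the example.

```python
"""Offline model of a pfSense-style LDAP login and group lookup (added example,
not pfSense's own code). Directory entries, names and DNs are constructed."""
import re

# Constructed stand-in for AD: users carry memberOf (AD style), the group entry
# lists user DNs in 'member'. LDAP attribute names are case-insensitive, so
# lookups below lower-case them.
DIRECTORY = {
    "CN=joe-admin,OU=Staff,DC=example,DC=com": {
        "objectClass": "user",
        "sAMAccountName": "joe-admin",
        "memberOf": [
            "CN=pfSense_admins,OU=Service-Groups,DC=example,DC=com",
            "CN=Domain Users,CN=Users,DC=example,DC=com",
        ],
    },
    "CN=bob,OU=Staff,DC=example,DC=com": {
        "objectClass": "user",
        "sAMAccountName": "bob",
        "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
    },
    "CN=pfSense_admins,OU=Service-Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=joe-admin,OU=Staff,DC=example,DC=com"],
    },
}


def split_dn(dn):
    """Split a DN into its RDNs on unescaped commas (RFC 4514)."""
    return re.split(r"(?<!\\),", dn)


def rdn_value(dn):
    """'CN=pfSense_admins,OU=...' -> 'pfSense_admins': the bare name that is
    compared, exactly, with the local group names."""
    return split_dn(dn)[0].split("=", 1)[1]


def in_scope(dn, base, scope):
    """The 'Search scope Level' setting, in DN terms."""
    dn, base = dn.lower(), base.lower()
    if scope == "one level":          # direct children of the base only
        return ",".join(split_dn(dn)[1:]) == base
    if scope == "entire subtree":     # the base and everything beneath it
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unknown scope {scope!r}")


def matches(attrs, assertion):
    """One 'attribute=value' equality term. 'CN=pfSense_admins,OU=...' on its
    own compares the user's CN attribute with the whole string and never
    matches; with 'memberOf=' in front it becomes a membership test."""
    attr, sep, value = assertion.partition("=")
    if not sep:
        return False
    have = {k.lower(): v for k, v in attrs.items()}.get(attr.lower(), [])
    values = have if isinstance(have, list) else [have]
    return any(v.lower() == value.lower() for v in values)


def search(base, scope, *assertions):
    """AND of all terms over entries in scope: the '(&(sAMAccountName=...)
    (memberOf=...))' filter the server would receive."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope) and all(matches(attrs, a) for a in assertions)]


def resolve_groups(user_dn, base, scope, rfc2307):
    """AD mode reads memberOf from the user entry. RFC2307 mode (assumed here:
    group objects whose 'memberUid' holds the login name, as a posixGroup would)
    finds nothing in AD, whose groups list DNs in 'member' instead."""
    if rfc2307:
        uid = DIRECTORY[user_dn]["sAMAccountName"]
        hits = search(base, scope, "objectClass=group", f"memberUid={uid}")
        return [rdn_value(g) for g in hits]
    return [rdn_value(g) for g in DIRECTORY[user_dn].get("memberOf", [])]


def login(username, extended_query, local_groups, base="DC=example,DC=com",
          scope="entire subtree", rfc2307=False):
    """Return the message the web UI would show for this configuration."""
    assertions = [f"sAMAccountName={username}"]
    if extended_query:
        assertions.append(extended_query)   # assumed: appended as one more AND term
    found = search(base, scope, *assertions)
    if len(found) != 1:
        return "authentication failed"
    granted = [g for g in resolve_groups(found[0], base, scope, rfc2307) if g in local_groups]
    if not granted:
        return "No page assigned to this user!"
    return "member of local groups: " + ", ".join(granted)


if __name__ == "__main__":
    query = "memberOf=CN=pfSense_admins,OU=Service-Groups,DC=example,DC=com"
    print(login("joe-admin", query, ["pfSense_admins"]))                      # works
    print(login("joe-admin", query[len("memberOf="):], ["pfSense_admins"]))  # prefix missing
    print(login("joe-admin", query, ["admins"]))                              # no matching local group
    print(login("joe-admin", query, ["pfSense_admins"], scope="one level"))   # user sits below a sub-OU
    print(login("joe-admin", query, ["pfSense_admins"], rfc2307=True))        # wrong group mode for AD
```

Running it prints one line per misconfiguration from the thread. Note that only the last three lines of the `main` block reach the group-matching step at all: a malformed extended query or a too-narrow scope already fails the user search, while a missing local group or RFC2307 mode leaves the user authenticated but with no groups, which is exactly the "No page assigned" condition.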
