Netgate Discussion Forum

    LDAP Extended Query on v2.2 (SOLVED)

    Category: webGUI
    2 Posts 1 Posters 4.8k Views
    shpokas

      Hi there,
      I am trying to authenticate OpenVPN users against a FreeIPA LDAP server, using an extended query.
      "Simple" LDAP authentication works OK, but I have had no success with an extended query using group membership.

      The ldapsearch command on another host with the same bind credentials works OK, and for user "test" returns the string
      …
      memberOf: cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com
      ...

      I use this same string in the extended query:
      memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com

      Group member attribute in LDAP server configuration page is set to "memberOf".

      Yet I cannot authenticate, and in the pfSense OpenVPN log I see:
      openvpn[79060]: xx.xx.xx.xx:38217 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
      openvpn: user 'test' could not authenticate.
      openvpn: /openvpn.auth-user.php: ERROR! Either LDAP search failed, or multiple users were found.

      I have seen in the forum that some people have successfully configured an extended query against Active Directory, but using pfSense v2.1.
      Is there any change for v2.2 perhaps?

      Any clue what could be wrong in this setup?
      Thanks in advance.

      EDIT:
      I looked into the FreeIPA LDAP logs. For a successful authentication (no extended query):

      conn=2919 TLS1.2 128-bit AES-GCM
      conn=2919 op=0 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" method=128 version=3
      conn=2919 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com"
      conn=2919 op=1 SRCH base="cn=users,cn=compat,dc=company,dc=com" scope=2 filter="(uid=test)" attrs=ALL
      conn=2919 op=1 RESULT err=0 tag=101 nentries=1 etime=0

      conn=2919 op=2 BIND dn="uid=test,cn=users,cn=compat,dc=company,dc=com" method=128 version=3
      conn=2919 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test,cn=users,cn=accounts,dc=company,dc=com"

      conn=2919 op=3 UNBIND
      conn=2919 op=3 fd=110 closed - U1

      And for an unsuccessful one (with extended query):

      conn=2924 TLS1.2 128-bit AES-GCM
      conn=2924 op=0 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" method=128 version=3
      conn=2924 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com"
      conn=2924 op=1 SRCH base="cn=users,cn=compat,dc=company,dc=com" scope=2 filter="(&(uid=test)(memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com))" attrs=ALL
      conn=2924 op=1 RESULT err=0 tag=101 nentries=0 etime=0

      conn=2924 op=2 UNBIND
      conn=2924 op=2 fd=110 closed - U1

      Looks like in the latter case the search result is NOT OK and the BIND is not performed.
      But if I do exactly the same search from another host, I get a search result.

      [test ~]$ ldapsearch -w ******** -h ldap.company.com -D "uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" "(&(uid=test)(memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com))" attrs=ALL
      # extended LDIF
      #
      # LDAPv3
      # base <dc=company,dc=com> (default) with scope subtree
      # filter: (&(uid=test)(memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com))
      # requesting: attrs=ALL
      #

      # test, users, accounts, company.com
      dn: uid=test,cn=users,cn=accounts,dc=company,dc=com

      # search result
      search: 2
      result: 0 Success

      # numResponses: 2
      # numEntries: 1

      Why do I see a difference in search results (the value of nentries differs) if the search is performed from pfSense or from another host?

      shpokas

        The problem was the search scope base DN. They are different for the pfSense query and the ldapsearch command, as can be seen above.
        The solution is to remove the "cn=users,cn=compat" part from the base DN and leave only "dc=company,dc=com".

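As an added illustration (not from the thread and not pfSense's code), here is a small Python model of the subtree search pfSense performs, run against a constructed directory that mirrors the DNs in the logs above: the compat entry carries uid but no memberOf, while the accounts entry carries both. The scope check, the filter evaluation and the "exactly one entry, then bind" rule are a simplification written for this example.

```python
import re

# Constructed sample directory modelled on the thread's logs: FreeIPA shows the
# same user under cn=compat (without memberOf) and under cn=accounts (with it).
DIRECTORY = {
    "uid=test,cn=users,cn=compat,dc=company,dc=com": {"uid": ["test"]},
    "uid=test,cn=users,cn=accounts,dc=company,dc=com": {
        "uid": ["test"],
        "memberof": ["cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com"],
    },
}

VPN_GROUP = "memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com"


def in_subtree(dn, base_dn):
    """scope=2 (subtree): the entry's DN must be the base DN or end with it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def matches(attrs, ldap_filter):
    """Evaluate the filter shapes pfSense builds, (uid=X) or (&(uid=X)(ext)),
    as a conjunction of equality assertions (case-insensitive)."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", ldap_filter)
    return all(
        value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]
        for attr, value in terms
    )


def search(base_dn, ldap_filter):
    """Return the DNs a subtree search yields; len(result) is the log's nentries."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base_dn) and matches(attrs, ldap_filter)]


def model_pfsense_auth(base_dn, username, extended_query=""):
    """Model of the auth script's rule: the search must return exactly one
    entry, and only then is a BIND as that entry's DN attempted."""
    ldap_filter = f"(uid={username})"
    if extended_query:
        ldap_filter = f"(&{ldap_filter}({extended_query}))"
    found = search(base_dn, ldap_filter)
    if len(found) != 1:
        return "ERROR! Either LDAP search failed, or multiple users were found."
    return f"bind as {found[0]}"
```

With the compat base the extended search finds nothing (nentries=0), while with the root base the accounts entry matches and the bind proceeds.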
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.