LDAP Extended Query on v2.2 (SOLVED)
-
Hi there,
I am trying to authenticate OpenVPN users against FreeIPA LDAP server, using extended query.
"Simple" LDAP authentication works OK, but no success with extended query, using group membership.
ldapsearch command on another host with the same bind credentials works OK, and for user "test" returns the string
…
memberOf: cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com
...I use this same string in extended query:
memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com
Group member attribute in LDAP server configuration page is set to "memberOf".
Yet I cannot authenticate and in pfSense OpenVPN log I see:
openvpn[79060]: xx.xx.xx.xx:38217 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 1
openvpn: user 'test' could not authenticate.
openvpn: /openvpn.auth-user.php: ERROR! Either LDAP search failed, or multiple users were found.
I have seen in the forum that some people have successfully configured extended query against Active Directory, but using pfSense v2.1.
Is there any change for v2.2 perhaps? Any clue what could be wrong in this setup?
Thanks in advance.

EDIT:
I looked into FreeIPA LDAP logs, and for successful authentication (no extended query):
conn=2919 TLS1.2 128-bit AES-GCM
conn=2919 op=0 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" method=128 version=3
conn=2919 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com"
conn=2919 op=1 SRCH base="cn=users,cn=compat,dc=company,dc=com" scope=2 filter="(uid=test)" attrs=ALL
conn=2919 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=2919 op=2 BIND dn="uid=test,cn=users,cn=compat,dc=company,dc=com" method=128 version=3
conn=2919 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test,cn=users,cn=accounts,dc=company,dc=com"
conn=2919 op=3 UNBIND
conn=2919 op=3 fd=110 closed - U1
for unsuccessful (with extended query):
conn=2924 TLS1.2 128-bit AES-GCM
conn=2924 op=0 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" method=128 version=3
conn=2924 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com"
conn=2924 op=1 SRCH base="cn=users,cn=compat,dc=company,dc=com" scope=2 filter="(&(uid=test)(memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com))" attrs=ALL
conn=2924 op=1 RESULT err=0 tag=101 nentries=0 etime=0
conn=2924 op=2 UNBIND
conn=2924 op=2 fd=110 closed - U1
Looks like in the latter case the search result is NOT OK and BIND is not performed.
But if I do exactly the same search from another host, I get a search result.
[test ~]$ ldapsearch -w ******** -h ldap.company.com -D "uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" "(&(uid=test)(memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com))" attrs=ALL
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=com> (default) with scope subtree
# filter: (&(uid=test)(memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com))
# requesting: attrs=ALL
#

# test, users, accounts, company.com
dn: uid=test,cn=users,cn=accounts,dc=company,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Why do I see a difference in search results (the value of nentries differs) if the search is performed from pfSense or from another host?
-
The problem was the search scope base DN. They are different for the pfSense query and the ldapsearch command, as can be seen above.
The solution is to remove the "cn=users,cn=compat" part from the base DN and leave only "dc=company,dc=com".
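The logs above make the mechanism visible: pfSense searched under cn=users,cn=compat (where the uid=test entry carries no memberOf value, so the AND filter matched nothing), while ldapsearch used the default base dc=company,dc=com from the client's ldap.conf and found the uid=test entry under cn=accounts, which does carry it. The following is an added example, not pfSense, FreeIPA or OpenVPN code: a toy subtree search over a constructed directory built from the DNs on this page, which reproduces the nentries values in both logs. The attribute sets of the entries are assumed, except for the one fact the logs establish (only the cn=accounts entry has the memberOf value). It also shows a caveat the thread's fix implies: with the wider base, a bare (uid=test) filter matches both the compat entry and the accounts entry, which is exactly the "multiple users were found" case in the pfSense error, so the group filter is doing double duty once the base is dc=company,dc=com.

```python
# Added example (not pfSense, FreeIPA or OpenVPN code): a toy LDAP subtree
# search that reproduces the nentries values in the thread's logs.
# The directory below is constructed from the DNs visible on the page; the
# attribute sets are assumed, except that only the cn=accounts entry carries
# the memberOf value (that is what the two SRCH results show).

def norm(value):
    """Normalise a DN or attribute value for comparison: lower-case, with
    whitespace around RDN separators removed. Escaped commas are not handled;
    none of the DNs on this page contain them."""
    return ",".join(part.strip().lower() for part in value.split(","))

def is_under(entry_dn, base_dn):
    """scope=2 (subtree): entry_dn is base_dn itself or lies beneath it."""
    entry = norm(entry_dn).split(",")
    base = norm(base_dn).split(",")
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def matches(attrs, filt):
    """AND of equality assertions, like (&(uid=test)(memberOf=...))."""
    for name, wanted in filt.items():
        values = attrs.get(name.lower(), [])
        if not any(norm(v) == norm(wanted) for v in values):
            return False
    return True

GROUP_DN = "cn=vpnusers,cn=groups,cn=accounts,dc=company,dc=com"
COMPAT_BASE = "cn=users,cn=compat,dc=company,dc=com"   # pfSense's original base
ROOT_BASE = "dc=company,dc=com"                        # ldapsearch default base

# Constructed directory: attribute names lower-cased, values stored as lists.
DIRECTORY = {
    "uid=test,cn=users,cn=compat,dc=company,dc=com": {
        "uid": ["test"], "objectclass": ["posixAccount"],
    },
    "uid=test,cn=users,cn=accounts,dc=company,dc=com": {
        "uid": ["test"], "objectclass": ["person", "posixAccount"],
        "memberof": [GROUP_DN],
    },
    "uid=bob,cn=users,cn=accounts,dc=company,dc=com": {   # assumed extra user
        "uid": ["bob"], "objectclass": ["person", "posixAccount"],
    },
    GROUP_DN: {
        "cn": ["vpnusers"],
        "member": ["uid=test,cn=users,cn=accounts,dc=company,dc=com"],
    },
}

def search(base_dn, filt, directory=DIRECTORY):
    """DNs a subtree search under base_dn with the given AND filter would return."""
    return sorted(dn for dn, attrs in directory.items()
                  if is_under(dn, base_dn) and matches(attrs, filt))

def lookup_user(base_dn, username, extended=None, directory=DIRECTORY):
    """Decision modelled on the pfSense log message: the auth script needs
    exactly one entry to bind as; zero or several entries both end in
    'Either LDAP search failed, or multiple users were found.'"""
    filt = {"uid": username}
    if extended:
        filt.update(extended)
    hits = search(base_dn, filt, directory)
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    ext = {"memberOf": GROUP_DN}
    for base, filt in [(COMPAT_BASE, {"uid": "test"}),          # nentries=1 in the log
                       (COMPAT_BASE, {"uid": "test", **ext}),   # nentries=0 in the log
                       (ROOT_BASE, {"uid": "test", **ext}),     # numEntries: 1 from ldapsearch
                       (ROOT_BASE, {"uid": "test"})]:           # two entries: compat + accounts
        print(base, filt, "->", search(base, filt))
    print("bind as:", lookup_user(ROOT_BASE, "test", ext))
```

The practical check this suggests before changing the base DN in pfSense is to run ldapsearch with an explicit `-b` set to the base pfSense is configured with, rather than relying on the client's default; only then are the two searches actually "exactly the same".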