[solved] 'Trick' (patch) Captive Portal into using LDAP User backend



  • Update: Find solution in last message, join development on https://redmine.pfsense.org/issues/5112

    Hi,

    I need help patching our production appliance to lookup username and password in LDAP for CP authentication. I am willing to provide a leightweight PR afterwards, but do not have the knowledge nor the resources to go into "real development".

    The patch should be relatively simple at the end, in a hackish manner I assume we end up at 5 lines.

    All I need to know is how to access the correct authserver-config (there should be only one in my setup anyways) and what to pass in as "$attributes" (although this is not used anywhere down the path I think).

    The change should happen at https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L240 I guess.

    
    $authcfg = auth_get_authserver(????);
    $loginok = authenticate_user($_POST['auth_user'], $_POST['auth_pass'], $authcfg, $attributes);
    
    

    Two lines later, privilege checking is done, which for the LDAP setup would have to resolve the groupmemberships first (probably not a big deal), but this should be circumventable by adding the correct filter in the LDAP auth settings.

    This feature was also requested in https://forum.pfsense.org/index.php?topic=87869.0 and I created https://redmine.pfsense.org/issues/5112 .

    Any pointers really appreciated, as I said I do not have a proper testing setup and do not know PHP so I am scared of messing things up. I am happy to help.


  • LAYER 8 Netgate

    Might be easier to get a RADIUS server working against your LDAP back end then use the existing RADIUS login functionality of the captive portal code.

    Why reinvent the wheel?



  • @Derelict:

    Might be easier to get a RADIUS server working against your LDAP back end then use the existing RADIUS login functionality of the captive portal code.
    Why reinvent the wheel?

    Forgot to mention that in the original Post, thanks for bringing it up and the quick and valid response!! For me radius is not an option; it would be great not to dwelve into discussions about that but concentrate on the patch. Basically I do not want to maintain another (in my env) unecessary service; and my proposition its exactly about re-using the wheel, I think its really just a couple of lines of code ahead of us.



  • From https://redmine.pfsense.org/issues/5112 :

    With some help from PiBa-NL via IRC I can confirm that the hackish approach works fine.

    $authcfg = auth_get_authserver("YOUR LDAP BACKEND NAME");
    $_attributes = array();
    $loginok = authenticate_user($_POST['auth_user'], $_POST['auth_pass'], $authcfg, $_attributes);
    

    I then uncommented the privilege checking. I hope I find the time to layout changes in a github PR and would like some guidance on how the new configuration options should be structured. It can get complicated if one wishes, but there I will not help much.


    I thus consider this thread to be closed, but are happy to find collaborators for a github PR (join me on https://redmine.pfsense.org/issues/5112 ). Thanks.


Log in to reply