[Solved] Authenticating against QNAP LDAP server
  • I've been trying endlessly to configure the Authentication Server but I can't get it to work. I used to authenticate against an MS AD, but now I'm trying to get it to work with the LDAP server on my QNAP NAS.

    What I did: Created group 'testgroup' and added new user 'test'. On pfSense I created the (local) group with the same name and, for easy testing, assigned all privileges. I've included the screenshot from LDAP Admin browsing the QNAP and the pfSense setup (only viewable when logged in, I notice).

    Now I've tried about any attribute setting I could find in this forum and what Google had to offer, but nothing works. The user gets authenticated but no groups show. Kinda useless this way. Lots of howtos for MS AD, and that worked fine. Is the QNAP-included LDAP server useless or am I still doing something wrong?

    Regards

  • Perhaps because you didn't pay attention to the way group membership is managed in your LDAP server.
    Unfortunately, your screen copy doesn't show it.  :-\

    Basically, you have to know whether:

    • the user's entry contains group membership information or not (I would say "à la Microsoft", with an "IsMemberOf" attribute in the user's entry containing a pointer to the group entry)
    • the group contains a member attribute made of uids (basically, although technically speaking it could be something else)
    • the group contains a member attribute made of DNs

    (look at the difference between RFC 2307 and 2307bis)



  • Solved it (with some help). Turns out I needed to check RFC 2307 style group membership. I included a final screenshot with the working settings.

  • Trying the same setup with OS X Open Directory (El Capitan).

    It authenticates users but shows no groups.

    Any thoughts?



  • Difficult to comment further without additional information in terms of:

    • configuration client side
    • DIT and schema LDAP server side


  • Hi Folks,
    I am currently working on the same problem with pfSense 2.3.4 connecting to OpenLDAP with the RFC 2307 schema.
    It looks like I have used the correct settings; I have attached my screenshot. But users get access anyway, whether the user is present in the group as memberUid or not. From the pcap it is clear that the LDAP group search returns 0 matches. But the user could still get access to OpenVPN.



    OpenLDAP.pcapng
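The three membership layouts described earlier in the thread (a memberOf back-pointer on the user entry, RFC 2307 posixGroup with bare uid values in memberUid, and RFC 2307bis groupOfNames with full DNs in member) determine which group search can ever match. The script below is an added example, not code from the thread, from pfSense, or from any LDAP server; it builds a constructed in-memory directory with one user and one group in each layout, resolves the user's groups under a chosen style, and shows that querying with the wrong style yields zero matches. The authorize() helper is a hypothetical illustration of the fail-closed behaviour the last post is looking for: a successful bind with no matching group grants nothing. All DNs, attribute values and function names are constructed for the example.

```python
"""Resolve LDAP group membership under the three common layouts.

Constructed sample directory (not from any real server): one user 'test'
and one group 'testgroup', expressed in each membership style.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    """A minimal LDAP entry: a DN plus multi-valued attributes."""
    dn: str
    attrs: dict = field(default_factory=dict)

    def values(self, name):
        # LDAP attribute names are case-insensitive (memberOf == memberof)
        for key, vals in self.attrs.items():
            if key.lower() == name.lower():
                return list(vals)
        return []


# --- constructed sample data ---------------------------------------------
USER = Entry("uid=test,ou=people,dc=example,dc=local", {
    "objectClass": ["posixAccount", "inetOrgPerson"],
    "uid": ["test"],
    # "à la Microsoft": the user entry carries a pointer to the group DN
    "memberOf": ["cn=testgroup,ou=groups,dc=example,dc=local"],
})

GROUP_RFC2307 = Entry("cn=testgroup,ou=groups,dc=example,dc=local", {
    "objectClass": ["posixGroup"],
    "cn": ["testgroup"],
    "memberUid": ["test"],            # RFC 2307: bare uid values
})

GROUP_RFC2307BIS = Entry("cn=testgroup,ou=groups,dc=example,dc=local", {
    "objectClass": ["groupOfNames"],
    "cn": ["testgroup"],
    "member": ["uid=test,ou=people,dc=example,dc=local"],  # 2307bis: full DNs
})


def groups_for_user(user, groups, style):
    """Return the cn of every group the user belongs to under `style`.

    style is "memberof", "rfc2307" or "rfc2307bis". The client has to use
    the style the server actually stores; any other style matches nothing,
    which is the "user authenticates but no groups show" symptom.
    """
    if style == "memberof":
        wanted = {dn.lower() for dn in user.values("memberOf")}
        return sorted(g.values("cn")[0] for g in groups if g.dn.lower() in wanted)
    if style == "rfc2307":
        uid = user.values("uid")[0]
        return sorted(g.values("cn")[0] for g in groups if uid in g.values("memberUid"))
    if style == "rfc2307bis":
        user_dn = user.dn.lower()
        return sorted(g.values("cn")[0] for g in groups
                      if user_dn in (m.lower() for m in g.values("member")))
    raise ValueError(f"unknown membership style: {style}")


def authorize(user, groups, style, allowed_groups):
    """Fail closed: a bind that resolves to zero groups grants no access.

    Hypothetical helper for the example; it is not how pfSense decides.
    """
    found = groups_for_user(user, groups, style)
    if not found:
        return False
    return any(g in allowed_groups for g in found)


if __name__ == "__main__":
    print(groups_for_user(USER, [GROUP_RFC2307], "rfc2307"))       # ['testgroup']
    print(groups_for_user(USER, [GROUP_RFC2307], "rfc2307bis"))    # []  wrong style
    print(groups_for_user(USER, [GROUP_RFC2307BIS], "rfc2307bis")) # ['testgroup']
    print(authorize(USER, [GROUP_RFC2307], "rfc2307bis", {"testgroup"}))  # False
```

Running it shows the mismatch the thread keeps hitting: the same user and group resolve correctly only when the query style matches the schema the server uses, and the fail-closed check treats a zero-match group search as "not authorized" rather than "no restriction".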