LDAP MemberOf issue (v2.1.5)
  • Hi all,

    I'm running into a problem that I've never seen before with pfSense. A month or so ago I set up a new firewall at a location, and the intent was to get them going on a RoadWarrior IPSec+XAuth configuration with AD being used as the directory in the back end via LDAP. I use Shrewsoft VPN Client and I've gotten pretty good at doing these and getting them to work reliably, until this one.

    The firewall is a physical server running pfSense 2.1.5 x64. The specific hardware is a Dell PowerEdge R210 with (2) 120 GB solid state drives and 8 GB of RAM.

    The issue: The only user that can successfully VPN in is Administrator.

    What I've done to troubleshoot the problem:

    • I've verified that all of my LDAP pathways are correct.

    • I've verified that the bind username and password belong to a working account with no administrative privileges, i.e. it's a domain user account dedicated to this purpose.

    • Under System > User Manager > Groups I have created a VPN Users group. There are no members, but the privileges are set to allow the following: User - VPN - IPsec xauth Dialin, User - VPN - L2TP Dialin, User - VPN - PPPOE Dialin, and User - VPN - PPTP Dialin.

    • I can go to Diagnostics -> Authentication and authenticate as Administrator. It returns that "User: administrator authenticated successfully. This user is a member of these groups: VPN Users"

    • Under System > User Manager > Servers > ServerName > In the Authentication containers section, I can Select OUs from Active Directory. (Thus my base DN and bind user works).

    • If I try any other user with the Extended Query MemberOf statement in place, I get an "Authentication Failed" from Diagnostics > Authentication.

    • If I remove the Extended Query/MemberOf statement, for Administrator I get the following: "User: Administrator authenticated successfully. This user is a member of these groups: VPN Users", but for username I get this: "User: username authenticated successfully. This user is a member of these groups:" but that user is a member of the "VPN Users" group in Active Directory and has been for days.

    • I installed the System Patches Package, added the LDAP Debug option, and captured the attached log files.

    Can anyone see a problem that I'm missing?

    I'm hesitant to upgrade to v2.2.x because we ran into problems with RoadWarrior VPN configurations with this version in the past. 2.1.5 was the latest stable one that seemed to work for us.

    Thanks in advance!
    ldap_as_administrator.txt
    ldap_as_brian.txt



  • As usual, I just needed to type out a forum post to solve my own problem. Here's the solution:

    If you are running Windows Server 2012 (and possibly Windows Server 2008) with Active Directory, your bind user MUST be a member of at least the Domain Admins group. If it is not, then it will not be able to access any of the groups a person is a member of.

    So now we all know.



  • @anomaly0617:

    If you are running Windows Server 2012 (and possibly Windows Server 2008) with Active Directory, your bind user MUST be a member of at least the Domain Admins group. If it is not, then it will not be able to access any of the groups a person is a member of.

    I have the same problem, but adding the bind user to the domain admins group did not make his "Router Admins" group membership visible to pfSense. The list of groups is still blank. Another thing that makes me wonder if this is true is the fact that I use the same bind user for the Azure sync client. It can see the groups just fine. There must be something else ….



  • @cdonner:

    I have the same problem, but adding the bind user to the domain admins group did not make his "Router Admins" group membership visible to pfSense. The list of groups is still blank. Another thing that makes me wonder if this is true is the fact that I use the same bind user for the Azure sync client. It can see the groups just fine. There must be something else ….

    I also encountered this issue. I was able to resolve this by changing the Search scope - Level: value (Under System => User Manager => Servers => LDAP Server Settings => Edit or Create LDAP server) from "One Level" to "Entire Subtree".
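    To make the search-scope fix above concrete, here is an added, offline model (not pfSense code, not from any poster) of the lookup pfSense performs at login: a base DN, a scope of "One Level" or "Entire Subtree", and the memberOf extended query from the thread. The directory, DNs and group names are constructed; the user "brian" sits one OU below the base DN, so "One Level" never finds him and his group list comes back empty, while "Entire Subtree" does.

```python
"""Constructed model of an LDAP user lookup under two search scopes.

Assumptions (not from pfSense): a base DN, a user entry one OU below it,
and an extended query given as the group DN that memberOf must contain.
"""

# Constructed directory: Administrator is a direct child of the base DN,
# brian lives one OU deeper (OU=Sales under OU=Staff).
BASE_DN = "OU=Staff,DC=example,DC=local"
VPN_GROUP_DN = "CN=VPN Users,OU=Groups,DC=example,DC=local"

DIRECTORY = [
    {"dn": "CN=Administrator,OU=Staff,DC=example,DC=local",
     "sAMAccountName": "administrator", "memberOf": [VPN_GROUP_DN]},
    {"dn": "CN=Brian,OU=Sales,OU=Staff,DC=example,DC=local",
     "sAMAccountName": "brian", "memberOf": [VPN_GROUP_DN]},
]


def _parent(dn):
    """Parent DN: everything after the first RDN (no escaped commas here)."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def in_scope(entry_dn, base_dn, scope):
    """LDAP scopes: 'onelevel' = direct children of base_dn only;
    'subtree' = base_dn itself and every descendant."""
    entry, base = entry_dn.lower(), base_dn.lower()
    if scope == "onelevel":
        return _parent(entry_dn).lower() == base
    if scope == "subtree":
        return entry == base or entry.endswith("," + base)
    raise ValueError("unknown scope: %s" % scope)


def search(username, scope, extended_query=None):
    """Emulate (&(sAMAccountName=<user>)(memberOf=<group>)) under a scope.
    Returns the entry, or None when nothing matches (pfSense then reports
    'Authentication Failed' when an extended query is in place)."""
    for e in DIRECTORY:
        if not in_scope(e["dn"], BASE_DN, scope):
            continue
        if e["sAMAccountName"].lower() != username.lower():
            continue
        if extended_query and extended_query not in e["memberOf"]:
            continue
        return e
    return None


def groups_for(username, scope):
    """Group CNs reported for the user; [] when the entry is out of scope."""
    e = search(username, scope)
    return [g.split(",")[0][3:] for g in e["memberOf"]] if e else []
```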



  • @PJ2:

    I also encountered this issue. I was able to resolve this by changing the Search scope - Level: value (Under System => User Manager => Servers => LDAP Server Settings => Edit or Create LDAP server) from "One Level" to "Entire Subtree".

    Fantastic, thanks - you are my hero.
    For the record, I removed the Domain Admin group membership from the bind user account. It still works.
