Netgate Discussion Forum

LDAP authentication doesn't work?

General pfSense Questions (8 posts, 3 posters, 3.6k views)
    peske, last edited May 7, 2016, 8:58 PM (posted May 7, 2016, 8:44 PM)

    First, I should say that I've spent a lot of time searching for the solution on your forum and the Internet, but no luck…

    I'm using pfSense 2.2.6 RELEASE. I've set up LDAP authentication (talking to Windows AD), and I'm using it successfully for OpenVPN server authentication. But no matter what I try, I'm unable to use it for web configurator authentication. With bad users I'm getting (of course) a "wrong username / password" kind of message, but with valid domain accounts I'm constantly getting a "201" page with the message: "No page assigned to this user! Click here to logout."

    In my original setup I created groups in the web configurator with the same names as the AD groups, and assigned the "WebCfg - All pages" and "User - System - SSH tunneling" privileges. When testing the authentication (Diagnostics -> Authentication), the username/password is accepted, but the "user is member of" list is empty (although in reality the user is a valid member). I thought that the problem was in pairing AD groups with pfSense groups, so I spent a lot of time trying to resolve the issue (trying with all-lowercase groups, no-whitespace groups, etc.) - no luck.

    It is important to say that I've tested the LDAP server with a third-party LDAP browser app, and everything works well. The domain controller returns all the groups the user is a member of. I've also double-checked all attributes (on the LDAP Server Settings page), and all are correct.

    Finally I decided to go with a workaround in which the LDAP connection is limited to a single group (by using "Extended Query"), and assigned the mentioned permissions to the "All users" pfSense group. (Yep, I know that this opens a significant security hole, but...) Anyway, I finally did this and I got the "No page assigned..." message again! I've even tried rebooting the appliance - no luck.

    So is there any advice regarding this? Am I missing something? Can anyone confirm that LDAP authentication actually works?

    Thanks!

    Btw, a few log lines that may be useful (these lines are repeated over and over):
    php-fpm[245]: /index.php: User logged out for user 'Administrator' from: 10.1.1.2
    php-fpm[245]: /index.php: ERROR! Either LDAP search failed, or multiple users were found.

      peske, last edited May 7, 2016, 9:31 PM

      Some additional info:

      • The logs provided in the original post are misleading, because I've found that the ERROR happens when I log in with the built-in account ("admin"). Of course the LDAP search fails then.

      • Just tested, and I get the exact same problem with pfSense 2.3 as well.

        cmb, last edited May 7, 2016, 10:34 PM

        It works fine. You have to define a group in User Manager matching the AD group name with permissions as desired.

          peske, last edited May 8, 2016, 6:18 AM

          Thanks for the answer, but please see the question again. As you can see in my original question, this was my original setup. I had a "Gateway Admins" group in AD, and created the same in the User Manager in pfSense. Permissions were assigned properly.

          But aside from that, can you please tell me how "no page…" can happen when I've assigned privileges to "All users"??

            jswope, last edited May 8, 2016, 8:11 PM

            Use this guide:

            https://forum.pfsense.org/index.php?topic=44689.0

            It works 100% for user auth.

            Create a group in AD like "pfsense admins" and add the user you are using for the pfSense AD auth to that group.

            If you still have issues, message me and we can do a remote session or phone call.

              peske, last edited May 9, 2016, 6:29 PM

              @jswope - THANK YOU!

              It helped! Just as info for other users that may experience the same problem: in my case the problem was in "Search scope - Level". With "One Level" selected it does not work, but when I changed it (thanks to jswope) to "Entire Subtree", everything worked well.

              Btw, one more question for you, jswope: on the page you referenced, a bunch of permissions are assigned to the group, "WebCfg - All Pages" among others. Isn't this redundant? I thought that "WebCfg - All Pages" covers everything (the default "admin" user has only this permission assigned).

              Thanks man!

                jswope, last edited May 10, 2016, 1:17 AM
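The fix peske describes (the bind and search work, but the user is only found with "Entire Subtree") comes down to LDAP search scope: a "One Level" search from the base DN only returns direct children of that DN, so a user sitting in a nested OU is never returned, and pfSense then has no single user entry to work with. The following is an added example, not code from the thread or from pfSense; it models the three LDAP scopes over a constructed AD-like tree (the domain, OU and account names are made up) and mimics pfSense's "exactly one user" requirement using the error string from the log line above.

```python
# Added example (not from the thread or pfSense): a model of LDAP search
# scope, showing why a "One Level" search from the base DN misses a user in
# a nested OU while "Entire Subtree" finds it. The directory is constructed.
from typing import Dict, List, Optional, Tuple

# Constructed AD-like tree: DN -> attributes. Not a real domain.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "DC=corp,DC=example": {"objectClass": ["domain"]},
    "OU=Users,DC=corp,DC=example": {"objectClass": ["organizationalUnit"]},
    "OU=Network,OU=Users,DC=corp,DC=example": {"objectClass": ["organizationalUnit"]},
    "CN=svc-pfsense,OU=Users,DC=corp,DC=example": {
        "objectClass": ["user"], "sAMAccountName": ["svc-pfsense"], "memberOf": []},
    "CN=peske,OU=Network,OU=Users,DC=corp,DC=example": {
        "objectClass": ["user"], "sAMAccountName": ["peske"],
        "memberOf": ["CN=Gateway Admins,OU=Groups,DC=corp,DC=example"]},
}

def parent_dn(dn: str) -> str:
    """Strip the leftmost RDN (RDN values in this sample contain no commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def in_scope(dn: str, base: str, scope: str) -> bool:
    """LDAP scope semantics: base = only the base entry, one = direct
    children only, subtree = the base entry and every descendant."""
    dn, base = dn.lower(), base.lower()   # DNs compare case-insensitively
    if scope == "base":
        return dn == base
    if scope == "one":
        return parent_dn(dn) == base
    if scope == "subtree":
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unknown scope {scope!r}")

def search(base: str, scope: str, attr: str, value: str) -> List[str]:
    """Return the DNs under base/scope whose attribute contains value."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope) and value in attrs.get(attr, [])]

def pfsense_lookup(base: str, scope: str, user: str) -> Tuple[Optional[str], Optional[str]]:
    """Modelled after pfSense's behaviour: exactly one entry must match the
    login name, otherwise the error from the thread's log line is raised."""
    hits = search(base, scope, "sAMAccountName", user)
    if len(hits) != 1:
        return None, "ERROR! Either LDAP search failed, or multiple users were found."
    return hits[0], None

def group_names(dn: str) -> List[str]:
    """CN values of memberOf; pfSense matches these against its local group names."""
    return [m.split(",", 1)[0].split("=", 1)[1] for m in DIRECTORY[dn].get("memberOf", [])]
```

With base "OU=Users,DC=corp,DC=example", the "one" scope finds svc-pfsense (a direct child) but not peske (one OU deeper); "subtree" finds both, and the memberOf CNs are what pfSense compares with its local group names.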

                Assign the permissions that you want that user to have, e.g.:

                IT dept: All pages

                IT intern: only the IPsec page

                  jswope, last edited May 10, 2016, 1:19 AM

                  @peske:

                  @jswope - THANK YOU!

                  It helped! Just as info for other users that may experience the same problem: in my case the problem was in "Search scope - Level". With "One Level" selected it does not work, but when I changed it (thanks to jswope) to "Entire Subtree", everything worked well.

                  Btw, one more question for you, jswope: on the page you referenced, a bunch of permissions are assigned to the group, "WebCfg - All Pages" among others. Isn't this redundant? I thought that "WebCfg - All Pages" covers everything (the default "admin" user has only this permission assigned).

                  Thanks man!

                  You are correct. "All Pages" is all pages in the pfSense GUI.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.