BUG? - Users don't get any group membership when using openLDAP + memberOf

[wipajiwak]

Hi everyone,

We're using 18.1.7 in a production environment and we're trying to make it work with our current openLDAP deployment (which works fine with many other software appliances).

Port: 636
Transport: SSL - Encrypted
Protocol version: 3
Search scope: Entire subtree
Authentication containers: ou=Users,dc=redacted,dc=redacted
Extended query: <empty>
User Naming Attribute: uid

Authentication works, since I can see the user binding, but it's not getting group membership correctly.

I have a group called fw-admins on both opnSense and openLDAP, with a few users inside. The member list is correctly obtained by Atlassian Crowd, so I guess we can safely assume there's nothing wrong with the group itself.

I can't find any option to enable LDAP debugging in opnSense. I suspect there's something wrong with the Group membership attribute, but it seems like there's no option provided to supply a custom value for it.

Any help please?

Thanks!

[mimugmail]

Shouldn't the extended query not something like (&memberof(fw-admins))?

[wipajiwak]

Shouldn't the extended query not something like (&memberof(fw-admins))?

Tried that as well, if I do it stops authenticating users altogether :(
In my case it would be: (memberOf=cn=fw-admins,ou=Groups,dc=redacted,dc=redacted)

It works in ApacheDS, though, so I assume the filter is written correctly (I use similar filters for other pieces of software and they work fine)

By the way in theory that should only filter out which users are available to opnSense, by leaving it empty I'll just allow it to use every user it can find laying around - the major issue here is that it's not getting group membership for users at all  :-\

[mimugmail]

Have you tried plaintext and checked the Response with tcpdump?