Author Topic: BUG? - Users don't get any group membership when using openLDAP + memberOf  (Read 2056 times)

wipajiwak

BUG? - Users don't get any group membership when using openLDAP + memberOf
« on: May 14, 2018, 11:47:47 am »
Hi everyone,

We're using 18.1.7 in a production environment and we're trying to make it work with our current openLDAP deployment (which works fine with many other software appliances).

Port: 636
Transport: SSL - Encrypted
Protocol version: 3
Search scope: Entire subtree
Authentication containers: ou=Users,dc=redacted,dc=redacted
Extended query: <empty>
User Naming Attribute: uid

Authentication works, since I can see the user binding, but it's not getting group membership correctly.

I have a group called fw-admins on both opnSense and openLDAP, with a few users inside. The member list is correctly obtained by Atlassian Crowd, so I guess we can safely assume there's nothing wrong with the group itself.

I can't find any option to enable LDAP debugging in opnSense. I suspect there's something wrong with the Group membership attribute, but it seems like there's no option provided to supply a custom value for it.

Any help please?

Thanks!

mimugmail

Re: BUG? - Users don't get any group membership when using openLDAP + memberOf
« Reply #1 on: May 14, 2018, 01:56:37 pm »
Shouldn't the extended query be something like (&memberof(fw-admins))?
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

wipajiwak

Re: BUG? - Users don't get any group membership when using openLDAP + memberOf
« Reply #2 on: May 14, 2018, 02:29:45 pm »
Quote from: mimugmail on May 14, 2018, 01:56:37 pm
Shouldn't the extended query be something like (&memberof(fw-admins))?
Tried that as well; if I do, it stops authenticating users altogether :(
In my case it would be: (memberOf=cn=fw-admins,ou=Groups,dc=redacted,dc=redacted)

It works in ApacheDS, though, so I assume the filter is written correctly (I use similar filters for other pieces of software and they work fine).

By the way, in theory that should only filter which users are available to opnSense; by leaving it empty I just allow it to use every user it can find lying around. The major issue here is that it's not getting group membership for users at all :-\
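The two things this thread turns on are the syntax of the extended query and how a user's memberOf values get mapped onto groups defined on the firewall. The following is an added example, not OPNsense code and not code from either poster: it checks an LDAP filter for RFC 4515 well-formedness, parses group DNs, and reports why a constructed user entry did or did not receive local groups. It assumes that the appliance matches the leading cn of each memberOf DN against its own group names (an assumption about OPNsense's behaviour, not taken from the thread), and all DNs, entries and the dc=example,dc=com suffix are constructed sample data. One caveat worth knowing when reading the output: in OpenLDAP, memberOf is an operational attribute supplied by the memberof overlay, so a search only returns it when the client asks for it explicitly.

```python
"""
Added example (not OPNsense code): check that an LDAP extended-query filter is
well-formed and map a user's memberOf values onto locally defined group names.
All entries, DNs and group names below are constructed sample data.
"""
import re
from typing import Dict, List, Set, Tuple

# attribute type, one comparison operator, then a value that contains no parentheses
_LEAF = re.compile(r"([A-Za-z][A-Za-z0-9;.-]*)(=|~=|>=|<=)([^()]*)")


def filter_is_well_formed(flt: str) -> bool:
    """Minimal RFC 4515 syntax check: every element is parenthesised, '&'/'|'
    wrap one or more sub-filters, '!' wraps exactly one, leaves are (attr=value).
    Only syntax is checked, not whether the attribute exists in the schema."""
    pos = 0

    def parse() -> None:
        nonlocal pos
        if pos >= len(flt) or flt[pos] != "(":
            raise ValueError("expected '('")
        pos += 1
        if pos >= len(flt):
            raise ValueError("truncated filter")
        op = flt[pos]
        if op in "&|":
            pos += 1
            count = 0
            while pos < len(flt) and flt[pos] == "(":
                parse()
                count += 1
            if count == 0:  # e.g. "(&memberof(...))": '&' followed by bare text
                raise ValueError("AND/OR needs at least one sub-filter")
        elif op == "!":
            pos += 1
            parse()
        else:
            m = _LEAF.match(flt, pos)
            if not m:
                raise ValueError("bad comparison")
            pos = m.end()
        if pos >= len(flt) or flt[pos] != ")":
            raise ValueError("expected ')'")
        pos += 1

    try:
        parse()
    except ValueError:
        return False
    return pos == len(flt)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes so an
    escaped comma inside a value does not start a new RDN. Multi-valued RDNs
    joined with '+' are not handled."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def effective_groups(entry: Dict[str, List[str]], local_groups: Set[str],
                     member_attr: str = "memberOf") -> Set[str]:
    """Local groups whose name equals the leading cn of a DN in the user's
    membership attribute. Attribute types compare case-insensitively, as LDAP
    attribute names do; the group name comparison is exact."""
    values: List[str] = []
    for attr, vals in entry.items():
        if attr.lower() == member_attr.lower():
            values = vals
    matched = set()
    for dn in values:
        try:
            attr, value = parse_dn(dn)[0]
        except ValueError:
            continue  # skip malformed DNs rather than failing the whole lookup
        if attr == "cn" and value in local_groups:
            matched.add(value)
    return matched


def diagnose(entry: Dict[str, List[str]], local_groups: Set[str],
             member_attr: str = "memberOf") -> str:
    """One-line explanation of why a user did or did not receive groups."""
    if not any(a.lower() == member_attr.lower() for a in entry):
        return (f"{member_attr} absent from entry: in OpenLDAP it is an operational "
                "attribute from the memberof overlay and is only returned when "
                "requested explicitly in the search")
    groups = effective_groups(entry, local_groups, member_attr)
    if not groups:
        return f"{member_attr} present but no cn matches a local group name"
    return "matched local groups: " + ", ".join(sorted(groups))


# Constructed sample data, not real directory content
USER_WITH_MEMBEROF = {
    "uid": ["jdoe"],
    "memberOf": ["cn=fw-admins,ou=Groups,dc=example,dc=com",
                 "cn=vpn-users,ou=Groups,dc=example,dc=com"],
}
USER_WITHOUT_MEMBEROF = {"uid": ["jdoe"]}  # result of a search that did not request memberOf
LOCAL_GROUPS = {"fw-admins", "admins"}

if __name__ == "__main__":
    for f in ("(&memberof(fw-admins))",
              "(memberOf=cn=fw-admins,ou=Groups,dc=example,dc=com)"):
        print(f"{f!r}: {'well-formed' if filter_is_well_formed(f) else 'MALFORMED'}")
    print(diagnose(USER_WITH_MEMBEROF, LOCAL_GROUPS))
    print(diagnose(USER_WITHOUT_MEMBEROF, LOCAL_GROUPS))
```

Run stand-alone, the script flags the first filter as malformed and the second as well-formed, then shows the difference between an entry that carries memberOf (one group matched) and one that does not (attribute never returned), which is the distinction to establish before suspecting the group definition itself.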

mimugmail

Re: BUG? - Users don't get any group membership when using openLDAP + memberOf
« Reply #3 on: May 14, 2018, 04:46:44 pm »
Have you tried plaintext and checked the response with tcpdump?

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved