OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: opn_support on July 05, 2021, 09:12:52 PM

Title: User removed from group after LDAP login
Post by: opn_support on July 05, 2021, 09:12:52 PM
I'm trying to log in with an LDAP user, but every time I want to log in the user is removed from the admin group.

I first add the LDAP user to see "memberof_group".
Then I try to log in with the LDAP username and password; when I press login everything is cleared and I don't see an error message, see "login_no_error".
When I check the LDAP user it's removed from the group, see "removed_from_group".

When I put the user back in the group and try to log in with a wrong password, I get an expected login error, see "login_error", and the user isn't removed from the group.

Looks like there is some bug or configuration error that removes my LDAP user from the group if I try to log in. How do I solve this?
Title: Re: User removed from group after LDAP login
Post by: mimugmail on July 06, 2021, 07:24:34 AM
You have sync groups in the LDAP config enabled, but the group names differ.
Title: Re: User removed from group after LDAP login
Post by: Fright on July 06, 2021, 10:04:54 AM
In addition to what @mimugmail said: you can see the "User: policy change for * unlink group *" string in the log.
Title: Re: User removed from group after LDAP login
Post by: opn_support on July 07, 2021, 09:19:54 PM
Looks like creating a group with the same name as the AD group and then manually adding the user to that group fixes the problem.

I would expect that the AD group is synced automatically with the internal group. Do I really need to manually add all users again?

Title: Re: User removed from group after LDAP login
Post by: Fright on July 07, 2021, 09:36:48 PM
"do I really need to manually add all users again?"
No. The user will be added to that group on next logon.
Title: Re: User removed from group after LDAP login
Post by: opn_support on July 07, 2021, 11:57:49 PM
For some reason the sync is not functioning, only when I add them manually.
Title: Re: User removed from group after LDAP login
Post by: Fright on July 08, 2021, 03:17:09 PM
Please clarify: that is, when you add a user to the LDAP group with the same name as the local group (and after replication, if necessary), the user is not automatically added to the corresponding local group when entering the GUI? But (at the same time) after manually adding to the local group and entering the GUI, it is not removed from this group?
Title: Re: User removed from group after LDAP login
Post by: opn_support on July 29, 2021, 12:22:31 AM
Yes, correct. Looks like the sync between the AD and OPNsense groups is not functioning, but the test went fine.

(FYI currently I'm running version 21.7, same behavior, but I cannot update the post ;-))
Title: Re: User removed from group after LDAP login
Post by: Fright on July 29, 2021, 06:48:44 PM
Hm.. any chance that "Limit groups" in the LDAP server settings is not empty and does not include sg-vpnusers?
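The three replies above describe one mechanism: on login, the group sync compares the user's LDAP memberOf groups with local groups by name, unlinks local groups that have no LDAP counterpart (the "unlink group" log line), and only considers LDAP groups allowed by "Limit groups". The following simulation is an added example, not code from this thread or from OPNsense; the function name sync_groups, the data model and the log format (loosely modelled on the string quoted above) are assumptions used to show why a renamed or filtered group gets the user removed.

```python
"""Simulation of an LDAP "sync groups" step at GUI login.

Added example for this thread; NOT OPNsense's own code. The reconciliation
rule below (local membership is replaced by the LDAP groups that match a local
group name and pass the limit filter) is an assumption about how such a sync
behaves, chosen to reproduce the symptoms described in the thread.
"""

from dataclasses import dataclass, field


@dataclass
class LocalUser:
    """A local firewall account with the names of its local groups."""
    name: str
    groups: set = field(default_factory=set)


def sync_groups(user, ldap_member_of, local_groups, limit_groups=None, log=None):
    """Reconcile a user's local group membership with LDAP memberOf.

    ldap_member_of: group CNs the directory reports for this user
    local_groups:   names of groups that exist locally
    limit_groups:   if non-empty, only these LDAP groups are considered
    log:            optional list that receives constructed log lines
    Returns (added, removed) as sets of group names.
    """
    log = log if log is not None else []
    candidates = set(ldap_member_of)
    if limit_groups:
        # "Limit groups" acts as an allow-list on the directory side.
        candidates &= set(limit_groups)
    # Only LDAP groups whose name exactly matches a local group survive.
    target = candidates & set(local_groups)
    added = target - user.groups
    removed = user.groups - target
    for g in sorted(added):
        log.append(f"User: policy change for {user.name} link group {g}")  # constructed
    for g in sorted(removed):
        log.append(f"User: policy change for {user.name} unlink group {g}")  # constructed
    user.groups = target
    return added, removed


def run_scenarios():
    """Three logins with constructed data; returns (added, removed, final) per case."""
    results = {}

    # 1. Name mismatch: local group "admins", AD group "sg-admins".
    #    The user is unlinked from "admins" on login, exactly the thread's symptom.
    u = LocalUser("alice", {"admins"})
    log = []
    added, removed = sync_groups(u, ["sg-admins"], {"admins"}, log=log)
    results["mismatch"] = (sorted(added), sorted(removed), sorted(u.groups))
    results["mismatch_log"] = log

    # 2. Local group created with the same name as the AD group:
    #    the user is linked automatically on the next logon.
    u = LocalUser("alice", set())
    added, removed = sync_groups(u, ["sg-admins"], {"admins", "sg-admins"})
    results["match"] = (sorted(added), sorted(removed), sorted(u.groups))

    # 3. "Limit groups" set but not including sg-vpnusers: even with matching
    #    names the user loses that group, which is why Fright asked about it.
    u = LocalUser("bob", {"sg-vpnusers"})
    added, removed = sync_groups(
        u, ["sg-vpnusers", "sg-admins"], {"sg-vpnusers", "sg-admins"},
        limit_groups={"sg-admins"},
    )
    results["limited"] = (sorted(added), sorted(removed), sorted(u.groups))
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

Under this model a local group only keeps the user after login if an LDAP group with the identical name exists and is allowed by the limit filter; a group created with the AD group's exact name is re-linked on the next logon without manual membership edits, while any extra local group the directory does not know about is dropped, which matches the "unlink group" entries in the log.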
Title: Re: User removed from group after LDAP login
Post by: opn_support on August 02, 2021, 07:54:47 PM
Hello,

Limit groups has the value "Nothing selected", so as far as I know all groups are allowed.
Title: Re: User removed from group after LDAP login
Post by: Fright on August 06, 2021, 05:00:55 PM
Sorry then, can't help.
I see no reason for this behavior in the code and cannot reproduce it on my machines (