OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Douglas Fischer on July 21, 2017, 10:17:53 pm

Title: Access Servers - Groups Scope Remote
Post by: Douglas Fischer on July 21, 2017, 10:17:53 pm
I have LDAP (Active Directory) and RADIUS (NPS) configured on my OPNsense 17.1.10-amd64.

On System -> Access -> Tester I receive an "authenticated successfully".
But I don't receive any groups in any test, RADIUS or LDAP.

- I have a group in AD and I'm in it
- I have a group configured in OPNsense with exactly the same name as the Active Directory group.
- In RADIUS (NPS) I added the "Class" attribute to be delivered by the policy matching my group, and the string is exactly the same as the group name in OPNsense.
- I tried tests using the "administrator" of my domain in the DN of the LDAP server configuration...

Looks like OPNsense is ignoring the groups that RADIUS and LDAP are telling it.
The behavior is the same 

For the record:
I'm making an effort to migrate from pfSense to OPNsense on several sites.
So I have two VMs to do the "PF vs OPN" comparison, and anything that is needed is equivalent on both servers.

And the groups are working as expected on pfSense.

Any Suggestions?
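The NPS policy described in this post returns the group name in the RADIUS Class attribute. The following is an added example, not code from OPNsense, pfSense or the forum, showing what a RADIUS client has to do with such an Access-Accept before it can use that value: verify the Response Authenticator (RFC 2865, section 3: MD5 over code, identifier, length, the Request Authenticator it sent, the attributes and the shared secret) so a forged or mis-secreted reply is discarded rather than treated as a valid Accept, then read out every Class value and match it against locally defined group names by exact string, which is the mapping the poster expects. The shared secret, Request Authenticator, user name and group names are constructed sample values. One caveat: RFC 2865 defines Class as opaque to the client, to be echoed back in accounting; carrying group names in it is a convention, so the contents are untrusted text and only exact matches against a local allow-list are honoured.

```python
"""Verify a RADIUS Access-Accept and map its Class attributes onto local groups (added example)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CLASS = 1, 25          # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")              # Code, Identifier, Length; a 16-byte Authenticator follows


def pack_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_accept(ident, request_authenticator, secret, attrs):
    """What a RADIUS server such as NPS sends back. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = pack_attrs(attrs)
    header = HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(body):
    """Walk the TLVs, refusing lengths that run past the packet or are below the minimum of 3."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 3 or i + attr_len > len(body):
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, body[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def verify_response(packet, request_authenticator, secret):
    """Check the Response Authenticator before trusting anything in the packet. The client
    keeps the Request Authenticator of its own Access-Request; a reply whose MAC does not
    check out (wrong secret, altered attributes) is discarded, not treated as a Reject."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code, ident, parse_attrs(body)


def is_authentic(packet, request_authenticator, secret):
    try:
        verify_response(packet, request_authenticator, secret)
        return True
    except ValueError:
        return False


def class_values(attrs):
    """All Class attributes as text; a server may send several."""
    return [v.decode("utf-8", errors="replace") for t, v in attrs if t == ATTR_CLASS]


def groups_from_accept(packet, request_authenticator, secret, local_groups):
    """Keep only Class values that exactly name a locally defined group.
    Returns None unless the packet is a verified Access-Accept."""
    code, _, attrs = verify_response(packet, request_authenticator, secret)
    if code != ACCESS_ACCEPT:
        return None
    return [g for g in class_values(attrs) if g in local_groups]


# Constructed sample values, not real: the secret and Request Authenticator a client would
# have kept from its own Access-Request, the local group list, and the server's reply.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
LOCAL_GROUPS = {"Firewall Admins", "Helpdesk"}
SAMPLE_ACCEPT = build_access_accept(
    ident=0x2A,
    request_authenticator=REQUEST_AUTHENTICATOR,
    secret=SHARED_SECRET,
    attrs=[(ATTR_USER_NAME, b"dfischer"),
           (ATTR_CLASS, b"Firewall Admins"),
           (ATTR_CLASS, b"Not A Local Group")],
)

if __name__ == "__main__":
    print(groups_from_accept(SAMPLE_ACCEPT, REQUEST_AUTHENTICATOR, SHARED_SECRET, LOCAL_GROUPS))
```

The MD5-based Response Authenticator only ties the reply to the secret and to the request; it is not a replay defence, and a client that also sent Message-Authenticator (attribute 80) should check that too. Flipping a single byte of the sample reply, or using a different secret, makes `verify_response` raise instead of returning a group list.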
Title: Re: Access Servers - Groups Scope Remote
Post by: Douglas Fischer on July 21, 2017, 10:28:44 pm
TestAuthentication_OPNSense-noGroup
https://imagebin.ca/v/3UAhOMFK9pJP
(https://ibin.co/3UAhOMFK9pJP.png)

TestAuthentication_PFSense-WithGroup
https://imagebin.ca/v/3UAhsKZHAdPD
(https://ibin.co/3UAhsKZHAdPD.png)
Title: Re: Access Servers - Groups Scope Remote
Post by: AdSchellevis on July 22, 2017, 10:24:05 am
Hi Douglas,

We don't query LDAP for groups during our authentication process, to avoid cluttering the authentication/authorisation code.
At the moment you need to assign the groups manually in OPNsense (or use extended queries if you just want to provide access to a certain LDAP group).

To implement LDAP groups, there should be a periodic synchronisation to link the groups, so the auth system can use its own administration again. It's not planned at the moment, maybe later.

Best regards,

Ad
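The two options in Ad's reply differ in where the group check happens: with manual assignment every user who binds successfully is authenticated and gets only the groups configured locally, while an extended query ANDs an LDAP filter into the user search so that a user outside the group is not found and does not authenticate at all. The following added example, which is not OPNsense's code, models that second path against a constructed in-memory directory. It assumes the firewall composes the search as `(&(<user attribute>=<login>)(<extended query>))` with the Extended Query field holding `&(memberOf=<group DN>)`, that the user attribute is `sAMAccountName`, and that the group DN and the two directory entries are sample data. The login is escaped per RFC 4515 before it is spliced into the filter, so a login of `*` or one containing parentheses is matched literally rather than widening the search. The filter evaluator covers only the `&`, `|`, `!`, equality and presence forms needed here, not substring filters.

```python
"""Model of LDAP login restricted to one AD group via an 'extended query' (added example)."""
import re


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: *, (, ), \\ and NUL become \\xx.
    Non-ASCII characters would need their UTF-8 bytes escaped; omitted here."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_auth_filter(user_attr, username, extended_query=""):
    """Assumed composition of the user search: (&(<attr>=<escaped login>)(<extended query>)),
    or just the user match when no extended query is configured."""
    user_match = "(%s=%s)" % (user_attr, escape_filter_value(username))
    if not extended_query:
        return user_match
    return "(&%s(%s))" % (user_match, extended_query)


def parse_filter(s, i=0):
    """Recursive descent over the RFC 4515 subset used here: &, |, !, attr=value and
    presence (attr=*). Returns (node, index after the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    if s[i] == "!":
        child, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return ("!", [child]), i + 1
    end = s.index(")", i)                     # escaped values contain no raw ')'
    attr, _, raw = s[i:end].partition("=")    # split on the first '=', DNs contain more
    return ("=", attr, raw), end + 1


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":                            # presence filter; an escaped '\2a' stays a literal '*'
        return bool(values)
    wanted = unescape_filter_value(raw).lower()   # AD compares attribute values and DNs case-insensitively
    return any(v.lower() == wanted for v in values)


def search(entries, filter_string):
    node, end = parse_filter(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing data after filter")
    return [e for e in entries if evaluate(node, e)]


def login_allowed(entries, username, extended_query=""):
    """After a successful bind the user search must return exactly one entry for the login to proceed."""
    matches = search(entries, build_auth_filter("sAMAccountName", username, extended_query))
    return len(matches) == 1


# Constructed sample data, not a real directory.
GROUP_DN = "CN=Firewall Admins,OU=Groups,DC=example,DC=com"
EXTENDED_QUERY = "&(memberOf=%s)" % GROUP_DN   # assumed content of the Extended Query field
DIRECTORY = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "sAMAccountName": ["alice"], "memberOf": [GROUP_DN]},
    {"dn": "CN=bob,OU=Users,DC=example,DC=com", "sAMAccountName": ["bob"],
     "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
]

if __name__ == "__main__":
    for user in ("alice", "bob", "*"):
        print(user, "with extended query:", login_allowed(DIRECTORY, user, EXTENDED_QUERY),
              "without:", login_allowed(DIRECTORY, user))
```

With the extended query in place alice (a member of the group) logs in and bob does not; without it both do, and bob's authorisation then rests entirely on the groups assigned to him in OPNsense. A `memberOf` check of this kind only sees direct membership; nested AD groups need a different filter, which the model above does not attempt.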
Title: Re: Access Servers - Groups Scope Remote
Post by: Douglas Fischer on July 24, 2017, 09:08:34 pm
I completely understand the concern about cluttering!
My environment has more than 20K users and 7K groups...

I don't know the right place to make a suggestion, but here goes:

If the auth feature did group queries on every request for OPNsense resources, it could create clutter on the AD servers.
But if it did a second query for each specific resource, only if applicable (depending on the resource), it wouldn't overload the resources.