Topic: Access Servers - Groups Scope Remote (Read 5179 times)
Douglas Fischer
Access Servers - Groups Scope Remote
on: July 21, 2017, 10:17:53 pm
I have LDAP (Active Directory) and RADIUS (NPS) configured on my OPNsense 17.1.10-amd64.
On System -> Access -> Tester I receive an "authenticated successfully".
But I don't receive any groups in any test, RADIUS or LDAP.
- I have a group in AD and I'm in it.
- I have a group configured on OPNsense with exactly the same name as the Active Directory group.
- On RADIUS (NPS) I added the "Class" attribute to be delivered by the policy matching my group, and the string is exactly the same as the group name on OPNsense.
- I tried tests using the "administrator" of my domain in the DN of the LDAP server configuration...
It looks like OPNsense is ignoring the groups that RADIUS and LDAP are telling it.
The behavior is the same.
For the record:
I'm making some efforts to migrate from pfSense to OPNsense on several sites.
So I have two VMs to do the comparison "PF vs OPN", and anything that is needed is equivalent on both servers.
And the groups are working as expected on pfSense.
Any suggestions?
Douglas Fischer
Re: Access Servers - Groups Scope Remote
Reply #1 on: July 21, 2017, 10:28:44 pm
TestAuthentication_OPNSense-noGroup
https://imagebin.ca/v/3UAhOMFK9pJP
TestAuthentication_PFSense-WithGroup
https://imagebin.ca/v/3UAhsKZHAdPD
AdSchellevis
Administrator
Re: Access Servers - Groups Scope Remote
Reply #2 on: July 22, 2017, 10:24:05 am
Hi Douglas,
We don't query LDAP for groups during our authentication process, to avoid cluttering the authentication/authorisation code.
At the moment you need to assign the groups manually in OPNsense (or use extended queries if you just want to provide access to a certain LDAP group).
To implement LDAP groups, there should be a periodic synchronisation to link the groups, so the auth system can use its own administration again. It's not planned at the moment, maybe later.
Best regards,
Ad
Douglas Fischer
Re: Access Servers - Groups Scope Remote
Reply #3 on: July 24, 2017, 09:08:34 pm
I completely understand the concern about cluttering!
My environment has more than 20K users and 7K groups...
I don't know the right place to make a suggestion, but here goes:
If the auth feature queried groups on every request for OPNsense resources, it could create clutter on the AD servers.
But if it does a second query for each specific resource, only if applicable (depending on the resource), it wouldn't overload the resources.
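As an added illustration for readers of this thread (example code written here, not OPNsense code and not a description of what OPNsense actually implements), the following Python sketches the two mechanisms Ad's reply mentions: an "extended query" style LDAP filter that restricts login to members of one group, and a synchronisation step that links a user's `memberOf` values to locally configured groups by exact name, as Douglas expected. The directory entry, group names and attribute names are constructed; the filter escaping follows RFC 4515, which matters because a group or login name containing `*`, `(` or `)` must not be able to change what the filter matches.

```python
"""Illustrative group-linking logic for a directory-backed auth backend.

Constructed example, not OPNsense code. It shows:
  * building an "extended query" LDAP filter that only matches members of
    one group, with RFC 4515 escaping of the values placed in the filter;
  * mapping a user's memberOf values onto locally configured groups by
    exact (case-insensitive) CN match, the way a periodic sync job could.
"""
from typing import Dict, Iterable, List, Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login: str, group_dn: str, user_attr: str = "sAMAccountName") -> str:
    """Return a filter matching the user `login` only if it is a member of `group_dn`.

    Both values are escaped, so a login such as 'j*doe' cannot widen the match.
    `user_attr` is an assumed attribute name (Active Directory uses sAMAccountName).
    """
    return "(&({}={})(memberOf={}))".format(
        user_attr, escape_filter_value(login), escape_filter_value(group_dn)
    )


def first_rdn(dn: str) -> str:
    """Return the first RDN of a DN, honouring backslash-escaped commas."""
    out = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair as-is
            out.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def parse_cn(dn: str) -> Optional[str]:
    """Return the CN value of a DN whose first RDN is CN=..., else None."""
    attr, sep, value = first_rdn(dn).partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return value.strip()


def link_remote_groups(member_of: Iterable[str], local_groups: Iterable[str]) -> List[str]:
    """Return the local group names that exactly match a remote group CN.

    Active Directory compares CNs case-insensitively, so both sides are
    casefolded; the local spelling is what gets returned.
    """
    local: Dict[str, str] = {g.casefold(): g for g in local_groups}
    linked: List[str] = []
    for dn in member_of:
        cn = parse_cn(dn)
        if cn is not None and cn.casefold() in local:
            name = local[cn.casefold()]
            if name not in linked:
                linked.append(name)
    return linked


# Constructed sample data: one directory entry and the groups defined locally.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe",
    "memberOf": [
        "CN=FW Admins,OU=Groups,DC=example,DC=local",
        "CN=VPN Users,OU=Groups,DC=example,DC=local",
        "CN=Smith\\, John Reports,OU=Groups,DC=example,DC=local",
    ],
}
LOCAL_GROUPS = ["fw admins", "Auditors"]


if __name__ == "__main__":
    print(build_login_filter("j*doe", "CN=FW Admins,OU=Groups,DC=example,DC=local"))
    print(link_remote_groups(SAMPLE_ENTRY["memberOf"], LOCAL_GROUPS))
```

Running the module prints the escaped filter and `['fw admins']`: the remote "FW Admins" group is linked to the local group despite the case difference, while "VPN Users" is ignored because no local group of that name exists, which is the manual one-to-one assignment Ad describes.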