Topic: BUG? - Users don't get any group membership when using openLDAP + memberOf (Read 3594 times)
wipajiwak
Newbie
Posts: 2
Karma: 0
BUG? - Users don't get any group membership when using openLDAP + memberOf
on: May 14, 2018, 11:47:47 am
Hi everyone,
We're using 18.1.7 in a production environment and we're trying to make it work with our current OpenLDAP deployment (which works fine with many other software appliances).
Port: 636
Transport: SSL - Encrypted
Protocol version: 3
Search scope: Entire subtree
Authentication containers: ou=Users,dc=redacted,dc=redacted
Extended query: <empty>
User Naming Attribute: uid
Authentication works, since I can see the user binding, but it's not getting group membership correctly.
I have a group called fw-admins on both OPNsense and OpenLDAP, with a few users inside. The member list is correctly obtained by Atlassian Crowd, so I guess we can safely assume there's nothing wrong with the group itself.
I can't find any option to enable LDAP debugging in OPNsense. I suspect there's something wrong with the group membership attribute, but it seems like there's no option provided to supply a custom value for it.
Any help please?
Thanks!
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: BUG? - Users don't get any group membership when using openLDAP + memberOf
Reply #1 on: May 14, 2018, 01:56:37 pm
Shouldn't the extended query be something like (&memberof(fw-admins))?
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
wipajiwak
Newbie
Posts: 2
Karma: 0
Re: BUG? - Users don't get any group membership when using openLDAP + memberOf
Reply #2 on: May 14, 2018, 02:29:45 pm
Quote from: mimugmail on May 14, 2018, 01:56:37 pm
Shouldn't the extended query be something like (&memberof(fw-admins))?
Tried that as well; if I do, it stops authenticating users altogether.
In my case it would be: (memberOf=cn=fw-admins,ou=Groups,dc=redacted,dc=redacted)
It works in ApacheDS, though, so I assume the filter is written correctly (I use similar filters for other pieces of software and they work fine).
By the way, in theory that should only filter which users are available to OPNsense; by leaving it empty I'll just allow it to use every user it can find lying around. The major issue here is that it's not getting group membership for users at all.
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: BUG? - Users don't get any group membership when using openLDAP + memberOf
Reply #3 on: May 14, 2018, 04:46:44 pm
Have you tried plaintext and checked the Response with tcpdump?
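An added example, not code from this thread or from OPNsense, for checking reply #2's filter and reply #3's suggestion outside the appliance: a small POSIX shell script that escapes a login name per RFC 4515 before splicing it into a filter, builds the combined lookup that applying an extended query implies, and reduces the memberOf values ldapsearch returns for a user entry to group names. The host, base DNs, bind DN, interface name and the sample LDIF are assumptions or constructed data, and the exact way OPNsense 18.1 combines its user naming attribute with the extended query is also an assumption. The point it checks is the one Crowd's member list does not: whether the user entry itself carries memberOf, which OpenLDAP does not do on its own (the memberof overlay, or whatever maintains that attribute, has to populate it).

```shell
#!/bin/sh
# Added example, not taken from the thread or from OPNsense.
# Checks, outside the appliance, whether a user's entry actually carries memberOf
# and shows the filter handling that an extended query implies.
# Assumed values (replace with real ones): URI, base DN, bind DN, interface name.

LDAP_URI="ldaps://ldap.example.org:636"                 # assumed; thread uses SSL on 636
USER_BASE="ou=Users,dc=example,dc=org"                   # thread: ou=Users,dc=redacted,dc=redacted
BIND_DN="cn=opnsense,ou=Services,dc=example,dc=org"      # assumed service account

# RFC 4515 escaping for any value spliced into a search filter. Without it a
# login name such as 'x)(uid=*' rewrites the filter (LDAP filter injection).
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Lookup filter for a login. With an extended query set, the user filter and the
# query are ANDed (assumed to be how the appliance applies it). If the directory
# never returns memberOf, the AND matches no entry and every login fails, which
# is the "stops authenticating altogether" symptom from reply #2.
user_filter() {
    login=$(ldap_escape "$1")
    if [ -n "$2" ]; then
        printf '(&(uid=%s)%s)' "$login" "$2"
    else
        printf '(uid=%s)' "$login"
    fi
}

# Reduce ldapsearch LDIF on stdin to the group CNs named by memberOf values.
# Values with non-ASCII characters come back base64 encoded ("memberOf::") and
# are not decoded here; -o ldif-wrap=no below keeps each value on one line.
memberof_groups() {
    grep -i '^memberOf: ' | sed -e 's/^[Mm]ember[Oo]f: *cn=\([^,]*\),.*$/\1/'
}

# Live check against the directory: an empty result after a successful bind means
# the user entry carries no memberOf, which is a server-side matter (the memberof
# overlay, or whatever maintains that attribute), not the OPNsense configuration.
# Crowd reading the group's member list proves only the group side.
check_user_groups() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b "$USER_BASE" "$(user_filter "$1" "$2")" memberOf | memberof_groups
}

# Reply #3: plaintext capture so the SearchResultEntry can be read in Wireshark.
# Requires the appliance to use port 389 without TLS for the duration of the test.
capture_ldap() {
    tcpdump -i "${1:-em0}" -s 0 -w /tmp/ldap.pcap 'port 389'
}

# Constructed sample of ldapsearch output for a user whose entry carries memberOf
# (invented for the offline demo, not data from the thread).
SAMPLE_LDIF='dn: uid=alice,ou=Users,dc=example,dc=org
uid: alice
memberOf: cn=fw-admins,ou=Groups,dc=example,dc=org
memberOf: cn=vpn-users,ou=Groups,dc=example,dc=org
'

# Offline demonstration of the parsing step.
demo() {
    printf '%s' "$SAMPLE_LDIF" | memberof_groups
}
```

Run `check_user_groups alice` (optionally with the memberOf filter as the second argument) against the real directory from a host that can reach it: a correct bind plus an empty result means the server is not returning memberOf for the user, and no extended query on the OPNsense side can change that. For reply #3, temporarily point the appliance at port 389 with no encryption, run `capture_ldap em0` on a box that sees the traffic, and open the pcap in Wireshark, which decodes the LDAP SearchResultEntry so the attributes actually returned can be read.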