Feedback regarding LDAP Implementation

Started by kayson, October 20, 2021, 10:03:26 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 20, 2021, 10:03:26 PM
I've been using pfSense for a while and decided to check out OPNsense largely because of this issue, but also because I want to support the openness of OPNsense (hah!). So far most of the setup process has been painless, and there is a lot to love! LDAP, however, leaves a bit to be desired.

I'd like to demonstrate why by illustrating how easy and straightforward the setup is in pfSense:

  • Add LDAP Authentication Server
  • Add a Group with "Scope: Remote" whose name corresponds to an LDAP group (and you can have spaces!) and assign appropriate permissions
  • Configure administration acccess to use the LDAP server

That's it! There's no synchronization to the local database or user creation needed, nor should there be; LDAP should be the single source of truth for user information.

OPNSense's implementation is frustrating for a few reasons: group names can't have spaces, which means I have to not only change the group name in my directory, but also any other service that used that group for ACL (in my case, this was pfSense).

Synchronizing groups and importing users is clunky and unintuitive. It's also not consistent (importing via the users page shows the DN, but if you do automatic user creation, it does not). Finally, if a user is removed from LDAP, it is not removed from the synchronized local copy. The documentation notes that this feature is enabled in the business edition, but I'd point out that this is effectively how pfSense works in the community edition (no manual removal needed).

Setting it up was rather painful, and now I find myself considering sticking with pfSense, which has a broken DNS implementation, over using OPNsense.

The synchronization requirement (and group names not able to have spaces) suggests to me that LDAP is sort of an addon that creates local users/groups so it can leverage existing authentication code. I haven't had a chance to dig through the source yet, but I'm curious if there are any fundamental technical limitations that require the implementation to be this way. It would be fantastic if the support for LDAP were first class, meaning it does not have any dependence on local authentication, and does not require user creation or group synchronization.

If the team is interested in improving this, I'd be happy to contribute whether its the code itself, or if that's beyond my skills, sponsoring another developer to do so.
October 21, 2021, 06:48:26 AM #1
What when you want to use your group also for connecting OpenVPN, you cant create a certificate for export without a local user. Everyone has different needs, some would say a space in group name always produces errors.

Were you also on GitHub? There are some discussions about group sync right now
October 21, 2021, 06:59:59 AM #2
Quote from: mimugmail on October 21, 2021, 06:48:26 AM
What when you want to use your group also for connecting OpenVPN, you cant create a certificate for export without a local user. Everyone has different needs, some would say a space in group name always produces errors.

Were you also on GitHub? There are some discussions about group sync right now

I'm not familiar with the OpenVPN implementation, but there's no reason that certificate export limitations should prevent authentication and web gui access via LDAP directly, without requiring a local user copy. With respect to LDAP, there is no issues with spaces in a group name, so you could easily accommodate different requirements by using group scopes similar to pfSense.

I'm not suggesting that automatic import of users be removed, just that it not be required for authentication for LDAP.

Can you link me to the discussion on Github? I searched around but didn't find anything.
October 21, 2021, 08:01:58 AM #3
A bit older:
https://github.com/opnsense/core/issues/5116

I would suggest open a bug report for space in user group. Probably its just missing quotation or similar.

Then slowly start discussion about LDAP without group, I'm mit sure about the reason but usually there is one. And the facto that itcworks in pf might be because its badly integrated which is not accepted by devs here (maybe, just guessing)
October 21, 2021, 11:10:21 PM #4
AFAIK groups are synced to the local system and for that reason, they must comply with posix and FreeBSD requirements. If you would ask me it would be something quite new that whitespace characters would be allowed here.

@mimugmail have a look at the pw utility
October 22, 2021, 06:55:29 AM #5
Quote from: fabian on October 21, 2021, 11:10:21 PM
AFAIK groups are synced to the local system and for that reason, they must comply with posix and FreeBSD requirements. If you would ask me it would be something quite new that whitespace characters would be allowed here.

@mimugmail have a look at the pw utility

I think you're right. I recall seeing an old github issue where having a space in the group name would cause an error due to running a groupadd command.

What I'm thinking of proposing would be a totally separate construct, essentially just made to control permissions for LDAP users who don't have a local user copy.
October 22, 2021, 03:50:52 PM #6
Take a look at Ad's last comment here:

https://github.com/opnsense/core/issues/5295#issuecomment-948315582

There is a possibility that avoids dealing with the actual UNIX-based groups and their restrictions.


Cheers,
Franco
October 22, 2021, 08:16:46 PM #7
Thanks! Aliases would be interesting. I've also proposed another option that I think would be even better here: https://github.com/opnsense/core/issues/5303
Print
Go Up Pages1
User actions