Any further docs on LDAP/group authentication? (also memberOf/memberUid and PAM)
Topic: Any further docs on LDAP/group authentication? (also memberOf/memberUid and PAM) (Read 1999 times)
nxg
Newbie
Posts: 4
Karma: 0
« on: March 23, 2020, 06:13:07 pm »
Greetings.
The docs at
https://docs.opnsense.org/manual/how-tos/user-ldap.html
outline setting up LDAP-based authentication. I can authenticate a user against my LDAP server, but I can't work out how to restrict this to users in a particular group.
The almost-relevant docs there describe doing so using the memberOf attribute (on a posixAccount object; this is the RFC 2307bis schema), but my LDAP directory uses the RFC 2307 schema, where group membership is defined using the memberUid attribute on a posixGroup object.
The documentation on that page is a little brief, and to some extent focused on how to use the interface, rather than going any deeper. So is there any other documentation I should be consulting, but which I haven't yet found?
Specifically, I'm trying to find answers to the following (question 3 might render the answers to Q1 and 2 redundant).
(1) In Step 1, I find "The Extended Query can be used to select users who are member of a specific group" -- great, just what I want. But in Step 1.1 (optional) the page first of all talks about _importing_ users rather than calling out to a directory (i.e., a one-time operation), and then in a 'note' says "This feature needs the remote ldap server to respond with memberOf when queried". It's not completely clear what 'this feature' is referring to -- does this mean that OPNsense will only work directly with an LDAP server which uses the RFC 2307bis schema? (It's possible to play tricks on the server to synthesise some attributes when necessary, but I'd rather not go down that path unless I absolutely have to.)
(2) What is the actual query that's sent to the LDAP server? Looking at the help for 'Extended Query', it appears that it's something like &(<usernamingattribute>=<requestedusername>)(<extendedquery>). Is that right? I don't think there's any way I can craft an <extendedquery> that checks that &(objectclass=posixgroup)(memberuid=<requestedusername>) has a non-null response.
But...
(3) I found
https://docs.opnsense.org/development/components/authentication.html
which suggests that the OPNsense authentication defers to the underlying PAM system as much as possible. If I were to configure the PAM system as I do on other FreeBSD machines, which successfully calls out to the LDAP directory, would I be able to leave all of the OPNsense authentication settings at (effectively) 'local' and leave everything to PAM? In other words, is there a 'just do what PAM says' configuration setting? (or is simply failing to configure an LDAP server effectively that?) Myself, I'd be more comfortable managing this via the PAM configuration, than via the GUI, as long as that's not a deprecated procedure.
Please do point me towards any forum posts which touch on this. On a brief search, the nearest I found was
https://forum.opnsense.org/index.php?topic=12558.msg60555
which suggests that group tests might be dependent on RFC 2307bis memberOf.
Thanks for any pointers.
Norman
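The schema difference behind questions (1) and (2), worked through as an added example (this is not OPNsense code, and the filter shape (&(<naming>=<user>)(<extended>)) is taken from the post's own guess, not from the OPNsense source). The directory entries, the group name "fwadmins" and the example users are constructed; a tiny in-memory matcher stands in for a real LDAP server. It shows why a single extended query anchored on the user entry can only express membership when the server returns memberOf (RFC 2307bis), while a plain RFC 2307 directory needs a second search against the posixGroup entry, and why any username spliced into a filter should be escaped per RFC 4515:

```python
"""Added example, not from the OPNsense project: group membership checks under
RFC 2307bis (memberOf on the user entry) versus RFC 2307 (memberUid on a
posixGroup entry), run against a constructed in-memory directory."""

# Constructed sample directory. Only alice carries memberOf, as an
# RFC 2307bis-style server would synthesise it; the group entry lists her
# in memberUid, which is all a plain RFC 2307 directory has.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org",
     "objectclass": ["posixaccount"], "uid": ["alice"],
     "memberof": ["cn=fwadmins,ou=groups,dc=example,dc=org"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org",
     "objectclass": ["posixaccount"], "uid": ["bob"]},
    {"dn": "cn=fwadmins,ou=groups,dc=example,dc=org",
     "objectclass": ["posixgroup"], "cn": ["fwadmins"],
     "memberuid": ["alice"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter, so a submitted
    username cannot change the shape of the query."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_user_filter(naming_attr, username, extended_query=None):
    """Compose the filter the post guesses at: (&(<naming>=<user>)(<extended>)).
    The extended query is assumed to be an admin-supplied, already valid filter."""
    base = "(%s=%s)" % (naming_attr, escape_filter_value(username))
    if not extended_query:
        return base
    return "(&%s%s)" % (base, extended_query)


def _split_components(body):
    """Split the inside of (&...) into its top-level (...) components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def entry_matches(entry, flt):
    """Minimal matcher: AND plus case-insensitive equality, enough for the demo.
    Escaped bytes are compared literally, so an escaped injection attempt
    simply fails to match, which is the outcome a real server gives too."""
    if flt.startswith("(&"):
        return all(entry_matches(entry, c) for c in _split_components(flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def search(flt):
    """Stand-in for an LDAP subtree search over the constructed directory."""
    return [e for e in DIRECTORY if entry_matches(e, flt)]


def authorize_2307bis(username, group_dn):
    """One query on the user entry; works only if the server exposes memberOf."""
    extended = "(memberOf=%s)" % escape_filter_value(group_dn)
    return len(search(build_user_filter("uid", username, extended))) == 1


def authorize_2307(username, group_cn):
    """Two queries: confirm the user entry exists, then ask for a posixGroup
    that names the user in memberUid. This is what RFC 2307 requires."""
    if len(search(build_user_filter("uid", username))) != 1:
        return False
    grp = "(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(username))
    return len(search(grp)) == 1


if __name__ == "__main__":
    group = "cn=fwadmins,ou=groups,dc=example,dc=org"
    print("2307bis alice:", authorize_2307bis("alice", group))   # True
    print("2307bis bob:  ", authorize_2307bis("bob", group))     # False
    print("2307    alice:", authorize_2307("alice", "fwadmins")) # True
    # A memberUid test placed in the user-entry filter matches nothing,
    # because memberUid lives on the group entry, not the user entry.
    print("user-entry memberUid filter:",
          search(build_user_filter("uid", "alice", "(memberUid=alice)")))  # []
```

The last line of the main block is the crux of question (2): if the extended query is ANDed with the user's naming attribute on the user entry, a memberUid condition can never be satisfied by an RFC 2307 directory, and only a second search (or a server-side memberOf overlay) can answer it. The escaping helper is the defensive detail worth keeping whichever route is chosen, since the username is attacker-supplied input at the login prompt.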