Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.7 Legacy Series
»
importing AD users cuts off the username
« previous
next »
Print
Pages: [
1
]
2
Author
Topic: importing AD users cuts off the username (Read 4940 times)
Jhjacobs81
Newbie
Posts: 19
Karma: 0
importing AD users cuts off the username
«
on:
October 12, 2020, 11:03:46 am »
So, i have setup OPNSense to authenticate our IT staff against Active Directory. It works in so far that it does import the correct users. i set the "User naming attribute" to email, but when i log in it doesnt work.
When i use the tester and i input jhjacobs81@emailadress.com it validates.
When i login to the administration website it does not. i have to input jhjacobs81
i would want everyone to use their full emailadres, because we use that everywhere when we use SSO ;-) does anyone know how to fix this?
Logged
Cerberus
Jr. Member
Posts: 63
Karma: 4
Re: importing AD users cuts off the username
«
Reply #1 on:
December 30, 2020, 04:11:11 pm »
It looks like a bug to me. I tried it myself by using "userPrincipalName" as Usernaming attribute. On import it shows the users email address but on grouping it shows the sAMAccountName value.
Update: this only affect user login into opnsense and not using ldap as authentication source for ipsec/openvpn, these components respect "userPrincipalName".
«
Last Edit: December 30, 2020, 04:26:14 pm by Cerberus
»
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: importing AD users cuts off the username
«
Reply #2 on:
December 30, 2020, 06:56:48 pm »
Worth opening an issue in GitHub
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: importing AD users cuts off the username
«
Reply #3 on:
January 04, 2021, 11:41:31 am »
For reference, the maximum user name length in FreeBSD is 32. See
https://github.com/opnsense/core/commit/0829a34cef4
I will check the GUI login though...
Cheers,
Franco
«
Last Edit: January 04, 2021, 11:43:17 am by franco
»
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: importing AD users cuts off the username
«
Reply #4 on:
January 04, 2021, 11:44:18 am »
PS: Did you set web GUI to local database? Probably only need to enable LDAP authentication for GUI as well (System: Settings: Administration).
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: importing AD users cuts off the username
«
Reply #5 on:
January 04, 2021, 02:47:13 pm »
@franco
it looks like the script cuts off the domain part before saving the account to config
(line 117:
https://github.com/opnsense/core/blob/master/src/www/system_usermanager_import_ldap.php
)
did not check how it will work if domain part is saved.
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: importing AD users cuts off the username
«
Reply #6 on:
January 04, 2021, 02:50:40 pm »
Yes, to avoid tripping over the 32 character limit...
Cheers,
Franco
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: importing AD users cuts off the username
«
Reply #7 on:
January 04, 2021, 03:05:22 pm »
@franco,
got it, thanks
sorry, not topic-starter (and I don't think it's a good idea to use ldap for GUI-auth), but let me explain if I understand correctly:
everything works fine if its single domain network.
if there is a Active Directory forest with child domains, it is logical to use the Global Catalog and in this case authentication is working using the userPrincipalName attribute (which includes the domain part). It works well for OpenVPN etc. but not for GUI.
(and what's more, I don't see the user bind to the authentication server in config if multiple servers are configured)
(
https://forum.opnsense.org/index.php?topic=19078.0
)
«
Last Edit: January 04, 2021, 03:12:16 pm by Fright
»
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: importing AD users cuts off the username
«
Reply #8 on:
January 04, 2021, 03:12:57 pm »
Good point. The local import is not the best place to join multiple domains. It is more for flexibility in small use cases where you need it. Larger setups work fine with direct authentication against multiple LDAPs and there is probably also other equipment dealing with VPN etc. so that local import does not have to be a perceived bottleneck.
Cheers,
Franco
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: importing AD users cuts off the username
«
Reply #9 on:
January 04, 2021, 04:13:11 pm »
could you give more information about "Larger setups work fine with direct authentication against multiple LDAPs " please? i think i don't understand what you mean
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: importing AD users cuts off the username
«
Reply #10 on:
January 04, 2021, 04:33:21 pm »
If you set the web GUI to authenticate against LDAP (not only Local Database) you don't have to import from LDAP and authenticating with email works fine.
Cheers,
Franco
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: importing AD users cuts off the username
«
Reply #11 on:
January 04, 2021, 05:04:32 pm »
wow! forgot about this. will test, thanks! (group matching did not work when I checked it at the very beginning on 19.7. I will dig deeper)
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: importing AD users cuts off the username
«
Reply #12 on:
January 04, 2021, 06:44:47 pm »
@franco
I tested and it looks like the import of the user is still necessary (without this authentication works, but there is no authorization: "No page assigned to this user! Click here to logout")
it is not necessary to include the user in the authorization groups (groups are synchronized via LDAP after login), but the user
must
be imported ..
sad (it would be great if imports were not required at all.On the other hand, it is dangerous with an accidental vulnerability when the OPN group accidentally coincides with the LDAP group)
«
Last Edit: January 04, 2021, 07:08:41 pm by Fright
»
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: importing AD users cuts off the username
«
Reply #13 on:
January 04, 2021, 07:36:57 pm »
Ok, but login works
That's indeed an issue that prevents designated use. We added email address field a while back and one could use this to authenticate as well but the problem is there was no structural enforcement to email address. It could still be done but we have to prevent login for ambiguous address (given more than once) and properly import the email...
Same accounts for different domains will still clash, but I would rather see this out of scope than trying to address this as well (the UNIX model does not fit here and overlapping user aliases across domains are probably the same person anyway).
Cheers,
Franco
«
Last Edit: January 04, 2021, 08:09:24 pm by franco
»
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: importing AD users cuts off the username
«
Reply #14 on:
January 04, 2021, 08:02:18 pm »
yes, authentication works )
but GUI still not working without authorization
it seems to me that the mention of the email is somewhat confusing. it's not necessarily about email, but about the used ldap attribute. it may not be samaccountname or email. as i mentioned when using AD GC the userPrincipalName attribute is used (just to prevent overlapping usernames in different domains. userPrincipalName include @domainpart and may or may not coincide with the email).
the idea of authorization without importing a user seems very interesting to me for this.
I don't know if I can find this part of the code (authgui.inc ?) and test this possibility
(another possibility is not to sanitize the username on ldap-import? since imported ldap user have <user_dn> parameter in config, it can be skipped when user checked against local db?)
Logged
Print
Pages: [
1
]
2
« previous
next »
OPNsense Forum
»
Archive
»
20.7 Legacy Series
»
importing AD users cuts off the username