User removed from group after LDAP login
Topic: User removed from group after LDAP login (Read 4169 times)
opn_support
Newbie
Posts: 8
Karma: 0
User removed from group after LDAP login
on: July 05, 2021, 09:12:52 pm
I'm trying to log in with an LDAP user, but every time I want to log in the user is removed from the admin group.
I first add the LDAP user, see "memberof_group".
Then I try to log in with the LDAP username and password; when I press login, everything is cleared and I don't see an error message, see "login_no_error".
When I check the LDAP user, it's removed from the group, see "removed_from_group".
When I put the user back in the group and try to log in with a wrong password, I get the expected login error, see "login_error", and the user isn't removed from the group.
Looks like there is some bug or configuration error that removes my LDAP user from the group when I try to log in; how to solve this?
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: User removed from group after LDAP login
Reply #1 on: July 06, 2021, 07:24:34 am
You have sync groups in the LDAP config enabled, but the group names differ.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
Fright
Hero Member
Posts: 1777
Karma: 164
Re: User removed from group after LDAP login
Reply #2 on: July 06, 2021, 10:04:54 am
In addition to what @mimugmail said: you can see the "User: policy change for * unlink group *" string in the log.
opn_support
Newbie
Posts: 8
Karma: 0
Re: User removed from group after LDAP login
Reply #3 on: July 07, 2021, 09:19:54 pm
Looks like creating a group with the same name as the AD group and then manually adding the user to that group fixes the problem.
I would expect the AD group to be synced automatically with the internal group; do I really need to manually add all users again?
Fright
Hero Member
Posts: 1777
Karma: 164
Re: User removed from group after LDAP login
Reply #4 on: July 07, 2021, 09:36:48 pm
do I really need to manually add all users again?
No. The user will be added to that group on the next logon.
opn_support
Newbie
Posts: 8
Karma: 0
Re: User removed from group after LDAP login
Reply #5 on: July 07, 2021, 11:57:49 pm
For some reason the sync is not functioning; it only works when I add them manually.
Fright
Hero Member
Posts: 1777
Karma: 164
Re: User removed from group after LDAP login
Reply #6 on: July 08, 2021, 03:17:09 pm
Please clarify: that is, when you add a user to the LDAP group with the same name as the local group (and after replication, if necessary), the user is not automatically added to the corresponding local group when entering the GUI? But (at the same time) after manually adding them to the local group and entering the GUI, the user is not removed from this group?
opn_support
Newbie
Posts: 8
Karma: 0
Re: User removed from group after LDAP login
Reply #7 on: July 29, 2021, 12:22:31 am
Yes, correct; it looks like the sync between the AD and OPNsense groups is not functioning, but the test went fine.
(FYI, currently I'm running version 21.7 with the same behavior, but I cannot update the post ;-))
Fright
Hero Member
Posts: 1777
Karma: 164
Re: User removed from group after LDAP login
Reply #8 on: July 29, 2021, 06:48:44 pm
Hm.. any chance that "Limit groups" in the LDAP server settings is not empty and does not include sg-vpnusers?
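The two explanations offered in this thread (Reply #1: sync groups enabled but the local group name differs from the AD group name; Reply #8: a "Limit groups" selection that leaves a group unmanaged) can be reproduced with a small model of name-based group synchronisation. The following is an added example, not OPNsense's own code: the reconciliation rule, the "link" log message and the exact-match/"Limit groups" semantics are assumptions built from what the replies describe, and only the unlink message string is taken from the thread. Usernames, group names and DNs are constructed.

```python
"""Simplified model of LDAP memberOf -> local group synchronisation on login.

Added example, not OPNsense's own code: it models the behaviour described in
this thread (a local group is linked or unlinked for a user on each LDAP login
by matching the LDAP group CN against the local group name) so that a differing
group name and a restrictive "Limit groups" setting can be reproduced offline.
Message formats and settings semantics are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# The unlink message shape is taken from the string quoted in the thread; the
# link variant is an assumption added for symmetry.
UNLINK_MSG = "User: policy change for {user} unlink group {group}"
LINK_MSG = "User: policy change for {user} link group {group}"

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)
_UNLINK_RE = re.compile(r"User: policy change for (\S+) unlink group (\S+)")


def member_of_to_names(member_of: Iterable[str]) -> Set[str]:
    """Reduce memberOf DNs like 'CN=sg-vpnusers,OU=Groups,DC=example,DC=test' to their CN."""
    names: Set[str] = set()
    for dn in member_of:
        m = _CN_RE.match(dn.strip())
        if m:
            names.add(m.group(1))
    return names


def sync_groups(user: str, local_groups: Dict[str, Set[str]], member_of: Iterable[str],
                limit_groups: Optional[Set[str]] = None) -> List[str]:
    """Reconcile local membership of `user` against LDAP memberOf; return the log lines emitted.

    local_groups maps local group name -> set of member usernames and is updated in place.
    A non-empty limit_groups restricts the sync to those local groups (assumed semantics of
    the "Limit groups" setting mentioned in the thread); an empty one means all groups.
    """
    ldap_names = member_of_to_names(member_of)
    log: List[str] = []
    for name, members in local_groups.items():
        if limit_groups and name not in limit_groups:
            continue  # not under LDAP management: never linked, never unlinked
        in_ldap = name in ldap_names  # exact, case-sensitive match: "admins" != "OPNsense-Admins"
        if in_ldap and user not in members:
            members.add(user)
            log.append(LINK_MSG.format(user=user, group=name))
        elif not in_ldap and user in members:
            members.discard(user)
            log.append(UNLINK_MSG.format(user=user, group=name))
    return log


def is_unlink_event(line: str) -> Optional[Tuple[str, str]]:
    """Detection helper for the log string from Reply #2: (user, group) for an unlink line, else None."""
    m = _UNLINK_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


# Constructed memberOf attribute for the test user (made-up directory).
MEMBER_OF = ["CN=OPNsense-Admins,OU=Groups,DC=example,DC=test",
             "CN=sg-vpnusers,OU=Groups,DC=example,DC=test"]


def scenario_name_mismatch() -> Tuple[Dict[str, Set[str]], List[str]]:
    """Reply #1: user manually placed in 'admins', but AD names the group 'OPNsense-Admins'."""
    groups = {"admins": {"alice"}}
    return groups, sync_groups("alice", groups, MEMBER_OF)


def scenario_matching_name() -> Tuple[Dict[str, Set[str]], List[str]]:
    """Replies #3/#4: a local group with the AD group's name exists; the user is linked on logon."""
    groups = {"admins": set(), "OPNsense-Admins": set()}
    return groups, sync_groups("alice", groups, MEMBER_OF)


def scenario_limit_groups() -> Tuple[Dict[str, Set[str]], List[str]]:
    """Reply #8: 'Limit groups' is set but omits sg-vpnusers, so that group is never synced."""
    groups = {"OPNsense-Admins": set(), "sg-vpnusers": set()}
    return groups, sync_groups("alice", groups, MEMBER_OF, limit_groups={"OPNsense-Admins"})


if __name__ == "__main__":
    for scenario in (scenario_name_mismatch, scenario_matching_name, scenario_limit_groups):
        groups, log = scenario()
        print(scenario.__name__, groups, log)
```

Running the file shows the first scenario emitting exactly the unlink line Reply #2 suggests grepping for, the second linking the user on the next logon as Reply #4 states, and the third leaving sg-vpnusers untouched. When reviewing a real system, checking the local group name character-for-character against the AD group CN and inspecting the "Limit groups" selection covers both causes raised here.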
opn_support
Newbie
Posts: 8
Karma: 0
Re: User removed from group after LDAP login
Reply #9 on: August 02, 2021, 07:54:47 pm
Hello,
Limit groups has the value "Nothing selected", so as far as I know all groups are allowed.
Fright
Hero Member
Posts: 1777
Karma: 164
Re: User removed from group after LDAP login
Reply #10 on: August 06, 2021, 05:00:55 pm
Sorry then, can't help.
I see no reason for this behavior in the code and cannot reproduce it on my machines (