Project

General

Profile

Actions

Feature #1009

closed

Active Directory group membership checking

Added by Eric Machabert about 14 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Low
Assignee:
-
Category:
User Manager / Privileges
Target version:
-
Start date:
11/13/2010
Due date:
% Done:

90%

Estimated time:
Plus Target Version:
Release Notes:

Description

Hi,

This is the auth.inc I have modified to handle AD group membership checking.

It does not support nested groups. Work on that point could be done but it would generate intensive ldap trafic between pfsense and directory server.


Files

auth.inc (38.7 KB) auth.inc Eric Machabert, 11/13/2010 07:58 AM
auth.inc (38.9 KB) auth.inc Included logic to query for extended parameters Query: (&(_ORIGINAL_)(New)) Andy I., 08/27/2011 04:38 AM
system_authservers.php (29.8 KB) system_authservers.php Included logic for the optional additional configuration right under authentication containers Andy I., 08/27/2011 04:38 AM
auth.inc-2.1-BETA0 2012-9-2 ADgroup authentication works (44.7 KB) auth.inc-2.1-BETA0 2012-9-2 ADgroup authentication works Pi Ba, 09/05/2012 06:36 PM
Actions #1

Updated by vito B about 14 years ago

i have been using this patch.
have not seen any issues so far.

Actions #2

Updated by Scott Ullrich about 14 years ago

  • Status changed from New to Feedback
Actions #3

Updated by Scott Ullrich about 14 years ago

  • Status changed from Feedback to New
  • Target version changed from 2.0 to 2.1

We need a patch of changes here. auth.inc has diverged too much at this point. And even then Ermal does not agree with parts of this patch so tagging 2.1.

Actions #4

Updated by Jim Pingle about 14 years ago

  • Assignee deleted (Jim Pingle)
Actions #5

Updated by Andy I. over 13 years ago

New version for auth.inc and system_authservers.php to allow for an extended LDAP query (Groups or otherwise)

Actions #6

Updated by jpoa poa over 12 years ago

Greetings!

I was able to use Eric's patch on 2.0.1 (amd64) but Andy's patch was not reading the groups.

Rather then saying one is flawed, I'm suggesting something might have gotten broken. I haven't done heavy testing due to time constraints, just wanted to give a heads up regarding this.

Actions #7

Updated by Pi Ba over 12 years ago

Hi,
ive made a new auth.inc that works for me on "2.1-BETA0 (i386) built on Sun Sep 2 18:21:50 EDT 2012 " based on some basic changes made already by the Eric and Andy.

What works:
-i can check/authenticate if a user is a member of a group (PermissionGroup in below example).
Settings used:
PeerCertificate:chosen CA cert of the Windows 2008 R2 domain controller.
SearchScope: Entire Subtree.
Base DN: DC=myDomain,DC=local
Containers: CN=PermissionGroup,OU=SubGroup,OU=myOU,DC=myDomain,DC=local
Bind credentials UserDN and Password of a valid AD user.
attributes: samAccountName/cn/memberOf

While type and a little more searching it seams its already possible to authenticate groups?!:
The extended configuration setting seams a little strange "memberOf=CN=GroupName,....", but other than that it works already as described best by the screenshot of 'kestral' in [http://forum.pfsense.org/index.php?topic=48961.0]

Im not sure if this would mean this issue can already be closed.?..
Anyway thanks for implementing these changes. Why is it on 90% done.? As it seams to work OK :).

Actions #8

Updated by Renato Botelho almost 12 years ago

  • Status changed from New to Feedback

Could you please send it in diff format or submit a Pull Request at github? It's hard to track exactly what changes you did since the file was changed on last months.

Actions #9

Updated by Chris Buechler over 11 years ago

  • Target version deleted (2.1)
  • Affected Version deleted (2.0)
Actions #10

Updated by George C over 11 years ago

Pi Ba wrote:

...

Im not sure if this would mean this issue can already be closed.?..
Anyway thanks for implementing these changes. Why is it on 90% done.? As it seams to work OK :).

Although this patch DOES work for the A.D. side, it BREAKS ldap auth for other ldap backends (namely OSX 10.8 Open Directory, which works fine otherwise).

Actions #11

Updated by Chris Buechler almost 9 years ago

  • Status changed from Feedback to Closed
Actions

Also available in: Atom PDF