Feature #1009
closed
Active Directory group membership checking
Added by Eric Machabert over 13 years ago. Updated about 8 years ago.
90%
Description
Hi,
This is the auth.inc I have modified to handle AD group membership checking.
It does not support nested groups. Work on that point could be done but it would generate intensive ldap trafic between pfsense and directory server.
Files
| auth.inc (38.7 KB) auth.inc | Eric Machabert, 11/13/2010 07:58 AM | ||
| auth.inc (38.9 KB) auth.inc | Included logic to query for extended parameters Query: (&(_ORIGINAL_)(New)) | Andy I., 08/27/2011 04:38 AM | |
| system_authservers.php (29.8 KB) system_authservers.php | Included logic for the optional additional configuration right under authentication containers | Andy I., 08/27/2011 04:38 AM | |
| auth.inc-2.1-BETA0 2012-9-2 ADgroup authentication works (44.7 KB) auth.inc-2.1-BETA0 2012-9-2 ADgroup authentication works | Pi Ba, 09/05/2012 06:36 PM |
Updated by vito B over 13 years ago
i have been using this patch.
have not seen any issues so far.
Updated by Scott Ullrich over 13 years ago
- Status changed from Feedback to New
- Target version changed from 2.0 to 2.1
We need a patch of changes here. auth.inc has diverged too much at this point. And even then Ermal does not agree with parts of this patch so tagging 2.1.
Updated by
Updated by Andy I. over 12 years ago
- File auth.inc auth.inc added
- File system_authservers.php system_authservers.php added
New version for auth.inc and system_authservers.php to allow for an extended LDAP query (Groups or otherwise)
Updated by jpoa poa almost 12 years ago
Greetings!
I was able to use Eric's patch on 2.0.1 (amd64) but Andy's patch was not reading the groups.
Rather then saying one is flawed, I'm suggesting something might have gotten broken. I haven't done heavy testing due to time constraints, just wanted to give a heads up regarding this.
Updated by Pi Ba over 11 years ago
- File auth.inc-2.1-BETA0 2012-9-2 ADgroup authentication works auth.inc-2.1-BETA0 2012-9-2 ADgroup authentication works added
Hi,
ive made a new auth.inc that works for me on "2.1-BETA0 (i386) built on Sun Sep 2 18:21:50 EDT 2012 " based on some basic changes made already by the Eric and Andy.
What works:
-i can check/authenticate if a user is a member of a group (PermissionGroup in below example).
Settings used:
PeerCertificate:chosen CA cert of the Windows 2008 R2 domain controller.
SearchScope: Entire Subtree.
Base DN: DC=myDomain,DC=local
Containers: CN=PermissionGroup,OU=SubGroup,OU=myOU,DC=myDomain,DC=local
Bind credentials UserDN and Password of a valid AD user.
attributes: samAccountName/cn/memberOf
While type and a little more searching it seams its already possible to authenticate groups?!:
The extended configuration setting seams a little strange "memberOf=CN=GroupName,....", but other than that it works already as described best by the screenshot of 'kestral' in [http://forum.pfsense.org/index.php?topic=48961.0]
Im not sure if this would mean this issue can already be closed.?..
Anyway thanks for implementing these changes. Why is it on 90% done.? As it seams to work OK :).
Updated by Renato Botelho about 11 years ago
- Status changed from New to Feedback
Could you please send it in diff format or submit a Pull Request at github? It's hard to track exactly what changes you did since the file was changed on last months.
Updated by Chris Buechler almost 11 years ago
- Target version deleted (
2.1) - Affected Version deleted (
2.0)
Updated by George C almost 11 years ago
Pi Ba wrote:
...
Im not sure if this would mean this issue can already be closed.?..
Anyway thanks for implementing these changes. Why is it on 90% done.? As it seams to work OK :).
Although this patch DOES work for the A.D. side, it BREAKS ldap auth for other ldap backends (namely OSX 10.8 Open Directory, which works fine otherwise).
Updated by Chris Buechler about 8 years ago
- Status changed from Feedback to Closed