Bug #10492

closed

LDAP groups conflict in privileges

Added by Viktor Gurov over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Authentication
Target version:
Start date: 04/23/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.5
Affected Architecture:

Description

I am running pfSense 2.4.5-RELEASE with a 389 Directory Server for LDAP user authentication.

I have configured the authentication server section on pfSense based on the official documentation and have confirmed that my LDAP admin user is detected properly at "Diagnostics -> Authentication":

User admin authenticated successfully. This user is a member of groups:

admins

The admins user group at pfSense has the following privileges assigned:

WebCfg - All pages
User - System: Shell account access

However, when logging in with the admin LDAP user on the system, I do not get admin rights.


Details:

My LDAP admin user is part of two groups in LDAP:
admins: for full admin access
basic: for basic access to some tools
The two groups are also configured in pfSense, with the basic group being configured with the following privileges:
User - Config: Deny Config Write
User - Notices: View
WebCfg - Dashboard (all)
WebCfg - Diagnostics: ARP Table
WebCfg - Diagnostics: CPU Utilization
WebCfg - Diagnostics: DNS Lookup
WebCfg - Diagnostics: iperf client
WebCfg - Diagnostics: iperf server
WebCfg - Diagnostics: nmap package
WebCfg - Diagnostics: Ping
WebCfg - Diagnostics: Show States
WebCfg - Diagnostics: States Summary
WebCfg - Diagnostics: Test Port
WebCfg - Diagnostics: Traceroute
WebCfg - Firewall: NAT: 1:1
WebCfg - Firewall: NAT: NPt
WebCfg - Firewall: NAT: Outbound
WebCfg - Firewall: NAT: Port Forward
WebCfg - Firewall: Rules
WebCfg - Interfaces: Bridge
WebCfg - Interfaces: Groups
WebCfg - Interfaces: LAGG:
WebCfg - Interfaces: VLAN
WebCfg - Status: Logs: DHCP
WebCfg - Status: Logs: Firewall
WebCfg - Status: Logs: Gateways
WebCfg - Status: Logs: VPN
WebCfg - Status: Monitoring
WebCfg - Status: NTP
WebCfg - Status: OpenVPN
WebCfg - Status: System Logs: Firewall (Dynamic View)
WebCfg - Status: System Logs: Firewall Log Summary
WebCfg - Status: System Logs: NTP
WebCfg - Status: System Logs: OpenVPN
WebCfg - Status: System Logs: Portal Auth
WebCfg - Status: System Logs: Routing
WebCfg - Status: Traffic Graph
WebCfg - Status: DHCP leases
WebCfg - Status: Interfaces
WebCfg - Status: Services
WebCfg - Diagnostics: Sockets
WebCfg - Diagnostics: System Activity
User - System: Shell account access

The problem is that when authenticating against LDAP from the pfSense box, the LDAP admin user is identified as belonging to both the admins and the basic groups, causing a conflict in privileges. I could access all of the pages, yet I was unable to make changes in some (such as user configs or making firewall rule changes).

As a temporary solution, I have removed the LDAP admin user from the basic group and I can manage the firewall successfully. However, I will need to add the group membership back for other tools to work.

In my opinion, if a user has the "WebCfg - All pages" privilege, pfSense should overwrite any lower right from being a member of another group.
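
The conflict described in this report, as an added example that is not part of the original report and is not pfSense code: a simplified model that assumes the privileges of every matched group are merged into one set and that "User - Config: Deny Config Write" applies whenever any group contributes it, which matches the reported symptom. The users `alice` and `bob` and all function names are hypothetical, and the `basic` privilege list is abbreviated.

```python
ALL_PAGES = "WebCfg - All pages"
DENY_WRITE = "User - Config: Deny Config Write"

# Group privileges from the report; the "basic" list is abbreviated here.
GROUP_PRIVS = {
    "admins": {ALL_PAGES, "User - System: Shell account access"},
    "basic": {DENY_WRITE, "User - Notices: View", "WebCfg - Firewall: Rules",
              "User - System: Shell account access"},
}

# Constructed sample of LDAP memberships; "alice" and "bob" are hypothetical.
LDAP_MEMBERSHIPS = {
    "admin": ["admins", "basic"],
    "alice": ["admins"],
    "bob": ["basic"],
}


def effective_privs(groups):
    """Assumed merge rule: union of the privileges of every matched group."""
    privs = set()
    for group in groups:
        privs |= GROUP_PRIVS.get(group, set())
    return privs


def can_view(privs, page_priv):
    """A page is viewable with its own privilege or with the all-pages one."""
    return ALL_PAGES in privs or page_priv in privs


def can_write_config(privs):
    """Assumed: the deny privilege wins no matter which group supplied it."""
    return DENY_WRITE not in privs


def find_conflicts(memberships):
    """Map each user holding both ALL_PAGES and DENY_WRITE to the groups
    that contribute the deny privilege."""
    conflicts = {}
    for user, groups in memberships.items():
        privs = effective_privs(groups)
        if ALL_PAGES in privs and DENY_WRITE in privs:
            conflicts[user] = sorted(
                g for g in groups if DENY_WRITE in GROUP_PRIVS.get(g, set()))
    return conflicts


if __name__ == "__main__":
    print(find_conflicts(LDAP_MEMBERSHIPS))
```

Running a check like this against exported group memberships before assigning a deny privilege to a shared group shows which administrative accounts would lose write access.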
