Bug #10971

closed

OpenLDAP + group member attribute other than memberUid

Added by Norbert K over 4 years ago. Updated over 4 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date: 10/10/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.5-p1
Affected Architecture: amd64

Description

I am trying to connect to OpenLDAP. Simple authorization works fine; I can connect as "domain user".
Then I wanted to set up groups. When I create a POSIX group in LDAP with memberUid, and the same group in pfSense (System -> User Manager -> Groups -> Edit, scope: remote), all works fine; I see the groups in Diagnostics -> Authentication.

Logs on LDAP server:

Oct 10 15:08:49 openldap slapd[550]:     filter: (&(objectClass=posixGroup)(memberUid=user@my.domain.com))

I change the Group member attribute to description and set the description in LDAP to my user (I know, stupid, but only for tests).

Logs on LDAP server:

Oct 10 15:10:45 openldap slapd[550]:     filter: (&(objectClass=posixGroup)(description=user@my.domain.com))

Everything works fine; I can see the groups. So I change the Group Object Class to groupOfUniqueNames, create a new group in LDAP, and set the description in LDAP to my user.
Logs:

Oct 10 15:39:29 openldap slapd[550]:     filter: (&(objectClass=groupOfUniqueNames)(description=user@my.domain.com))

I see this new group. Perfect!
Now I change the Group member attribute to uniquemember, and in the logs:

Oct 10 15:54:31 openldap slapd[550]:     filter: (&(objectClass=groupOfUniqueNames)(?uniqueMember=user@my.domain.com))

Two questions:
  1. Why is the attribute changed to ?uniquemember (additional question mark)?
  2. Why wasn't the value of the attribute changed to entryDN?
Actions #1

Updated by Norbert K over 4 years ago

When I change the User naming attribute to entryDN, I can log in and see all groups. But it's a bit inconvenient.

Logs:

Oct 10 19:41:09 openldap slapd[2694]:     filter: (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=user,ou=people,dc=my,dc=domain,dc=com))

and the additional question mark disappeared...
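The behaviour in the logged filters above, as an added example that is not pfSense or OpenLDAP code: it builds the same `(&(objectClass=...)(attr=value))` filter and evaluates it against a small constructed in-memory directory, which shows why memberUid matches the bare user name while uniqueMember only matches the user's full DN (the entryDN value). Group DNs and the directory contents are constructed for the example.

```python
"""Added example (not pfSense/OpenLDAP code): build the group-lookup filter
seen in the slapd logs and evaluate it against a constructed directory."""
import re

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def group_filter(group_class: str, member_attr: str, member_value: str) -> str:
    """(&(objectClass=<class>)(<member attr>=<value>)), as in the logged filters."""
    return f"(&(objectClass={group_class})({member_attr}={escape_filter_value(member_value)}))"

# Constructed entries: one POSIX group keyed by uid, one groupOfUniqueNames
# keyed by DN. Attribute names are stored lower-case because LDAP attribute
# names are case-insensitive.
DIRECTORY = {
    "cn=admins,ou=groups,dc=my,dc=domain,dc=com": {
        "objectclass": ["posixGroup"],
        "memberuid": ["user@my.domain.com"],
    },
    "cn=vpn,ou=groups,dc=my,dc=domain,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=user,ou=people,dc=my,dc=domain,dc=com"],
    },
}

_FILTER_RE = re.compile(r"^\(&\(objectClass=([^()]+)\)\(([^()=]+)=([^()]*)\)\)$")

def matching_groups(ldap_filter: str, directory=DIRECTORY) -> list[str]:
    """DNs of entries matching the two-term AND filter (exact, case-insensitive)."""
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter shape: {ldap_filter}")
    cls = m.group(1).lower()
    attr = m.group(2).lower()
    value = unescape_filter_value(m.group(3)).lower()
    hits = []
    for dn, entry in directory.items():
        classes = [c.lower() for c in entry.get("objectclass", [])]
        values = [v.lower() for v in entry.get(attr, [])]
        if cls in classes and value in values:
            hits.append(dn)
    return hits
```

Running the three filters from the report (memberUid with the user name, uniqueMember with the user name, uniqueMember with the DN) returns the admins group, nothing, and the vpn group respectively.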

Actions #2

Updated by Jim Pingle over 4 years ago

  • Project changed from pfSense Packages to pfSense
  • Category set to Authentication
  • Status changed from New to Rejected

This site is not for support or diagnostic discussion.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.

See Reporting Issues with pfSense Software for more information.
