Project

General

Profile

Feature #4923

Add LDAP support for RFC2307 style group membership

Added by Jonathon Reinhart almost 4 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
User manager
Target version:
Start date:
08/07/2015
Due date:
% Done:

100%

Estimated time:

Description

Turnkey Linux OpenLDAP (which runs the phpLDAPadmin web UI) seems to define group membership differently than pfSense expects.

The groups are defined fined as one would expect: cn=admins,ou=Groups,dc=example,dc=com

But group membership is defined by a memberUid attribute on the group object.

Here's some example output from ldapvi --discover:

5 cn=jreinhart,ou=Users,dc=example,dc=com
givenName: Jonathon
sn: Reinhart
cn: jreinhart
uid: jreinhart
uidNumber: 1000
gidNumber: 500 
homeDirectory: /home/users/jreinhart
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top 
mail: jreinhart@example.com

6 cn=admins,ou=Groups,dc=example,dc=com
cn: admins
gidNumber: 501 
objectClass: posixGroup
objectClass: top 
memberUid: jreinhart

I'm not sure if this is defined OpenLDAP or phpLDAPadmin, but it's the case on Turnkey Linux OpenLDAP (https://www.turnkeylinux.org/openldap)


From what I gather, pfSense is expecting group membership to be defined by an e.g. memberOf attribute on the user object.

Many users find themselves in a position like me, where we can successfully authenticate with LDAP, but group membership cannot be established:

Can this incompatibility somehow be remedied?

ldap-rfc2307.diff (1.68 KB) ldap-rfc2307.diff Jim Pingle, 08/12/2015 03:25 PM
OpenLDAP.pcapng (1.98 KB) OpenLDAP.pcapng Anonymous, 05/23/2017 08:18 AM

Associated revisions

Revision f6f7f1c2 (diff)
Added by Jim Pingle almost 4 years ago

Add support for LDAP RFC2307 style group membership. Implements #4923

To activate, check the box for RFC2307 in the LDAP server settings and fill in the group object class (typically posixGroup).

Revision 149efbea (diff)
Added by Jim Pingle over 3 years ago

Add support for LDAP RFC2307 style group membership. Resolves #4923

History

#1 Updated by Jonathon Reinhart almost 4 years ago

The sssd-ldap(5) man page (unrelated to this bug, just informational) gives a little more insight into this:

ldap_schema (string)
           Specifies the Schema Type in use on the target LDAP server. Depending on the selected schema, the default attribute
           names retrieved from the servers may vary. The way that some attributes are handled may also differ.

           Four schema types are currently supported:

           ·   rfc2307

           ·   rfc2307bis

           ·   IPA

           ·   AD

           The main difference between these schema types is how group memberships are recorded in the server. With rfc2307, group
           members are listed by name in the memberUid attribute. With rfc2307bis and IPA, group members are listed by DN and
           stored in the member attribute. The AD schema type sets the attributes to correspond with Active Directory 2008r2
           values.

           Default: rfc2307

It appears that pfSense is expecting an Active Directory type schema, whereas The default OpenLDAP schema is following RFC2307, with a memberUid attribute.

So I guess this is a feature request to support RFC2307. When I get some time, I may look into hacking at this.

#2 Updated by Jim Pingle almost 4 years ago

  • Subject changed from LDAP group membership incompatible with Turnkey Linux OpenLDAP / phpLDAPadmin to Add LDAP support for RFC2307 style group membership
  • Category set to User manager

Changed the subject of the ticket to be a little more accurate. I was looking at this a few weeks ago myself but with a basic LDAP setup in OpenLDAP and not specifically with Turnkey Linux. There are some tutorials out there for changing OpenLDAP to use a rfc2307bis schema, but none of them were viable or had various other issues.

#3 Updated by Jim Pingle almost 4 years ago

Attached patch is a bit of a hack but is just a proof of concept -- when applied it will find groups for the users in the way RFC2307 expects, though I had to hardcode the group objectClass as posixGroup.

Worst case, we may need a checkbox or drop-down to choose RFC2307 vs AD style group lookups (needs a better name) and another field to enter the group objectClass when selected. Patching into 2.2.x may not be too hard but 2.3 will have to wait until after the new GUI is merged.

To find the user entries in RFC2307 style you need a filter like this (find all groups containing the username as a Member):
  • Base DN = the Base DN for the LDAP server, Filter = (&(objectClass=posixGroup)(memberUid=username)), memberUid attribute required in response

The response is an array of groups that need parsed in a style as shown in the attached patch.

To find the user entries in AD style, you need a filter like this (find all groups listed on the user record in memberOf):
  • Base DN = the user's DN, Filter = (cn=$username), memberOf attribute required in response

The response is the user entry and the memberOf attribute contains an array of group names.

When adding the new option it should default to the current AD style

#4 Updated by Jim Pingle almost 4 years ago

Added a checkbox for RFC2307 and an input field for the group object class (defaults to posixGroup). To activate, check the box and fill in the group object class. Works fine here with a default OpenLDAP style setup. Box defaults to unchecked for the existing behavior which still works fine with AD.

#5 Updated by Jim Pingle almost 4 years ago

Leaving this open because the code will need to be brought into 2.3 after the bootstrap merge.

#6 Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#7 Updated by Jim Pingle almost 4 years ago

  • Status changed from Feedback to Assigned

#8 Updated by Jim Pingle over 3 years ago

  • Status changed from Assigned to Feedback

#9 Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved

This has been working for a while now.

#10 Updated by Felix Wolfsteller over 3 years ago

It does not work for me as I expected, but I have to admit that I am a LDAP-noop.

My setup contains of

ou=Groups,dc=siebenlinden,dc=de
, under which we find
groupOfNames and
ou=People,dc=siebenlinden,dc=de
, where we find
posixAccount,organizationalPeople,person and InetOrgPerson.

As authentication containers, I give ou=People,dc=siebenlinden,dc=de .
User naming attribute is "uid", group naming attribe "cn" and group member attribute "member".

I ticked the RFC2307-Checkbox.
The respective group I test is also added as "pfsense-group". Authentication via Diagnostics->Authentication works, but the groups are not shown.

I also installed the memberOf overlay (server is slapd 2.4.31-1+nmu2ubuntu8.2, ubuntu 14.04), but as far as i understood (and what tools like ldapsearch seem to confirm) this does work for FILTERING objects, but does not really add the attribute. The tests to use this but without the RFC2307-Box ticked also failed.

Is there any way to debug this issue further for me?

pfsense is at 2.2.5-RELEASE (i386) .

#11 Updated by Felix Wolfsteller over 3 years ago

Btw this is also featured in Feature #2869 iiuc.

#12 Updated by Felix Wolfsteller over 3 years ago

I tried to find the code that does the ldap group lookup. If I am not mistaken, it is located at https://redmine.pfsense.org/projects/pfsense/repository/revisions/149efbeac4e6eaa9d8062f26bbc172c86020e231/entry/src/etc/inc/auth.inc#L1036 (root/src/etc/inc/auth.inc#1036).

I then fired up ldapsearch with the guessed parameters:

 ldapsearch -h MYHOST -W -b dc=siebenlinden,dc=de -D cn=ADMIN_CN -s sub '(&(objectClass=groupofnames)(member=FIRSTNAME.LASTNAME))'

with CAPITALS filled correctly (FIRSTNAME.LASTNAME is the users uid).
To this query there were no results.

If I however correctly give the full DN as member-"variable", like

 ldapsearch -h MYHOST -W -b dc=siebenlinden,dc=de -D cn=ADMIN_CN -s sub '(&(objectClass=groupofnames)(member=DN_OF_USER))'

the command resulted in the correct groups.

That makes sense to me. The code (and maybe RFC2307) assumes that the member attribute is filled with the username, whereas the typical setup and apparently the scheme wants to have a DN there. Probably there are different between posixGroup/memberUid and groupOfNames/member ...?

#13 Updated by Felix Wolfsteller over 3 years ago

Felix Wolfsteller wrote:

That makes sense to me. The code (and maybe RFC2307) assumes that the member attribute is filled with the username, whereas the typical setup and apparently the scheme wants to have a DN there. Probably there are different between posixGroup/memberUid and groupOfNames/member ...?

Man, I am sorry, that should not happen, the first answer to this feature request stated the differences between rfc2307 ("memberuid" with ...well uid) and rfc2307bis ("member" with dn).

Also, I could get the RFC2307-style (posixGroup with memberuid) working, by broadening the search scope to "entire subtree". Awesome. I understood some php code.

I opened a Feature Request for rfc2307bis support:
https://redmine.pfsense.org/issues/5461 .

#14 Updated by Jim Pingle about 2 years ago

This is not a support system. For help, please post on the forum, mailing list, or use another support method.

#15 Updated by Anonymous about 2 years ago

#16 Updated by Jim Pingle about 2 years ago

This bug is old, and resolved. It works perfectly, and I use it every day. If you have an issue it is different than this. Discuss the issue first on the forum, mailing list, reddit, etc. Do not open a new issue until after it has been discussed and configuration issues have been ruled out definitively by others.

Also available in: Atom PDF