Feature #4923: Add LDAP support for RFC2307 style group membership - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Feature #4923

closed

Add LDAP support for RFC2307 style group membership

Added by Jonathon Reinhart over 9 years ago. Updated over 7 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

User Manager / Privileges

Target version:

2.3

Start date:

08/07/2015

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Description

Turnkey Linux OpenLDAP (which runs the phpLDAPadmin web UI) seems to define group membership differently than pfSense expects.

The groups are defined fined as one would expect: cn=admins,ou=Groups,dc=example,dc=com

But group membership is defined by a memberUid attribute on the group object.

Here's some example output from ldapvi --discover:

5 cn=jreinhart,ou=Users,dc=example,dc=com
givenName: Jonathon
sn: Reinhart
cn: jreinhart
uid: jreinhart
uidNumber: 1000
gidNumber: 500 
homeDirectory: /home/users/jreinhart
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top 
mail: jreinhart@example.com

6 cn=admins,ou=Groups,dc=example,dc=com
cn: admins
gidNumber: 501 
objectClass: posixGroup
objectClass: top 
memberUid: jreinhart

I'm not sure if this is defined OpenLDAP or phpLDAPadmin, but it's the case on Turnkey Linux OpenLDAP (https://www.turnkeylinux.org/openldap)

From what I gather, pfSense is expecting group membership to be defined by an e.g. memberOf attribute on the user object.

Many users find themselves in a position like me, where we can successfully authenticate with LDAP, but group membership cannot be established:

https://forum.pfsense.org/index.php?topic=67546.0
https://forum.pfsense.org/index.php?topic=64180.0
https://forum.pfsense.org/index.php?topic=48961.0

Can this incompatibility somehow be remedied?

Files

Download all files

ldap-rfc2307.diff (1.68 KB) ldap-rfc2307.diff		Jim Pingle, 08/12/2015 03:25 PM
OpenLDAP.pcapng (1.98 KB) OpenLDAP.pcapng		Anonymous, 05/23/2017 08:18 AM

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jonathon Reinhart over 9 years ago

The sssd-ldap(5) man page (unrelated to this bug, just informational) gives a little more insight into this:

ldap_schema (string)
           Specifies the Schema Type in use on the target LDAP server. Depending on the selected schema, the default attribute
           names retrieved from the servers may vary. The way that some attributes are handled may also differ.

           Four schema types are currently supported:

           ·   rfc2307

           ·   rfc2307bis

           ·   IPA

           ·   AD

           The main difference between these schema types is how group memberships are recorded in the server. With rfc2307, group
           members are listed by name in the memberUid attribute. With rfc2307bis and IPA, group members are listed by DN and
           stored in the member attribute. The AD schema type sets the attributes to correspond with Active Directory 2008r2
           values.

           Default: rfc2307

It appears that pfSense is expecting an Active Directory type schema, whereas The default OpenLDAP schema is following RFC2307, with a memberUid attribute.

So I guess this is a feature request to support RFC2307. When I get some time, I may look into hacking at this.

Actions

Copy link

Updated by Jim Pingle over 9 years ago

Subject changed from LDAP group membership incompatible with Turnkey Linux OpenLDAP / phpLDAPadmin to Add LDAP support for RFC2307 style group membership
Category set to User Manager / Privileges

Changed the subject of the ticket to be a little more accurate. I was looking at this a few weeks ago myself but with a basic LDAP setup in OpenLDAP and not specifically with Turnkey Linux. There are some tutorials out there for changing OpenLDAP to use a rfc2307bis schema, but none of them were viable or had various other issues.

Actions

Copy link

Updated by Jim Pingle over 9 years ago

File ldap-rfc2307.diff ldap-rfc2307.diff added
Assignee set to Jim Pingle
Target version set to 2.3
Affected Architecture All added
Affected Architecture deleted ()

Attached patch is a bit of a hack but is just a proof of concept -- when applied it will find groups for the users in the way RFC2307 expects, though I had to hardcode the group objectClass as posixGroup.

Worst case, we may need a checkbox or drop-down to choose RFC2307 vs AD style group lookups (needs a better name) and another field to enter the group objectClass when selected. Patching into 2.2.x may not be too hard but 2.3 will have to wait until after the new GUI is merged.

To find the user entries in RFC2307 style you need a filter like this (find all groups containing the username as a Member):

Base DN = the Base DN for the LDAP server, Filter = (&(objectClass=posixGroup)(memberUid=username)), memberUid attribute required in response

The response is an array of groups that need parsed in a style as shown in the attached patch.

To find the user entries in AD style, you need a filter like this (find all groups listed on the user record in memberOf):

Base DN = the user's DN, Filter = (cn=$username), memberOf attribute required in response

The response is the user entry and the memberOf attribute contains an array of group names.

When adding the new option it should default to the current AD style

Actions

Copy link

Updated by Jim Pingle over 9 years ago

Added a checkbox for RFC2307 and an input field for the group object class (defaults to posixGroup). To activate, check the box and fill in the group object class. Works fine here with a default OpenLDAP style setup. Box defaults to unchecked for the existing behavior which still works fine with AD.

Actions

Copy link

Updated by Jim Pingle over 9 years ago

Leaving this open because the code will need to be brought into 2.3 after the bootstrap merge.

Actions

Copy link

Updated by Jim Pingle over 9 years ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset f6f7f1c244929016d2ab4664df6d969f664a54f0.

Actions

Copy link

Updated by Jim Pingle over 9 years ago

Status changed from Feedback to Assigned

Actions

Copy link

Updated by Jim Pingle about 9 years ago

Status changed from Assigned to Feedback

Applied in changeset 149efbeac4e6eaa9d8062f26bbc172c86020e231.

Actions

Copy link

Updated by Jim Pingle about 9 years ago

Status changed from Feedback to Resolved

This has been working for a while now.

Actions

Copy link

#10

Updated by Felix Wolfsteller about 9 years ago

It does not work for me as I expected, but I have to admit that I am a LDAP-noop.

My setup contains of

ou=Groups,dc=siebenlinden,dc=de

, under which we find
groupOfNames and

ou=People,dc=siebenlinden,dc=de

, where we find
posixAccount,organizationalPeople,person and InetOrgPerson.

As authentication containers, I give ou=People,dc=siebenlinden,dc=de .
User naming attribute is "uid", group naming attribe "cn" and group member attribute "member".

I ticked the RFC2307-Checkbox.
The respective group I test is also added as "pfsense-group". Authentication via Diagnostics->Authentication works, but the groups are not shown.

I also installed the memberOf overlay (server is slapd 2.4.31-1+nmu2ubuntu8.2, ubuntu 14.04), but as far as i understood (and what tools like ldapsearch seem to confirm) this does work for FILTERING objects, but does not really add the attribute. The tests to use this but without the RFC2307-Box ticked also failed.

Is there any way to debug this issue further for me?

pfsense is at 2.2.5-RELEASE (i386) .

Actions

Copy link

#11

Updated by Felix Wolfsteller about 9 years ago

Btw this is also featured in Feature #2869 iiuc.

Actions

Copy link

#12

Updated by Felix Wolfsteller about 9 years ago

I tried to find the code that does the ldap group lookup. If I am not mistaken, it is located at https://redmine.pfsense.org/projects/pfsense/repository/revisions/149efbeac4e6eaa9d8062f26bbc172c86020e231/entry/src/etc/inc/auth.inc#L1036 (root/src/etc/inc/auth.inc#1036).

I then fired up ldapsearch with the guessed parameters:

 ldapsearch -h MYHOST -W -b dc=siebenlinden,dc=de -D cn=ADMIN_CN -s sub '(&(objectClass=groupofnames)(member=FIRSTNAME.LASTNAME))'

with CAPITALS filled correctly (FIRSTNAME.LASTNAME is the users uid).
To this query there were no results.

If I however correctly give the full DN as member-"variable", like

 ldapsearch -h MYHOST -W -b dc=siebenlinden,dc=de -D cn=ADMIN_CN -s sub '(&(objectClass=groupofnames)(member=DN_OF_USER))'

the command resulted in the correct groups.

That makes sense to me. The code (and maybe RFC2307) assumes that the member attribute is filled with the username, whereas the typical setup and apparently the scheme wants to have a DN there. Probably there are different between posixGroup/memberUid and groupOfNames/member ...?

Actions

Copy link

#13

Updated by Felix Wolfsteller about 9 years ago

Felix Wolfsteller wrote:

That makes sense to me. The code (and maybe RFC2307) assumes that the member attribute is filled with the username, whereas the typical setup and apparently the scheme wants to have a DN there. Probably there are different between posixGroup/memberUid and groupOfNames/member ...?

Man, I am sorry, that should not happen, the first answer to this feature request stated the differences between rfc2307 ("memberuid" with ...well uid) and rfc2307bis ("member" with dn).

Also, I could get the RFC2307-style (posixGroup with memberuid) working, by broadening the search scope to "entire subtree". Awesome. I understood some php code.

I opened a Feature Request for rfc2307bis support:
https://redmine.pfsense.org/issues/5461 .

Actions

Copy link

#14

Updated by Jim Pingle over 7 years ago

This is not a support system. For help, please post on the forum, mailing list, or use another support method.

Actions

Copy link

#15

Updated by Anonymous over 7 years ago

File OpenLDAP.pcapng OpenLDAP.pcapng added

Actions

Copy link

#16

Updated by Jim Pingle over 7 years ago

This bug is old, and resolved. It works perfectly, and I use it every day. If you have an issue it is different than this. Discuss the issue first on the forum, mailing list, reddit, etc. Do not open a new issue until after it has been discussed and configuration issues have been ruled out definitively by others.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Feature #4923

Add LDAP support for RFC2307 style group membership

Updated by Jonathon Reinhart over 9 years ago

Updated by Jim Pingle over 9 years ago

Updated by Jim Pingle over 9 years ago

Updated by Jim Pingle over 9 years ago

Updated by Jim Pingle over 9 years ago

Updated by Jim Pingle over 9 years ago

Updated by Jim Pingle over 9 years ago

Updated by Jim Pingle about 9 years ago

Updated by Jim Pingle about 9 years ago

Updated by Felix Wolfsteller about 9 years ago

Updated by Felix Wolfsteller about 9 years ago

Updated by Felix Wolfsteller about 9 years ago

Updated by Felix Wolfsteller about 9 years ago

Updated by Jim Pingle over 7 years ago

Updated by Anonymous over 7 years ago

Updated by Jim Pingle over 7 years ago