pfSense

I also was expecting that this would work out of the box.

For me the setup is as follows (and I think it resembles a "typical" use case):

• pfSense appliance with only one local admin user.
• As further User authentication server an openldap running on a different host.
• Furthermore, groups setup in openLDAP and pfsense, respectively. The relevant group has only Captive Portal Login privileges.

As Diagnostics->Authentication showed that my openldap test account is member of the "correct" group I assumed that after enabling CP everything should work fine (although I was shortly puzzled by the word "local" in the CP authentication settings). And of course ticking the option whether group memberships should be checked or not did not have any effect.

Btw, this issue was also raised at the forums over at https://forum.pfsense.org/index.php?topic=87869.0 . It quickly mentions in which order the authentication sources should be checked (currently User Manager->Servers cannot be ordered).

After browsing the codebase a bit I am surprised how much understanding I gained in a short amount of time.

I think not much is missing:

A rough implementation sketch that preserves backwards compatibility:

1. On Services:Captive portal: <zone> page
   "Authentication" Section:
• Add another radiobutton
  o Local User Manager and all <a href=".../system_authservers.php">configured additional Servers</a>/ Vouchers
  o Allow only... #checkbox like in other entry
• Pass this value (say "local_plus") down to further procesing if ticked (I dont know php and the rest of the codebase)

1. Copy https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L237-L254
   and modify cpcfg['auth_method'] "local" to "local_plus" or whatever name from 1).
• After the "//check against local user manager"-block iterate over the ldap-backends and call
  

  $loginok = ldap_backend($_POST['auth_user'], $_POST['auth_pass']);

• Handle the result accordingly for each. Early stop at a success if privilege check passes. Otherwise set $errormsg, or accumulate them along the way. Decorate with log-entries at will.

It seems a rather trivial change to me (at least code-wise). I'd be super happy to patch my system by actually changing https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L240 (s/local/ldap), but unfortunately ldap_backend takes an additional parameter, the ldap-backend configuration. If somebody can tell me how to access the first one available to the system and confirm that this will not break updates, I would hack my pfSense instance immidiatly ...

Felix Wolfsteller wrote:

1. Copy https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L237-L254
   and modify cpcfg['auth_method'] "local" to "local_plus" or whatever name from 1).
• After the "//check against local user manager"-block iterate over the ldap-backends and call
  [...]
• Handle the result accordingly for each. Early stop at a success if privilege check passes. Otherwise set $errormsg, or accumulate them along the way. Decorate with log-entries at will.

$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
$loginok = authenticate_user($_POST['auth_user'], $_POST['auth_pass'], $authcfg, NULL);

With some help from PiBa-NL via IRC I can confirm that the hackish approach works fine.

$authcfg = auth_get_authserver("YOUR LDAP BACKEND NAME");
$_attributes = array();
$loginok = authenticate_user($_POST['auth_user'], $_POST['auth_pass'], $authcfg, $_attributes);

I'm interested to this feature. It will be officially implemented?

Any chance an implementation as outlined above would make it into upstream? Would be happy to give the implementation a try, but time-to-try is limited.

https://github.com/pfsense/pfsense/pull/3117 implementation works on 2.4 BETA 09 Aug 2017

Another potential PR: https://github.com/pfsense/pfsense/pull/3640

I confirm that LDAP is working correctly now
This issue can be marked as resolved