
Feature #5461

Add RFC2307bis (LDAP) group membership support to user authentication

Added by Felix Wolfsteller about 5 years ago. Updated 4 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
11/17/2015
Due date:
% Done:

0%

Estimated time:

Description

As laid out and implemented in Feature #4923 (https://redmine.pfsense.org/issues/4923), LDAP groups can be used if they follow RFC2307.

This is used e.g. by the posixGroup schema, where the attribute values (memberUid) in the group node specify the "username" (uid) of the group members.

In contrast to this, RFC2307bis specifies that group memberships are given with the full DN, so to speak, a link to the user object, as in a groupOfNames-schema solution with members being accessed via the "member" attribute values.

I'd like to see an RFC2307bis implementation.

The webconfigurator for LDAP Authentication sources currently shows a checkbox to enable RFC2307 group behaviour, which is interpreted in contrast to an Active Directory "memberOf"-style group-membership assignment (there, group membership is handled on the user object, not on the group object).

Instead, it could show a select box with RFC2307, RFC2307bis and "AD/memberOf" entries.

Following that, https://redmine.pfsense.org/projects/pfsense/repository/revisions/149efbeac4e6eaa9d8062f26bbc172c86020e231/entry/src/etc/inc/auth.inc#L1036 (src/etc/inc/auth.inc#1036) would have to be adjusted, along these lines:

/* $authcfg is the auth-source config array, so it has to be compared by key;
   'ldap_rfc2307' holding the value 'rfc2307bis' is a placeholder for whatever
   the proposed select box would store. */
elseif ($authcfg['ldap_rfc2307'] == 'rfc2307bis') {
  /* RFC2307bis: the group's member attribute holds the user's full DN */
  $ldapfilter         = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}={$userdn}))";
}

(Pardon me, I do not know PHP nor LDAP very well).

While this looks really trivial at first, the "problem" might be to get the $userdn variable set by passing it through from the user's successful authentication or deducing it somehow. As far as I understand, it is not super easy to pass it down to getUserGroups().
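The three membership schemes discussed in the description, as an added example (this is neither pfSense's auth.inc nor the reporter's sketch): one function that builds the group-lookup filter for RFC2307 (memberUid = username), RFC2307bis (member = user DN, so the DN resolved before the bind has to be kept) and the AD memberOf style (search the user entry, read memberOf). Every value interpolated into the filter is escaped per RFC 4515, which the sketch above does not do; an unescaped username or DN containing `)`, `(`, `*` or `\` rewrites the filter. The $authcfg keys and the 'ldap_group_mode' values are assumptions made for this example, not pfSense configuration names.

```php
<?php
// Added example, not pfSense code. The $authcfg keys and the
// 'ldap_group_mode' values are assumed names for this example only.

// Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
// Without this, a username or DN such as "x)(memberUid=*" changes the filter
// logic (LDAP filter injection). With ext/ldap loaded, PHP >= 5.6 offers the
// same escaping as ldap_escape($value, '', LDAP_ESCAPE_FILTER).
function filter_escape($value) {
    $out = '';
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        $c = $value[$i];
        if ($c === '*' || $c === '(' || $c === ')' || $c === '\\' || $c === "\0") {
            $out .= sprintf('\\%02x', ord($c));   // e.g. "*" -> "\2a"
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Return the search filter that locates the authenticated user's groups and
// the attribute to read from each matching entry.
//   rfc2307    : posixGroup; memberUid holds the bare username
//   rfc2307bis : groupOfNames; member holds the user's full DN, so the caller
//                must pass the DN it resolved for the bind
//   memberof   : Active Directory style; membership is stored on the user
//                object, so the search targets the user entry and reads memberOf
function group_membership_filter(array $authcfg, $username, $userdn) {
    $groupobj = filter_escape($authcfg['ldap_attr_groupobj']); // posixGroup / groupOfNames
    $userobj  = filter_escape($authcfg['ldap_attr_userobj']);  // inetOrgPerson / user
    $memattr  = filter_escape($authcfg['ldap_attr_member']);   // memberUid / member / memberOf
    $nameattr = filter_escape($authcfg['ldap_attr_user']);     // uid / sAMAccountName

    switch ($authcfg['ldap_group_mode']) {
        case 'rfc2307':
            return array(
                'filter' => "(&(objectClass={$groupobj})({$memattr}=" . filter_escape($username) . "))",
                'attr'   => 'cn',
            );
        case 'rfc2307bis':
            if ($userdn === '') {
                // Nothing to match against member=... without the DN.
                throw new InvalidArgumentException('rfc2307bis needs the user DN');
            }
            return array(
                'filter' => "(&(objectClass={$groupobj})({$memattr}=" . filter_escape($userdn) . "))",
                'attr'   => 'cn',
            );
        case 'memberof':
            return array(
                'filter' => "(&(objectClass={$userobj})({$nameattr}=" . filter_escape($username) . "))",
                'attr'   => $authcfg['ldap_attr_member'],
            );
        default:
            throw new InvalidArgumentException('unknown group mode ' . $authcfg['ldap_group_mode']);
    }
}

// Constructed sample configurations and inputs (not a real directory).
$common = array('ldap_attr_userobj' => 'inetOrgPerson', 'ldap_attr_user' => 'uid');
$modes = array(
    'rfc2307'    => array('ldap_attr_groupobj' => 'posixGroup',   'ldap_attr_member' => 'memberUid'),
    'rfc2307bis' => array('ldap_attr_groupobj' => 'groupOfNames', 'ldap_attr_member' => 'member'),
    'memberof'   => array('ldap_attr_groupobj' => 'group',        'ldap_attr_member' => 'memberOf'),
);
// A DN with an escaped comma in its RDN: the backslash itself must be
// escaped again inside the filter, which is what filter_escape does.
$userdn = 'cn=Smith\\, Jane,ou=people,dc=example,dc=org';

foreach ($modes as $mode => $cfg) {
    $cfg += $common + array('ldap_group_mode' => $mode);
    $q = group_membership_filter($cfg, 'jsmith', $userdn);
    printf("%-10s %s  (read: %s)\n", $mode, $q['filter'], $q['attr']);
}

// A hostile username: unescaped it would turn the filter into a match for
// every posixGroup; escaped it matches nothing.
$cfg = $modes['rfc2307'] + $common + array('ldap_group_mode' => 'rfc2307');
$q = group_membership_filter($cfg, 'x)(memberUid=*', '');
printf("%-10s %s\n", 'hostile', $q['filter']);
```

Running the script prints one filter per mode, with the RFC2307bis filter carrying the DN as `cn=Smith\5c, Jane,...` and the hostile username rendered as `x\29\28memberUid=\2a`. The RFC2307bis case throws if the caller has no DN, which is exactly the plumbing problem the description points at: whatever resolves the username to a DN before the bind has to hand that DN down to the group lookup.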

History

#1 Updated by Jim Thompson about 5 years ago

  • Assignee set to Chris Buechler

assigned to cmb for eval

#2 Updated by Felix Wolfsteller about 5 years ago

Possibly duplicate of #3410 .

#3 Updated by Chris Buechler over 4 years ago

  • Assignee deleted (Chris Buechler)

#4 Updated by Jim Pingle over 1 year ago

  • Category changed from User Manager / Privileges to Authentication

#6 Updated by Viktor Gurov 4 months ago

  • Status changed from New to Resolved

Resolved in #9527
