Feature #5461 (closed): Add RFC2307bis (LDAP) group membership support to user authentication

Description
As laid out and implemented in Feature #4923 (https://redmine.pfsense.org/issues/4923), LDAP groups can be used if they follow RFC2307.
This is e.g. used by the posixGroup scheme, where the attribute values of memberUID in the group node specify the "username" (UID) of the group members.
In contrast to this, RFC2307bis specifies that group memberships are given as full DNs, so to speak, a link to the user object, as in a groupOfNames-schema solution where members are accessed via the "member" attribute values.
I'd like to see an RFC2307bis implementation.
The webconfigurator for LDAP Authentication sources currently shows a checkbox to enable RFC2307 group behaviour, which is interpreted as a contrast to an Active Directory "memberOf"-style group-membership assignment (there, group membership is handled at the User object, not in the Group object).
Instead, it could show a select box with RFC2307, RFC2307bis and "AD/memberOf" entries.
Following that, https://redmine.pfsense.org/projects/pfsense/repository/revisions/149efbeac4e6eaa9d8062f26bbc172c86020e231/entry/src/etc/inc/auth.inc#L1036 (src/etc/inc/auth.inc#1036) would have to be adjusted, along these lines:

```php
elseif ($authcfg['ldap_rfc2307bis']) {
    // 'ldap_rfc2307bis' is a hypothetical config flag for the new mode;
    // match the group object class and a member attribute carrying the user's full DN
    $ldapfilter = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}={$userdn}))";
}
```
(Pardon me, I do not know PHP nor LDAP very well).
While this looks really trivial at first, the "problem" might be to get the $userdn variable set by passing it through from the user's successful authentication or deducing it somehow. As far as I understand, it is not super easy to pass it down to getUserGroups().
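As an added example (not pfSense code), the following builds the group-search filter for the three membership styles discussed in this request, with the filter values escaped per RFC 4515 so that a username or DN cannot alter the filter's structure. `ldap_attr_groupobj` is the existing pfSense key; `ldap_attr_member` and `ldap_groupstyle` are assumed names for the member attribute and the proposed select-box value.

```php
<?php
// Added example, not pfSense code. Keys other than ldap_attr_groupobj are assumed.

// Escape a value for use inside an LDAP search filter (RFC 4515). Without this,
// a username such as "jdoe*)(uid=*" would be spliced into the filter verbatim.
function ldap_filter_escape(string $value): string
{
    return preg_replace_callback(
        '/[\\\\*()\x00]/',
        fn(array $m): string => sprintf('\\%02x', ord($m[0])),
        $value
    );
}

// Returns the group-search filter, or null for AD/memberOf where membership
// is read from the user entry instead of searching group objects.
function build_group_filter(array $authcfg, string $username, string $userdn): ?string
{
    $groupobj   = ldap_filter_escape($authcfg['ldap_attr_groupobj']); // posixGroup, groupOfNames, ...
    $memberattr = ldap_filter_escape($authcfg['ldap_attr_member']);   // memberUid, member, ...

    switch ($authcfg['ldap_groupstyle']) {          // assumed select-box value
        case 'rfc2307':    // memberUid carries the bare uid
            $value = ldap_filter_escape($username);
            break;
        case 'rfc2307bis': // member carries the user's full DN (the $userdn problem above)
            $value = ldap_filter_escape($userdn);
            break;
        case 'memberof':   // AD style: no group search needed
            return null;
        default:
            throw new InvalidArgumentException('unknown ldap_groupstyle');
    }
    return "(&(objectClass={$groupobj})({$memberattr}={$value}))";
}

// Constructed sample configuration and identities.
$cfg = [
    'ldap_attr_groupobj' => 'groupOfNames',
    'ldap_attr_member'   => 'member',
    'ldap_groupstyle'    => 'rfc2307bis',
];
echo build_group_filter($cfg, 'jdoe', 'uid=jdoe,ou=people,dc=example,dc=com'), PHP_EOL;

$cfg['ldap_groupstyle']    = 'rfc2307';
$cfg['ldap_attr_groupobj'] = 'posixGroup';
$cfg['ldap_attr_member']   = 'memberUid';
echo build_group_filter($cfg, 'jdoe*)(uid=*', ''), PHP_EOL;
```

The second call shows the filter metacharacters in the username being escaped to `\2a`, `\29`, `\28` rather than becoming part of the filter.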