Feature #9527

Add ability for LDAP extended query on groups in RFC2307 containers.

Added by Steve Powers about 1 year ago. Updated 16 days ago.

Status: Feedback
Priority: Normal
Category: Authentication
Target version:
Start date: 05/16/2019
Due date:
% Done: 100%
Estimated time:

Description

We have successfully deployed OpenLDAP authentication on several pfSense units, but needed to limit access to certain units based on LDAP group definitions. Support for this seems to be included for Active Directory implementations via the 'Extended Query' functionality, but when the LDAP directory uses RFC 2307 style group membership, the Extended Query does not have the ability to query the group container. I had no replies in the forum on this ability, so I took a look at the PHP codebase, which verified that it was not currently implemented.

I have put together a patch that will abstract out the group container query, using the Extended Query syntax when the RFC2307 checkbox is selected. It will walk through the Authentication containers as per the original code.

I have attached the patch for comment, and to gauge interest in applying this to the main codebase.

Associated revisions

Revision 0a9163aa (diff)
Added by Steve Powers about 1 year ago

Feature #9527 - LDAP extended query on groups in RFC2307 containers.

Revision e924485c (diff)
Added by Viktor Gurov about 1 month ago

Use user DN for RFC2307 membership search. Issue #9527

History

#1 Updated by Jim Pingle about 1 year ago

  • Category set to User Manager / Privileges
  • Target version set to 2.5.0

This looks good to me at a glance, do you mind submitting this as a pull request on Github?

https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html

Thanks!

#2 Updated by Steve Powers about 1 year ago

I noticed there was an erroneous reference to $userdn in the last debug() function; this updated patch removes that:

#3 Updated by Steve Powers about 1 year ago

Jim Pingle wrote:

This looks good to me at a glance, do you mind submitting this as a pull request on Github?

https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html

Thanks!

I have submitted a pull request. Many thanks.

https://github.com/pfsense/pfsense/pull/4067

#4 Updated by Jim Pingle 12 months ago

  • Category changed from User Manager / Privileges to Authentication

#5 Updated by Jim Pingle 11 months ago

  • Status changed from New to Pull Request Review

#6 Updated by Renato Botelho 10 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#7 Updated by Chris Linstruth about 2 months ago

I don't think this is quite flexible enough. In the case of FreeIPA, for instance, the posixGroups list the member DNs in the member: attributes. This will not match because it is only searching for "(member=$username)" not "(member=$dn_returned_by_initial_user_query)"

What directory lists group members as simple usernames and not DNs?

#8 Updated by Viktor Gurov about 1 month ago

Chris Linstruth wrote:

I don't think this is quite flexible enough. In the case of FreeIPA, for instance, the posixGroups list the member DNs in the member: attributes. This will not match because it is only searching for "(member=$username)" not "(member=$dn_returned_by_initial_user_query)"

What directory lists group members as simple usernames and not DNs?

Fix:
https://github.com/pfsense/pfsense/pull/4366

#9 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Pull Request Review

#10 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#11 Updated by Viktor Gurov 20 days ago

See also #5461

#12 Updated by Viktor Gurov 19 days ago

  • Status changed from Feedback to Resolved

Works as expected on 2.5.0.a.20200716.1250.
Tested with FreeIPA server 4.8.4.

Search example:

ldapsearch -h 192.168.1.11 -p 389 -D uid=admin,cn=users,cn=accounts,dc=lab,dc=int -w123 -b 'dc=lab,dc=int' "(&(member=uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int)(&(objectClass=groupofnames)(cn=vpnipa)(member=*)))" 
# extended LDIF
#
# LDAPv3
# base <dc=lab,dc=int> with scope subtree
# filter: (&(member=uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int)(&(objectClass=groupofnames)(cn=vpnipa)(member=*)))
# requesting: ALL
#

# vpnipa, groups, accounts, lab.int
dn: cn=vpnipa,cn=groups,cn=accounts,dc=lab,dc=int
cn: vpnipa
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 925d9524-c7ed-11ea-9001-860d7bafc7f2
gidNumber: 1000000004
member: uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int
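
The membership filter from the search above, rebuilt from its parts as an added example (not pfSense code): the user's full DN goes into the member assertion, as #7 and #8 require, the Extended Query is assumed to be supplied without its outer parentheses, and the DN is escaped per RFC 4515 so filter metacharacters in a directory-returned value cannot change the filter's structure. The group entry is a constructed stand-in for the FreeIPA result.

```python
# Added example; not code from the pfSense project.
# RFC 4515 escaping of the characters that would otherwise alter a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(member_value: str, extended_query: str) -> str:
    """Combine the membership assertion with the admin-supplied extended query.

    Assumption: extended_query is given without outer parentheses, e.g.
    "&(objectClass=groupofnames)(cn=vpnipa)(member=*)".
    """
    return f"(&(member={escape_filter_value(member_value)})({extended_query}))"


def group_matches(group_entry: dict, member_value: str) -> bool:
    """Mimic what the directory does for (member=<value>): an exact match
    against the multi-valued member attribute of one group entry."""
    return member_value in group_entry.get("member", [])


# Constructed group entry mirroring the ldapsearch output in this comment.
VPNIPA_GROUP = {
    "dn": "cn=vpnipa,cn=groups,cn=accounts,dc=lab,dc=int",
    "objectClass": ["top", "groupofnames", "posixgroup"],
    "member": ["uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int"],
}
USER_DN = "uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int"
EXTENDED_QUERY = "&(objectClass=groupofnames)(cn=vpnipa)(member=*)"

if __name__ == "__main__":
    print(build_group_filter(USER_DN, EXTENDED_QUERY))
    # Bare username (the pre-fix behaviour) never matches a DN-valued member.
    print(group_matches(VPNIPA_GROUP, "ipatest"))
    # The DN returned by the initial user query does.
    print(group_matches(VPNIPA_GROUP, USER_DN))
    # A constructed value with metacharacters is neutralised by escaping.
    print(escape_filter_value("ipatest)(cn=*"))
```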

#13 Updated by Viktor Gurov 16 days ago

  • Status changed from Resolved to Feedback

It works only if the parent container is selected in the Authentication containers field, i.e.:
Authentication containers = cn=accounts,dc=lab,dc=int

But if cn=users,cn=accounts,dc=lab,dc=int and cn=groups,cn=accounts,dc=lab,dc=int are selected in the Authentication containers field, it doesn't work.
