Feature #9527
closed
Add ability for LDAP extended query on groups in RFC2307 containers.
100%
Description
We have successfully deployed OpenLDAP authentication on several pfSense units, but needed to limit access to certain units based on LDAP group definitions. Support for this seems to be included for Active Directory implementations via the 'Extended Query' functionality, but when the LDAP directory uses RFC 2307 style group membership, the Extended Query does not have the ability to query the group container - I had no replies in the forum on this ability, so took at look at the PHP codebase which verified that it was not currently implemented.
I have put together a patch, that will abstract out the group container query, using the Extended Query syntax when the RFC2307 checkbox is selected. It will walk though the Authentication containers as per the original code.
I have attached the patch for comment, and to gauge interest in applying this to the main codebase.
Files
Related issues
Updated by Jim Pingle almost 5 years ago
- Category set to User Manager / Privileges
- Target version set to 2.5.0
This looks good to me at a glance, do you mind submitting this as a pull request on Github?
https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html
Thanks!
Updated by Steve Powers almost 5 years ago
I noticed there was an erroneous reference to $userdn in the last debug() function, this updated patch removes that:
Updated by Steve Powers almost 5 years ago
Jim Pingle wrote:
This looks good to me at a glance, do you mind submitting this as a pull request on Github?
https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html
Thanks!
I have submitted a pull request. Many thanks.
Updated by Jim Pingle over 4 years ago
- Category changed from User Manager / Privileges to Authentication
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Chris Linstruth almost 4 years ago
I don't think this is quite flexible enough. In the case of FreeIPA, for instance, the posixGroups list the member DNs in the member: attributes. This will not match because it is only searching for "(member=$username)" not "(member=$dn_returned_by_initial_user_query)"
What directory lists group members as simple usernames and not DNs?
Updated by Viktor Gurov almost 4 years ago
Chris Linstruth wrote:
I don't think this is quite flexible enough. In the case of FreeIPA, for instance, the posixGroups list the member DNs in the member: attributes. This will not match because it is only searching for "(member=$username)" not "(member=$dn_returned_by_initial_user_query)"
What directory lists group members as simple usernames and not DNs?
Updated by Jim Pingle almost 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho almost 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov almost 4 years ago
- Status changed from Feedback to Resolved
works as expected on 2.5.0.a.20200716.1250
tested with FreeIPA server 4.8.4
Search example:
ldapsearch -h 192.168.1.11 -p 389 -D uid=admin,cn=users,cn=accounts,dc=lab,dc=int -w123 -b 'dc=lab,dc=int' "(&(member=uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int)(&(objectClass=groupofnames)(cn=vpnipa)(member=*)))" # extended LDIF # # LDAPv3 # base <dc=lab,dc=int> with scope subtree # filter: (&(member=uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int)(&(objectClass=groupofnames)(cn=vpnipa)(member=*))) # requesting: ALL # # vpnipa, groups, accounts, lab.int dn: cn=vpnipa,cn=groups,cn=accounts,dc=lab,dc=int cn: vpnipa objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject objectClass: posixgroup ipaUniqueID: 925d9524-c7ed-11ea-9001-860d7bafc7f2 gidNumber: 1000000004 member: uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int
Updated by Viktor Gurov almost 4 years ago
- Status changed from Resolved to Feedback
it works only if parent container is selected in the Authentication containers field, i.e.:
Authentication containers = cn=accounts,dc=lab,dc=int
but if cn=users,cn=accounts,dc=lab,dc=int and cn=groups,cn=accounts,dc=lab,dc=int is selected in the Authentication containers field, it doesn't work
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to New
I reverted e924485c9e681771806fe3ee63ed746152fcbcb9 -- Previously working LDAP servers started to fail with no change in configuration. All attempts to bind resulted in "Extended group search resulted in error: Bad search filter"
Updated by Viktor Gurov over 3 years ago
Jim Pingle wrote:
I reverted e924485c9e681771806fe3ee63ed746152fcbcb9 -- Previously working LDAP servers started to fail with no change in configuration. All attempts to bind resulted in "Extended group search resulted in error: Bad search filter"
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Anonymous over 3 years ago
- Assignee changed from Renato Botelho to Steve Powers
Updated by Chris Linstruth over 3 years ago
- Status changed from Feedback to Resolved
Tested against FreeIPA. Looks like it works great. Thank you!
Updated by Viktor Gurov about 2 years ago
- Related to Bug #13093: LDAP authentication fails with extended query and RFC2307 group lookups enabled added