Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers. - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Feature #9527

closed

Add ability for LDAP extended query on groups in RFC2307 containers.

Added by Steve Powers almost 5 years ago. Updated over 3 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Steve Powers

Category:

Authentication

Target version:

2.5.0

Start date:

05/16/2019

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Description

We have successfully deployed OpenLDAP authentication on several pfSense units, but needed to limit access to certain units based on LDAP group definitions. Support for this seems to be included for Active Directory implementations via the 'Extended Query' functionality, but when the LDAP directory uses RFC 2307 style group membership, the Extended Query does not have the ability to query the group container - I had no replies in the forum on this ability, so took at look at the PHP codebase which verified that it was not currently implemented.

I have put together a patch, that will abstract out the group container query, using the Extended Query syntax when the RFC2307 checkbox is selected. It will walk though the Authentication containers as per the original code.

I have attached the patch for comment, and to gauge interest in applying this to the main codebase.

Files

Download all files

pfSense_LDAP_RFC2307GroupFilter.diff (3.56 KB) pfSense_LDAP_RFC2307GroupFilter.diff		Steve Powers, 05/16/2019 07:06 AM
pfSense_LDAP_RFC2307GroupFilter.diff (3.48 KB) pfSense_LDAP_RFC2307GroupFilter.diff		Steve Powers, 05/16/2019 07:21 AM

Related issues

Related to Bug #13093: LDAP authentication fails with extended query and RFC2307 group lookups enabled

Feedback

Jim Pingle

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle almost 5 years ago

Category set to User Manager / Privileges
Target version set to 2.5.0

This looks good to me at a glance, do you mind submitting this as a pull request on Github?

https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html

Thanks!

Actions

Copy link

Updated by Steve Powers almost 5 years ago

File pfSense_LDAP_RFC2307GroupFilter.diff pfSense_LDAP_RFC2307GroupFilter.diff added

I noticed there was an erroneous reference to $userdn in the last debug() function, this updated patch removes that:

Actions

Copy link

Updated by Steve Powers almost 5 years ago

Jim Pingle wrote:

This looks good to me at a glance, do you mind submitting this as a pull request on Github?

https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html

Thanks!

I have submitted a pull request. Many thanks.

https://github.com/pfsense/pfsense/pull/4067

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Category changed from User Manager / Privileges to Authentication

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from New to Pull Request Review

Actions

Copy link

Updated by Renato Botelho over 4 years ago

Status changed from Pull Request Review to Feedback
Assignee set to Renato Botelho
% Done changed from 0 to 100

PR has been merged. Thanks!

Actions

Copy link

Updated by Chris Linstruth almost 4 years ago

I don't think this is quite flexible enough. In the case of FreeIPA, for instance, the posixGroups list the member DNs in the member: attributes. This will not match because it is only searching for "(member=$username)" not "(member=$dn_returned_by_initial_user_query)"

What directory lists group members as simple usernames and not DNs?

Actions

Copy link

Updated by Viktor Gurov almost 4 years ago

Chris Linstruth wrote:

I don't think this is quite flexible enough. In the case of FreeIPA, for instance, the posixGroups list the member DNs in the member: attributes. This will not match because it is only searching for "(member=$username)" not "(member=$dn_returned_by_initial_user_query)"

What directory lists group members as simple usernames and not DNs?

Fix:
https://github.com/pfsense/pfsense/pull/4366

Actions

Copy link

Updated by Jim Pingle almost 4 years ago

Status changed from Feedback to Pull Request Review

Actions

Copy link

#10

Updated by Renato Botelho almost 4 years ago

Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions

Copy link

#11

Updated by Viktor Gurov almost 4 years ago

Status changed from Feedback to Resolved

works as expected on 2.5.0.a.20200716.1250
tested with FreeIPA server 4.8.4

Search example:

ldapsearch -h 192.168.1.11 -p 389 -D uid=admin,cn=users,cn=accounts,dc=lab,dc=int -w123 -b 'dc=lab,dc=int' "(&(member=uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int)(&(objectClass=groupofnames)(cn=vpnipa)(member=*)))" 
# extended LDIF
#
# LDAPv3
# base <dc=lab,dc=int> with scope subtree
# filter: (&(member=uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int)(&(objectClass=groupofnames)(cn=vpnipa)(member=*)))
# requesting: ALL
#

# vpnipa, groups, accounts, lab.int
dn: cn=vpnipa,cn=groups,cn=accounts,dc=lab,dc=int
cn: vpnipa
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 925d9524-c7ed-11ea-9001-860d7bafc7f2
gidNumber: 1000000004
member: uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int

Actions

Copy link

#13

Updated by Viktor Gurov over 3 years ago

Status changed from Resolved to Feedback

it works only if parent container is selected in the Authentication containers field, i.e.:
Authentication containers = cn=accounts,dc=lab,dc=int

but if cn=users,cn=accounts,dc=lab,dc=int and cn=groups,cn=accounts,dc=lab,dc=int is selected in the Authentication containers field, it doesn't work

Actions

Copy link

#14

Updated by Jim Pingle over 3 years ago

Status changed from Feedback to New

I reverted e924485c9e681771806fe3ee63ed746152fcbcb9 -- Previously working LDAP servers started to fail with no change in configuration. All attempts to bind resulted in "Extended group search resulted in error: Bad search filter"

Actions

Copy link

#15

Updated by Viktor Gurov over 3 years ago

Jim Pingle wrote:

I reverted e924485c9e681771806fe3ee63ed746152fcbcb9 -- Previously working LDAP servers started to fail with no change in configuration. All attempts to bind resulted in "Extended group search resulted in error: Bad search filter"

Fixed:
https://github.com/pfsense/pfsense/pull/4458

Actions

Copy link

#16