Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers. - pfSense
Category set to User Manager / Privileges
Target version set to 2.5.0
Category changed from User Manager / Privileges to Authentication
Status changed from New to Pull Request Review
Status changed from Pull Request Review to Feedback
Assignee set to Renato Botelho
% Done changed from 0 to 100
PR has been merged. Thanks!
I don't think this is quite flexible enough. In the case of FreeIPA, for instance, the posixGroups list the member DNs in the member: attributes. This will not match because it is only searching for "(member=$username)" not "(member=$dn_returned_by_initial_user_query)"
What directory lists group members as simple usernames and not DNs?
Chris Linstruth wrote:
I don't think this is quite flexible enough. In the case of FreeIPA, for instance, the posixGroups list the member DNs in the member: attributes. This will not match because it is only searching for "(member=$username)" not "(member=$dn_returned_by_initial_user_query)"
What directory lists group members as simple usernames and not DNs?
Fix:
https://github.com/pfsense/pfsense/pull/4366
Status changed from Feedback to Pull Request Review
Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Status changed from Feedback to Resolved
works as expected on 2.5.0.a.20200716.1250
tested with FreeIPA server 4.8.4
Search example:
ldapsearch -h 192.168.1.11 -p 389 -D uid=admin,cn=users,cn=accounts,dc=lab,dc=int -w123 -b 'dc=lab,dc=int' "(&(member=uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int)(&(objectClass=groupofnames)(cn=vpnipa)(member=*)))"
# extended LDIF
#
# LDAPv3
# base <dc=lab,dc=int> with scope subtree
# filter: (&(member=uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int)(&(objectClass=groupofnames)(cn=vpnipa)(member=*)))
# requesting: ALL
#

# vpnipa, groups, accounts, lab.int
dn: cn=vpnipa,cn=groups,cn=accounts,dc=lab,dc=int
cn: vpnipa
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 925d9524-c7ed-11ea-9001-860d7bafc7f2
gidNumber: 1000000004
member: uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int
Status changed from Resolved to Feedback
It works only if the parent container is selected in the Authentication containers field, i.e.:
Authentication containers = cn=accounts,dc=lab,dc=int
but if cn=users,cn=accounts,dc=lab,dc=int and cn=groups,cn=accounts,dc=lab,dc=int are selected in the Authentication containers field, it doesn't work
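The following Python is an added illustration of the two points made above, the "member must be matched on the DN returned by the user query, not the bare username" comment and the "only works when the parent container is selected" report. It is not pfSense code and not part of this ticket. It runs offline against an in-memory directory built from constructed LDIF modelled on the FreeIPA group entry in the ldapsearch output. Assumptions: users are posixaccount entries found by uid (a simplification of what pfSense does); DN equality is approximated by case-insensitive string comparison; the containers list stands in for the Authentication containers field, and every container in it is searched for both the user and the group. filter_is_valid is only a syntax check on the composed filter, not a claim about what produced the "Bad search filter" error reported later in the ticket.

```python
import re

# Constructed sample directory modelled on the FreeIPA entry in the thread (not real data).
SAMPLE_LDIF = """\
dn: uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int
objectClass: posixaccount
uid: ipatest

dn: cn=vpnipa,cn=groups,cn=accounts,dc=lab,dc=int
objectClass: groupofnames
cn: vpnipa
member: uid=ipatest,cn=users,cn=accounts,dc=lab,dc=int
"""
# The extended query exactly as used in the thread's ldapsearch test.
EXTENDED_QUERY = "(&(objectClass=groupofnames)(cn=vpnipa)(member=*))"

def parse_ldif(text):
    """Minimal LDIF reader: one {attr (lower-cased): [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries.append(attrs)
    return entries

def escape_filter(value):
    """RFC 4515 escaping, so a username or DN cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _parse(s, i):
    """Recursive-descent parse of one RFC 4515 filter item starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("filter item must start with '('")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if not kids or i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, kids), i + 1
    j = s.find(")", i)          # safe: escaped values contain no raw ')'
    if j < 0 or "=" not in s[i:j]:
        raise ValueError("bad simple filter item")
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1

def parse_filter(flt):
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return node

def filter_is_valid(flt):
    """Syntax check only; a server would reject anything that fails here."""
    try:
        return parse_filter(flt) is not None
    except ValueError:
        return False

def _match(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_match(k, entry) for k in node[1])
    if node[0] == "!":
        return not _match(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    if val == "*":                          # presence test, e.g. (member=*)
        return bool(values)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    # Simplification: case-insensitive string compare instead of DN-syntax matching.
    return literal.lower() in (v.lower() for v in values)

def search(entries, base, flt):
    """Subtree search under base, with DN containment approximated by suffix comparison."""
    node, base_l = parse_filter(flt), base.lower()
    return [e for e in entries
            if (e["dn"][0].lower() == base_l or e["dn"][0].lower().endswith("," + base_l))
            and _match(node, e)]

def find_user_dn(entries, containers, username):
    """Stage 1: resolve the login name to the DN the directory actually stores."""
    flt = "(&(objectClass=posixaccount)(uid=%s))" % escape_filter(username)
    for base in containers:
        hits = search(entries, base, flt)
        if hits:
            return hits[0]["dn"][0]
    return None

def user_in_group(entries, containers, username, extended_query, match_on="dn"):
    """Stage 2: AND the admin's extended query with member=<user DN>, searching every container."""
    user_dn = find_user_dn(entries, containers, username)
    if user_dn is None:
        return False
    member_value = user_dn if match_on == "dn" else username   # "username" reproduces the bug
    flt = "(&(member=%s)%s)" % (escape_filter(member_value), extended_query)
    if not filter_is_valid(flt):
        raise ValueError("bad search filter: " + flt)
    return any(search(entries, base, flt) for base in containers)

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

With match_on="dn" the composed filter is byte-for-byte the one used in the ldapsearch test above, and it matches whether the containers list holds the single parent cn=accounts,dc=lab,dc=int or the two children cn=users,... and cn=groups,..., because every container is searched for the group. With match_on="username" the filter becomes (member=ipatest) and never matches a directory that stores member values as DNs; with only cn=users,... configured the user is found but the group search has nowhere to look, which is the shape of the multi-container failure reported above.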
Status changed from Feedback to New
I reverted e924485c9e681771806fe3ee63ed746152fcbcb9 -- Previously working LDAP servers started to fail with no change in configuration. All attempts to bind resulted in "Extended group search resulted in error: Bad search filter"
Status changed from New to Pull Request Review
Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Assignee changed from Renato Botelho to Steve Powers
Status changed from Feedback to Resolved
Tested against FreeIPA. Looks like it works great. Thank you!
Related to Bug #13093: LDAP authentication fails with extended query and RFC2307 group lookups enabled added