
Author Topic: LDAP and FreeIPA 4.4.1 Frustrations  (Read 98 times)


LDAP and FreeIPA 4.4.1 Frustrations
« on: July 13, 2017, 06:13:13 pm »
Just FYI, there is only one way to use FreeIPA on pfSense 2.3.4.

You need to connect to FreeIPA over SSL using a FreeIPA-signed cert. Maybe you can do it more simply, but this is what worked for me.

After you fill in the host, the distinguished name field needs to look something like this: cn=compat,dc=my-domain,dc=com (cn=compat matters).

Enable RFC 2307 Groups

User naming attribute: uid
Group naming attribute: cn
Group member attribute: memberUid
Group Object Class: posixGroup

The way users are set up in FreeIPA and the search method in pfSense, there's no way to filter that I could tell. It fails on memberOf queries. For some reason, some object classes partially work and others do not work at all. For example, cn~=fw_admins as an extended search fails to return anything even though the query logged on the LDAP server works from ldapsearch.

It's also important to know the "extended search" option is during the user authentication step, not filter groups.

Disabling RFC 2307 Groups builds a different search string that fails with no way to control the attrs output.
SRCH base="cn=compat,DC=mydomain,DC=zz" scope=2 filter="(&(uid=myuser)(&(objectClass=posixGroup)(cn=fw_admins)))" attrs=ALL

A successful search string looks like this:
SRCH base="DC=mydomain,DC=zz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=myuser))" attrs="memberUid"

What happens in this scenario once you get LDAP auth working is that any user is able to authenticate on pfSense. However, if they don't belong to a matching pfSense local group, there is an error because their group doesn't exist.
« Last Edit: July 14, 2017, 10:26:19 am by chock-a-block »
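The group lookup described in the post, modelled in Python as an added example (not code from the post or from pfSense itself): it builds the working RFC 2307 search filter and the failing non-2307 one, evaluates the working filter against constructed compat-tree entries, and reproduces the "group doesn't exist" failure when no pfSense local group matches. The entries, usernames and group names are made up.

```python
# Added example, not from the post: a pure-Python model of the pfSense-style
# RFC 2307 group lookup against the FreeIPA compat tree, with constructed
# entries so it runs offline. All values below are made up.

ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot alter the filter structure."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def rfc2307_group_filter(username: str, group_objectclass: str = "posixGroup",
                         member_attr: str = "memberUid") -> str:
    """Filter issued with 'Enable RFC 2307 Groups' on (the working case)."""
    return f"(&(objectClass={group_objectclass})({member_attr}={escape_filter_value(username)}))"

def non_rfc2307_filter(username: str, group: str) -> str:
    """Filter built with RFC 2307 Groups disabled (the failing case from the post)."""
    u, g = escape_filter_value(username), escape_filter_value(group)
    return f"(&(uid={u})(&(objectClass=posixGroup)(cn={g})))"

# Constructed sample of what the compat tree might return (not real data).
COMPAT_ENTRIES = [
    {"dn": "cn=fw_admins,cn=groups,cn=compat,dc=my-domain,dc=com",
     "objectClass": ["posixGroup"], "cn": ["fw_admins"], "memberUid": ["alice", "bob"]},
    {"dn": "cn=developers,cn=groups,cn=compat,dc=my-domain,dc=com",
     "objectClass": ["posixGroup"], "cn": ["developers"], "memberUid": ["bob", "carol"]},
    {"dn": "uid=alice,cn=users,cn=compat,dc=my-domain,dc=com",
     "objectClass": ["posixAccount"], "uid": ["alice"]},
]

def groups_for_user(entries, username, member_attr="memberUid", group_objectclass="posixGroup"):
    """Evaluate the RFC 2307 filter locally: posixGroup entries that list the user."""
    return sorted(e["cn"][0] for e in entries
                  if group_objectclass in e.get("objectClass", [])
                  and username in e.get(member_attr, []))

def resolve_local_groups(ldap_groups, local_groups):
    """Map LDAP group names onto pfSense local groups; raise when none match,
    which is the 'group doesn't exist' error seen after a successful bind."""
    matched = [g for g in ldap_groups if g in local_groups]
    if not matched:
        raise LookupError(f"no local pfSense group matches LDAP groups {ldap_groups}")
    return matched

if __name__ == "__main__":
    print(rfc2307_group_filter("myuser"))
    print(resolve_local_groups(groups_for_user(COMPAT_ENTRIES, "bob"), {"fw_admins"}))
```

Running it prints the same filter the post shows as the successful search string, and swapping "bob" for "carol" raises the LookupError that corresponds to the missing-local-group error.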