The pfSense Store

Author Topic: LDAP and FreeIPA 4.4.1 Frustrations  (Read 216 times)

0 Members and 1 Guest are viewing this topic.

Offline chock-a-block

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
LDAP and FreeIPA 4.4.1 Frustrations
« on: July 13, 2017, 06:13:13 pm »
Just FYI, there is only one way to use FreeIPA on Pfsense 2.3.4.

You need to connect to FreeIPA over ssl using freeipa signed cert.  Maybe you can do it more simply, but this is what worked for me.

After you fill in the host, the distinguished name field needs to look something like this: cn=compat,dc=my-domain,dc=com  cn=compat matters.

Enable RFC 2307 Groups

User naming attribute:uid
Group naming attribute:cn
Group member attribute: memberUid
Group Object Class: posixGroup

The way users are set up in FreeIPA and the search method in PfSense, there's no way to filter that I could tell.  It fails on memberOf queries.  For some reason, some object classes partially work and others do not work at all.  For example, cn~=fw_admins as an extended search fails to return anything even though the query logged on the LDAP server works from ldapsearch. 

It's also important to know the "extended search" option is during the user authentication step, not filter groups.


Disabling Rfc 2307 Groups builds a different search string that fails with no way to control the attrs output.
SRCH base="cn=compat,DC=mydomain,DC=zz" scope=2 filter="(&(uid=myuser)(&(objectClass=posixGroup)(cn=fw_admins)))" attrs=ALL

A successful search string looks like this:
SRCH base="DC=mydomain,DC=zz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=myuser))" attrs="memberUid"



What happens in this scenario once you get LDAP auth working, is that any user is able to authenticate on PFSense.  However, if they don't belong to a matching pfsense local group, there is an error because their group doesn't exist.
« Last Edit: July 14, 2017, 10:26:19 am by chock-a-block »

Offline chock-a-block

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: LDAP and FreeIPA 4.4.1 Frustrations
« Reply #1 on: July 26, 2017, 05:48:27 pm »
It turns out the problem was you MUST authenticate to do an extended search.  There is no indication of denied access as anonymous user in a normal 389DS setup.  So, of course I assumed the search was permitted.  :-[

I posted revised instructions in the documentation sub-forum.
« Last Edit: July 26, 2017, 06:00:46 pm by chock-a-block »