search

opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License
3.36k stars 753 forks source link

LDAP using Google can not get the memberOf attribute #6979

Closed abdbtrgit closed 6 months ago

abdbtrgit commented 1 year ago

When using google LDAP I noticed that I can not get the memberOf attribute. so I tried ldapsearch and it was ok and I have gotten the memberOf attribute.

I reviewed the LDAP authenticate function code an noticed that it will make two connections to the LDAP server:

else { // we don't know this users distinguished name, try to find it if ($this->connect($this->ldapBindURL, $this->ldapBindDN, $this->ldapBindPassword)) { $result = $this->searchUsers($username, $this->ldapAttributeUser, $this->ldapExtendedQuery); if ($result !== false && count($result) > 0) { $user_dn = $result[0]['dn']; $ldap_is_connected = $this->connect($this->ldapBindURL, $result[0]['dn'], $password); } else { $this->lastAuthErrors['error'] = "User DN not found"; } } }

the bind user has permissions to read the group information while the login user does not have.

the issue is the connect function will update the ldaphandle variable which will reference to the second connection which in my situation does not have access to the group information.

so for quick fix I just create another new connection with the bind user. else { // we don't know this users distinguished name, try to find it if ($this->connect($this->ldapBindURL, $this->ldapBindDN, $this->ldapBindPassword)) { $result = $this->searchUsers($username, $this->ldapAttributeUser, $this->ldapExtendedQuery); if ($result !== false && count($result) > 0) { $user_dn = $result[0]['dn']; $ldap_is_connected = $this->connect($this->ldapBindURL, $result[0]['dn'], $password); $this->connect($this->ldapBindURL, $this->ldapBindDN, $this->ldapBindPassword); } else { $this->lastAuthErrors['error'] = "User DN not found"; } } }

OPNsense-bot commented 1 year ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

OPNsense-bot commented 6 months ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.