Merge c5390c53bb into cb9a5d6d69

2026-05-28 04:34:15 -04:00 · 2026-05-25 09:42:18 +08:00 · 2026-05-25 09:42:18 +08:00 · 71357e87f5
commit 71357e87f5
parent cb9a5d6d69 c5390c53bb
3 changed files with 19 additions and 1 deletions
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
@ -65,4 +65,10 @@
        <type>text</type>
        <help>Filter for group objects, should match all available group objects a user might be a member of.</help>
    </field>
+    <field>
+        <id>ldap.group_membership_mode</id>
+        <label>Group Membership Mode</label>
+        <type>dropdown</type>
+        <help>How FreeRADIUS checks LDAP group membership. Use "member filter" for Active Directory or Samba 4 with nested groups (uses LDAP_MATCHING_RULE_IN_CHAIN OID for transitive lookup).</help>
+    </field>
 </form>
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
@ -1,7 +1,7 @@
 <model>
    <mount>//OPNsense/freeradius/ldap</mount>
    <description>LDAP configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
    <items>
        <innertunnel type="BooleanField">
            <Default>0</Default>
@ -47,5 +47,13 @@
            <Default>(objectClass=posixGroup)</Default>
            <Required>N</Required>
        </group_filter>
+        <group_membership_mode type="OptionField">
+            <Default>attribute</Default>
+            <Required>Y</Required>
+            <OptionValues>
+                <attribute>memberOf attribute (POSIX / flat groups)</attribute>
+                <filter>member filter (Active Directory / Samba 4 nested groups)</filter>
+            </OptionValues>
+        </group_membership_mode>
    </items>
 </model>
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
@ -85,7 +85,11 @@ ldap {
 {%     if helpers.exists('OPNsense.freeradius.ldap.group_filter') and OPNsense.freeradius.ldap.group_filter != '' %}
                filter = "{{ OPNsense.freeradius.ldap.group_filter }}"
 {%     endif %}
+{%     if helpers.exists('OPNsense.freeradius.ldap.group_membership_mode') and OPNsense.freeradius.ldap.group_membership_mode == 'filter' %}
+                membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
+{%     else %}
                membership_attribute = 'memberOf'
+{%     endif %}
        }
        profile {
        }