upstream/opnsense-plugins
1
0
Fork 0
mirror of https://github.com/opnsense/plugins.git synced 2026-05-28 04:34:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

freeradius: add configurable LDAP group membership mode

Browse source 
Adds `group_membership_mode` to the LDAP settings (model, form, template):

- `attribute` (default): `membership_attribute = 'memberOf'` — existing
  behaviour, compatible with POSIX groups and flat LDAP structures.
- `filter`: `membership_filter` with LDAP_MATCHING_RULE_IN_CHAIN OID
  (1.2.840.113556.1.4.1941) — resolves nested group membership against
  Active Directory and Samba 4 AD DC in a single LDAP query.

The `memberOf` attribute reflects only direct memberships, breaking
`Ldap-Group ==` checks (e.g. VLAN assignment) when groups are nested.
The OID-based filter traverses the full membership chain server-side.

Default is `attribute`; existing configurations are unaffected.

Tested with Samba 4.24 AD DC and FreeRADIUS 3.2 (os-freeradius plugin).
This commit is contained in:
Jurek Kołosowski 2026-05-08 20:13:29 +02:00
parent 8ad516a76d
commit c5390c53bb
3 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
View file

@ -65,4 +65,10 @@
<type>text</type>
<help>Filter for group objects, should match all available group objects a user might be a member of.</help>
</field>
<field>
<id>ldap.group_membership_mode</id>
<label>Group Membership Mode</label>
<type>dropdown</type>
<help>How FreeRADIUS checks LDAP group membership. Use "member filter" for Active Directory or Samba 4 with nested groups (uses LDAP_MATCHING_RULE_IN_CHAIN OID for transitive lookup).</help>
</field>
</form>

10
net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
View file

@ -1,7 +1,7 @@
<model>
<mount>//OPNsense/freeradius/ldap</mount>
<description>LDAP configuration</description>
<version>1.0.1</version>
<version>1.0.2</version>
<items>
<innertunnel type="BooleanField">
<Default>0</Default>
@ -47,5 +47,13 @@
<Default>(objectClass=posixGroup)</Default>
<Required>N</Required>
</group_filter>
<group_membership_mode type="OptionField">
<Default>attribute</Default>
<Required>Y</Required>
<OptionValues>
<attribute>memberOf attribute (POSIX / flat groups)</attribute>
<filter>member filter (Active Directory / Samba 4 nested groups)</filter>
</OptionValues>
</group_membership_mode>
</items>
</model>

4
net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
View file

@ -85,7 +85,11 @@ ldap {
{% if helpers.exists('OPNsense.freeradius.ldap.group_filter') and OPNsense.freeradius.ldap.group_filter != '' %}
filter = "{{ OPNsense.freeradius.ldap.group_filter }}"
{% endif %}
{% if helpers.exists('OPNsense.freeradius.ldap.group_membership_mode') and OPNsense.freeradius.ldap.group_membership_mode == 'filter' %}
membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
{% else %}
membership_attribute = 'memberOf'
{% endif %}
}
profile {
}