<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi,<div class=""> </div><div class="">I have just got authentication against my FreeIPA system working by following this: <a href="https://ask.fedoraproject.org/en/question/63089/how-can-i-integrate-freeipa-with-pfsense-for-authentication/" target="_blank" style="color: rgb(0, 0, 0); font-variant-ligatures: normal; line-height: normal; orphans: 2; widows: 2; background-color: rgb(250, 250, 250);" class="">https://ask.fedoraproject.org/en/que...uthentication/</a> The only change I had to make was to set the Search Scope level to "entire subtree" and I also left the extended query unchecked... With that setup I am able to authenticate using "Diagnostics->Authentication". I really want to restrict access so I can use FreeIPA for our VPN auth so I tried using the following extended query but it fails: &(memberOf=cn=admins,cn=groups,cn=accounts,dc=doma in,dc=com) Looking in pfSense logs, using the extended query (fails): [24/Aug/2016:11:07:16 -0700] conn=1396 fd=116 slot=116 SSL connection from * to * [24/Aug/2016:11:07:16 -0700] conn=1396 TLS1.2 256-bit AES-GCM [24/Aug/2016:11:07:16 -0700] conn=1396 op=0 BIND dn="" method=128 version=3 [24/Aug/2016:11:07:16 -0700] conn=1396 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [24/Aug/2016:11:07:16 -0700] conn=1396 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(uid=user)(&(memberOf=cn=admins,cn=group s,cn=accounts,dc=domain,dc=com)))" attrs=ALL [24/Aug/2016:11:07:16 -0700] conn=1396 op=1 RESULT err=0 tag=101 nentries=0 etime=0 [24/Aug/2016:11:07:16 -0700] conn=1396 op=2 UNBIND [24/Aug/2016:11:07:16 -0700] conn=1396 op=2 fd=116 closed - U1 Without the query (success): [30/Aug/2016:10:23:25 -0700] conn=6432 fd=110 slot=110 SSL connection from * to * [30/Aug/2016:10:23:25 -0700] conn=6432 TLS1.2 256-bit AES-GCM [30/Aug/2016:10:23:25 -0700] conn=6432 op=0 BIND dn="" method=128 version=3 [30/Aug/2016:10:23:25 -0700] conn=6432 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [30/Aug/2016:10:23:25 -0700] conn=6432 op=1 SRCH base="cn=compat,dc=domain,dc=com" scope=2 filter="(uid=user1)” attrs=ALL [30/Aug/2016:10:23:25 -0700] conn=6432 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [30/Aug/2016:10:23:25 -0700] conn=6432 op=2 BIND dn="uid=user1,cn=users,cn=compat,dc=domain,dc=com " method=128 version=3 [30/Aug/2016:10:23:25 -0700] conn=6432 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user1,cn=users,cn=accounts,dc=domain,dc=co m" [30/Aug/2016:10:23:25 -0700] conn=6433 fd=118 slot=118 SSL connection from * to * [30/Aug/2016:10:23:25 -0700] conn=6432 op=3 UNBIND [30/Aug/2016:10:23:25 -0700] conn=6432 op=3 fd=110 closed - U1 [30/Aug/2016:10:23:25 -0700] conn=6433 TLS1.2 256-bit AES-GCM [30/Aug/2016:10:23:25 -0700] conn=6433 op=0 BIND dn="" method=128 version=3 [30/Aug/2016:10:23:25 -0700] conn=6433 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [30/Aug/2016:10:23:25 -0700] conn=6433 op=1 SRCH base="uid=user1,cn=users,cn=compat,dc=domain,dc=co m" scope=2 filter="(uid=user1)” attrs="memberOf" [30/Aug/2016:10:23:25 -0700] conn=6433 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [30/Aug/2016:10:23:25 -0700] conn=6433 op=2 UNBIND [30/Aug/2016:10:23:25 -0700] conn=6433 op=2 fd=118 closed - U1 <div class=""> </div><div class="">I changed the cn from accounts to compat for the auth container, but that doesn't make a difference. The last search shows attrs="memberOf", but anytime I add an extended query the logs show attrs="all", not sure if that means anything. I tried adding the full memberOf path under the group member attribute, but that didn't restrict access although the auth is still success. [30/Aug/2016:10:42:12 -0700] conn=6460 op=1 SRCH base="uid=user3,cn=users,cn=compat,dc=domain,dc=co m" scope=2 filter="(uid=user3)" attrs="memberof=cn=admins,cn=groups,cn=compat,dc=d omain,dc=com" [30/Aug/2016:10:42:12 -0700] conn=6460 op=1 RESULT err=0 tag=101 nentries=1 etime=0 When doing an ldapsearch, I can see the group: # admins, groups, compat, <a href="http://domain.com" class="">domain.com</a> dn: cn=admins,cn=groups,cn=compat,dc=domain,dc=com ipaAnchorUUID:: gidNumber: 50000 memberUid: admin memberUid: user1 memberUid: user2 objectClass: posixGroup objectClass: ipaOverrideTarget objectClass: ipaexternalgroup objectClass: top cn: admins Any help would be greatly appreciated.</div></div><div class=""> </div><div class="">Cheers,</div><div class="">Mike</div></body></html>