Hi folks!  I tried searching the list but didn’t see anything promising...

I had LDAP auth setup and working great on the Community version, but as soon as I upgraded to Professional (version 0.15.3.6343), it ceased allowing logins.  

A debug of the login shows:


LDAP[Connecting to xxx.xxx.xxx.xxx]
LDAP[Connected]
LDAP[Referrals][Disabled]
LDAP[Version][Set to 3]
LDAP[Bind DN called]
LDAP[Bind][cn=manager,ou=Internal,dc=example,dc=com]
LDAP[Filter][(uid=testuser)][ou=Users,ou=Accounts,dc=example,dc=com]
LDAP[Authenticate][User: testuser][Bind user: cn=Test User,ou=Users,ou=Accounts,dc=example,dc=com]
LDAP[Authenticate][Comparing: cn=admins,ou=Groups,ou=Accounts,dc=example,dc=com][member=cn=Test User,ou=Users,ou=Accounts,dc=example,dc=com]
LDAP[Authenticate][Compare LDAP error: No such object]

So this part looked a bit strange to me:

LDAP[Authenticate][Comparing: cn=admins,ou=Groups,ou=Accounts,dc=example,dc=com][member=cn=Test User,ou=Users,ou=Accounts,dc=example,dc=com]

(notice the strange "member=cn=…" part)

My config is:

// Begin LDAP Config
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_binddn'] = "cn=manager,ou=Internal,dc=example,dc=com";
$config['auth_ldap_bindpw'] = "PASSWORD_HERE";
$config['auth_ldap_attr']['uid'] = "uid";
$config['auth_ldap_attr']['uidNumber'] = "uidNumber";
$config['auth_ldap_attr']['cn'] = "cn";
$config['auth_ldap_objectclass'] = "inetOrgPerson";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "LDAP_SERVER_IP";
$config['auth_ldap_port']   = 389;
$config['auth_ldap_prefix'] = "cn=";
$config['auth_ldap_suffix'] = ",ou=Users,ou=Accounts,dc=example,dc=com";
$config['auth_ldap_group']  = array("cn=admins,ou=Groups,ou=Accounts,dc=example,dc=com");
$config['auth_ldap_groupbase'] = "ou=Groups,ou=Accounts,dc=example,dc=com";
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['admins']['level'] = 10;
// End LDAP Config

Again, this same config works like a champ on the community edition.  Did something change with LDAP auth in the professional edition?  Am I missing something?

Thanks!

—George

George Phillips
www.pfsense.org
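As an added illustration (not part of George's message and not the product's own code), a small Python model of the group check the debug trace shows: the member DN is assembled from auth_ldap_prefix, the user's cn and auth_ldap_suffix, then an LDAP Compare of that DN is run against the member attribute of each DN in auth_ldap_group. The in-memory directory, its crude read ACL and the bind DNs are constructed for the example; it shows that a Compare answers "No such object" (resultCode 32) when the group entry is absent or, on servers that hide unreadable entries, not visible to the bound DN, and compareFalse (5) when only the member value fails to match.

```python
# Added example: in-memory model of an LDAP Compare based group check using
# the DNs from the post. Directory, ACL and bind DNs are constructed; no real
# LDAP server is contacted and no LDAP library is needed.
NO_SUCH_OBJECT, COMPARE_FALSE, COMPARE_TRUE = 32, 5, 6  # RFC 4511 resultCodes

CONFIG = {  # the keys from the posted config that drive the group check
    "auth_ldap_prefix": "cn=",
    "auth_ldap_suffix": ",ou=Users,ou=Accounts,dc=example,dc=com",
    "auth_ldap_group": ["cn=admins,ou=Groups,ou=Accounts,dc=example,dc=com"],
    "auth_ldap_groupmemberattr": "member",
    "auth_ldap_groupmembertype": "fulldn",
}
MANAGER = "cn=manager,ou=Internal,dc=example,dc=com"
USER_DN = "cn=Test User,ou=Users,ou=Accounts,dc=example,dc=com"
GROUP_DN = "cn=admins,ou=Groups,ou=Accounts,dc=example,dc=com"


def norm(dn: str) -> str:
    """Case- and whitespace-insensitive DN form, enough for this model."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed directory: each entry holds its attributes plus the set of
# bind DNs allowed to read it (a stand-in for server-side access control).
DIRECTORY = {
    norm(USER_DN): {"attrs": {"uid": ["testuser"], "cn": ["Test User"]},
                    "readable_by": {norm(MANAGER)}},
    norm(GROUP_DN): {"attrs": {"member": [USER_DN]},
                     "readable_by": {norm(MANAGER)}},
}


def ldap_compare(directory, bind_dn, entry_dn, attr, value):
    """Model of LDAP Compare: the entry must exist and be visible to the
    bound identity (else 32 noSuchObject); only then is the attribute
    assertion evaluated (6 compareTrue / 5 compareFalse)."""
    entry = directory.get(norm(entry_dn))
    if entry is None or norm(bind_dn) not in entry["readable_by"]:
        return NO_SUCH_OBJECT
    held = {norm(v) for v in entry["attrs"].get(attr, [])}
    return COMPARE_TRUE if norm(value) in held else COMPARE_FALSE


def check_groups(directory, cfg, bind_dn, cn):
    """Reproduce the check in the trace: build prefix + cn + suffix
    (groupmembertype=fulldn) and compare it against the configured member
    attribute of every group listed in auth_ldap_group."""
    member_value = cfg["auth_ldap_prefix"] + cn + cfg["auth_ldap_suffix"]
    attr = cfg["auth_ldap_groupmemberattr"]
    return {g: ldap_compare(directory, bind_dn, g, attr, member_value)
            for g in cfg["auth_ldap_group"]}
```

A bind DN that cannot read the group entry gets the same code 32 as a missing group, so confirming that the group DN exists and is readable by the configured bind DN is a useful first check before looking at the member value.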