At our organisation we have a central LDAP database that contains administrative information. For Unix purposes, it's only useful for PAM auth, as its schema does not contain the requisite POSIX attributes required by Unix accounts. Nevertheless, it is still very useful for password authentication because the 24/7 service our organisation provides for password reset and management can be leveraged when authenticating against this LDAP source.
On my FreeBSD and Linux servers, this means I can have the PAM auth component for services in pam.d work to do password authentication using the user's organisation password, yet all the account data still comes from local accounts on the system. The upshot is that if the user forgets his or her password, they don't come to me, they go to the organisational 4HELP. :-)

Is it possible to use this kind of setup on pfSense 2? It almost seems to work for me, but maybe I am doing something wrong. The authentication part works, but, because there are no "Group" attributes in our central LDAP, the user seems to become a member of no groups when logging in. This appears to throw pfSense for a loop. :-)

It would be nice if pfSense would fall back to Local Database attributes when LDAP doesn't provide them, or, maybe better still, if a new "blended" authentication method of "LDAP auth + Local Database Attributes" was available that used LDAP for auth but the Local Database for account information such as real name, groups, etc. This latter approach is how applications such as Redmine use LDAP authentication.

Cheers,
Paul.

_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
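The "LDAP for the password, local files for everything else" split described in the post, written out as a PAM stack. This is an added example, not configuration from the post or from pfSense: it assumes a FreeBSD host with pam_ldap.so installed from the security/pam_ldap port (directory settings in /usr/local/etc/ldap.conf) and an /etc/pam.d/sshd policy; every account must still exist in the local passwd file, because sshd resolves the user locally before PAM runs and the directory carries no POSIX attributes.

```text
# /etc/pam.d/sshd (assumed layout, FreeBSD style)
#
# auth: check the organisation password against LDAP first, then fall
# back to the local password database. The fallback keeps local-only
# accounts (root, emergency users) working; for directory users, set
# the local password field to "*" so the local hash is not a second
# valid credential.
auth        sufficient  /usr/local/lib/pam_ldap.so    try_first_pass
auth        required    pam_unix.so                   no_warn try_first_pass

# account: never consult LDAP here. Account existence, expiry,
# login.access rules and group membership come from the local
# passwd/group files only, so missing directory attributes are harmless.
account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session: local only as well.
session     required    pam_permit.so

# password: refuse local changes so users go to the central 24/7
# reset service instead of ending up with a stale local hash.
password    required    pam_deny.so
```

Group membership for these users is whatever the local group file says, which is the behaviour the post asks pfSense to fall back to.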