so after a bit of playing around i ended up figuring out how to get it working. i'm not the best with certs but here is a video for how to configure:
https://www.youtube.com/watch?v=kHXRvdLpXmk
steps:
list itemBefore anything, follow the instructions on JumpCloud for setting up LDAP and binding a user to LDAP: https://support.jumpcloud.com/support/s/article/using-jumpclouds-ldap-as-a-service1
The following command outputs the certificate authority to the /tmp/ directory as jumpcloud.chain.pem.
echo -n | openssl s_client -connect ldap.jumpcloud.com:636 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/jumpcloud.chain.pem
Skip the first certificate of the chain.
Add the next 3 certificates in the chain individually as Certificate Authorities in pfSense using the following settings:
System > Cert. Manager > CAs tab > Add
Descriptive name: JumpCloud CA (add a 1, 2, and 3 after each certificate)
Method: Import an Existing Ceritifcate Authority
Trust Store: check this box
Randomize Serial: check this box
Certificate Data: paste the single certificate here
Save
The following command outputs only the JumpCloud LDAP Server certificate to the /tmp/ directory as jumpcloud.ldap.pem
echo -n | openssl s_client -connectldap.jumpcloud.com:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/jumpcloud.ldap.pem
Add the Server Certificate to pfSense.
System > Cert. Manager > Certificates tab > Add/Sign
Method: Import an Existing Certificate
Descriptive name: JumpCloud Server Certificate
Certificate data: paste the certificate here
Save
If you don't have a JumpCloud account set up and bound to LDAP, you'll need to do that first.
You can use your account or create a new user. There only needs to be one bound account but there can be multiple.
In JumpCloud:
Users > Select the user you'd like bound to LDAP > User Security Settings and Permissions > check the Enable as LDAP Bind DN box and Save user
LDAP > Add a new LDAP server > Add the user groups or users
Create the LDAP Server in pfSense
NOTE: you can get YOUR_ORG_ID from JumpCloud's Settings page
System > User Manager > Authentication Servers tab > Add
LDAP Server Settings:
Type: LDAP
Hostname or IP Address: ldap.jumpcloud.com
Port Value: 636 (SSL)
Transport: SSL - Encrypted
Peer Certificate Authority: JumpCloud LDAPS SSL Client Certificate
Protocol Version: 3
Search Scope - Level: Entire Subtree
Search Scope - Base DN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Authentication Containers: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Extended Query: &(objectClass=inetOrgPerson)(uid=*)
Bind Credentials - User DN: uid= ldap-binding user,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Bind Credentials - Password: ldap-binding-user's-password
User Naming Attribute: uid
Group Naming Attribute: cn
Group Member Attribute: memberOf
Group Object Class: groupOfNames
Save
Test the authentication in pfSense
Diagnostics > Authentication > LDAP
put in your user name and password and click Test
You should see a green box indicating success
Setting up OpenVPN:
Type of Server: LDAP
LDAP servers: Choose the JumpCloud LDAP server you created in the previous steps
Certificate Authority: choose the OpenVPN authority you created earlier
Certificate: Choose the OpenVPN certificate you created earlier
Change any other settings to your liking and you're all set.
