Netgate Discussion Forum

    HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2

    28 Posts 11 Posters 56.7k Views
      GruensFroeschli

      stickied :)

      To point 2:
      2. Edit the oppenvpn_server conf in /var/etc for the instance you want to auth against LDAP, adding the line: plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn-auth-ldap.conf

      Couldn't you add this line to the "custom commands" box?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        minus

        A fine point :) Edited to reflect that.

          Zeenix

          I am having some problems with the installation on pfSense 1.2.2

          I have done the following from SSH:

          #setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/
          #pkg_add -r openvpn-auth-ldap
          #pkg_add -r gcc43
          #pkg_add -r gmake
          #pkg_add -r texinfo
          #ln -s /usr/local/lib/gcc-4.3.4/libobjc.so.2 /usr/local/lib/libobjc.so.3

          Created the file ‘/usr/local/etc/openvpn-auth-ldap.conf’

          Added the following under ‘Custom options’ from within the WebGUI and OpenVPN Server:

          plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn-auth-ldap.conf

          However, I get the following error:
          Apr 30 12:32:17 openvpn[6946]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008
          Apr 30 12:32:17 openvpn[6946]: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-ldap.so: Shared object "libgssapi.so.9" not found, required by "libldap-2.4.so.6": Invalid argument (errno=22)
          Apr 30 12:32:17 openvpn[6946]: Exiting

            selfunemployed

            I am experiencing the exact problem above with libgssapi.so.9 not found.

            Has anyone resolved this issue?

              Zeenix

              I did not manage to get it working with 1.2.2, so I tried with the newly released 1.2.3-RC1 and everything is working great now :)

              1.2.3-RC1 has been very stable for me; it has not been down once since I installed it at two locations. They are both connected with an IPsec VPN and one of them has OpenVPN with around 25 users.

              The number One Firewall …

                mikenchi

                I'm guessing this is not possible on embedded version correct?

                  GruensFroeschli

                  On the embedded version, everything is possible that is available on the full version.
                  The only difference is that the package manager is disabled and the filesystem is mounted read-only.

                    afvadmin

                    By having the clients type in a user name and password, would this give them more privileges, like if they were physically on the network? E.g., if I am just a domain user I would have basic privileges, so I wouldn't have access to files that can be accessed by administrators.

                      vito

                      If anyone is interested, the auth-ldap.conf code below should work with Active Directory.
                      A few things were modified from the code on the OP link, so back up your current conf file if you have one.
                      I did a quick test against a SBS2003 server.
                      I added a security group called "OpenVPNUsers" and added users to that group for OpenVPN access.
                      So, the user will need to be part of that group for OpenVPN access.
                      I need to test a bit more when I am off site next, but it seemed to work fine the first time around.

                      Somewhere in another thread it was noted that people are using the administrator account for AD lookups; if you are, please change to a non-admin account.
                      I would also change your administrator password if you have been using it for lookups.

                      You should also add this line to your clients if you do not want your passwords cached on the client side.
                      auth-nocache

                      Key fields: make sure you add your info for the URL, cn=BindUser, BindUserPassWord, and the SearchFilter for the group name.

                      <LDAP>
                              # LDAP server URL
                              URL             ldap://Enter Your DC IP /Hostname here

                              # Bind DN (If your LDAP server doesn't support anonymous binds)
                              BindDN          cn=BindUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local

                              # Bind Password
                              Password        BindUserPassWord

                              # Network timeout (in seconds)
                              Timeout         15

                              # Enable Start TLS
                              # TLSEnable     no

                              # Follow LDAP Referrals (anonymously)
                              FollowReferrals no

                              # TLS CA Certificate File
                              TLSCACertFile   /usr/local/etc/ssl/ca.pem

                              # TLS CA Certificate Directory
                              TLSCACertDir    /etc/ssl/certs

                              # Client Certificate and key
                              # If TLS client authentication is required
                              TLSCertFile     /usr/local/etc/ssl/client-cert.pem
                              TLSKeyFile      /usr/local/etc/ssl/client-key.pem

                              # Cipher Suite
                              # The defaults are usually fine here
                              # TLSCipherSuite  ALL:!ADH:@STRENGTH
                      </LDAP>

                      <Authorization>
                              # Base DN
                              BaseDN          "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local"

                              # User Search Filter
                              SearchFilter    "sAMAccountName=%u"

                              # Require Group Membership
                              RequireGroup    true

                              # Add non-group members to a PF table (disabled)
                              #PFTable        ips_vpn_users

                              <Group>
                                      BaseDN          "OU=Security Groups,OU=MyBusiness,DC=domain,DC=local"
                                      SearchFilter    "CN=OpenVPNUsers"
                                      MemberAttribute Member
                                      # Add group members to a PF table (disabled)
                                      #PFTable        ips_vpn_eng
                              </Group>
                      </Authorization>

                      Tested with pfSense 1.2.3-RC3

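                      A config like the one above is worth sanity-checking before the OpenVPN server is restarted with the plugin enabled. As an added example (not vito's code and not the plugin's own code), the following Python parses the plugin's <LDAP>/<Authorization>/<Group> format and flags the points raised in this thread: a plain ldap:// URL with TLS left off, an Administrator bind account, and RequireGroup not set; the sample config, host name and DNs are constructed placeholders.

```python
import re

# Constructed sample modelled on the AD config posted above; host and DNs are placeholders.
SAMPLE_CONF = """
<LDAP>
    URL             ldap://dc1.example.local
    BindDN          cn=BindUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local
    Password        BindUserPassWord
    # TLSEnable     no
</LDAP>
<Authorization>
    BaseDN          "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local"
    SearchFilter    "sAMAccountName=%u"
    RequireGroup    true
    <Group>
        SearchFilter    "CN=OpenVPNUsers"
        MemberAttribute Member
    </Group>
</Authorization>
"""

def parse_conf(text):
    """Return nested dicts {section: {key: value, subsection: {...}}}, names lower-cased."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank line or comment
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag and tag.group(1):                      # closing tag: back to parent section
            cur = stack.pop()
        elif tag:                                     # opening tag: descend into new section
            stack.append(cur)
            cur = cur.setdefault(tag.group(2).lower(), {})
        else:                                         # "Key value" line, value may be quoted
            key, value = (line.split(None, 1) + [""])[:2]
            if len(value) > 1 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            cur[key.lower()] = value
    if stack:
        raise ValueError("unclosed section in config")
    return root

def audit(conf):
    """Return findings for settings that weaken the LDAP authentication path."""
    ldap, authz = conf.get("ldap", {}), conf.get("authorization", {})
    findings = []
    if ldap.get("url", "").startswith("ldap://") and ldap.get("tlsenable", "no").lower() != "yes":
        findings.append("plaintext ldap:// without TLSEnable: bind and user passwords cross the wire in clear; use ldaps:// or TLSEnable yes")
    if "cn=administrator" in ldap.get("binddn", "").lower():
        findings.append("BindDN is the Administrator account: use a dedicated low-privilege bind user")
    if authz.get("requiregroup", "false").lower() != "true":
        findings.append("RequireGroup is not true: every account that can bind gets VPN access")
    elif "group" not in authz:
        findings.append("RequireGroup true but no <Group> section: group gating is not configured")
    return findings
```

Run `audit(parse_conf(open("/usr/local/etc/openvpn-auth-ldap.conf").read()))` on the real file; an empty list means none of the checks fired.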
                        Ritmo2k

                        It would seem that in 1.2.3 Release, the gcc43 package lacks the required libobjc.so.2.

                        # pkg_add -r gcc42
                        # find / -name "*libobjc*"
                        /usr/local/lib/gcc-4.2.5/libobjc.so.2
                        /usr/local/lib/gcc-4.2.5/libobjc.so
                        /usr/local/lib/gcc-4.2.5/libobjc.a
                        # ln -s /usr/local/lib/gcc-4.2.5/libobjc.so.2 /usr/local/lib/libobjc.so.3
                        
                        # pkg_add -r openvpn-auth-ldap
                        

                        This also avoids the "libgssapi.so.9 not found" issue some other methods seem to produce.

                          eureka

                          Hi all,
                          I've got a solution to this issue with the libgssapi problems. I'll post it back later tonight after I get a chance to write it up.

                            Ritmo2k

                            eureka,
                            Any news on that solution? I have seen it a few times now, with no reason as to why it may or may not happen.

                              eureka

                              Here's the simple solution.
                              Install the following package. (from pfsense ssh/console)
                              pkg_add -r heimdal
                              Fix the link on your system. (from pfsense ssh/console)
                              ln -s /usr/local/lib/libgssapi.so.2 /usr/local/lib/libgssapi.so.9

                              Restart your OpenVPN server. Make sure your connection to your LDAP server is setup correctly.
                              I have this working now in a soon-to-be production system connecting to a currently production ldaps system.

                              Explanation.
                              For whatever reason the libgssapi package is not already installed and is not getting installed on most systems using the "default" pfSense repositories set on your system. I did not want to change my repos as it can mess up dependencies for other packages or things you have installed or will install later. This solution will work on a full default-stock pfSense install of 1.2.3 stable.

                              Full start-to-finish setup.
                              http://fusionnetwork.us/index.php/component/content/article/15-general-tutorials/31-howto-setup-openvpn-with-ldap-integration-on-pfsense-123

                                federicoha

                                I am trying to add LDAP authentication to my current OpenVPN.

                                For testing, I downloaded a VMware image of pfSense version 1.2.3, configured a similar OpenVPN, and it works OK.

                                I followed the steps in eureka's link (http://fusionnetwork.us/index.php/component/content/article/15-general-tutorials/31-howto-setup-openvpn-with-ldap-integration-on-pfsense-123), and it works OK without the plugin line.

                                If I put in the plugin line

                                plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn-auth-ldap.conf
                                

                                then OpenVPN doesn't start:

                                Apr 19 13:31:05 	openvpn[1135]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Apr 16 2009
                                Apr 19 13:31:03 	openvpn[428]: SIGTERM[hard,] received, process exiting
                                Apr 19 13:31:03 	openvpn[428]: /etc/rc.filter_configure tun0 1500 1542 192.168.7.1 192.168.7.2 init
                                Apr 19 13:31:03 	openvpn[428]: event_wait : Interrupted system call (code=4)
                                

                                I don't understand what happened, but just to try, I changed openvpn-auth-ldap.so to openvpn-auth-pam.so and OpenVPN starts, but authentication doesn't work.

                                I installed all the packages that eureka says. Has someone managed to get OpenVPN working with LDAP using this tutorial?
                                Why can't OpenVPN start?

                                Thanks for your help.

                                Regards.

                                  eureka

                                  That's an interesting error!
                                  Try reinstalling openvpn. That may solve the issue.

                                  From Command line run the following:
                                  pkg_add -r openvpn

                                  That should force a reinstall of the openvpn package and its needed packages… Let me know if this fixes things for you.
                                  If not, I can try to create a vhost image for you to check out. It could possibly be something set up in the vhost image you are using.

                                  -E

                                    federicoha

                                    eureka, thanks for your answer.

                                    I tried what you suggested, but I cannot reinstall OpenVPN:

                                    # pkg_add -r openvpn
                                    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
                                    pkg_add: package 'openvpn-2.0.6_9' or its older version already installed
                                    #
                                    

                                    I tried to force a reinstall, but it always tells me the same:

                                    # pkg_add -F -r openvpn
                                    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
                                    pkg_add: package 'openvpn-2.0.6_9' or its older version already installed (ignored)
                                    

                                    Btw, I tried to connect the client again to see if something changed, but I cannot.

                                    Can we try with the vhost you told me about?

                                    Thanks in advance.

                                    Regards.

                                      eureka

                                      I'll see what I can do to get a vhost set up for you to play with.
                                      Do you prefer vmware or xen?

                                      -E


                                        federicoha

                                        VMware please, if you can.

                                        Thanks.

                                          eureka

                                          Hi,
                                          I've uploaded a virtual appliance of this here.

                                          www.fusionnetwork.us/tutorials/uploads/pfsense/PfSense_withOpenVPN_LDAP.zip

                                          This should work once you configure the ldap side of things correctly. If you still are having problems please post back. Also… Sorry this took so long to upload... Work is crazy o.0

                                          -E

                                            federicoha

                                            Eureka, thanks for your time.

                                            I downloaded your appliance and it works OK; I only have a problem right now with the connection to AD, but that is my problem now :)

                                            When I get it to work, I'll let you know...

                                            Thanks for your help again...

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.