LDAP parameters for OpenVPN on pfSense 2.0
-
Hey all, trying to set up LDAP authentication for OpenVPN against my SME Server LDAP, but I'm getting stuck on some of the parameters. Can anyone assist?
Hostname or IP address = x.x.x.x (my SME server IP goes here)
Port value = 389
Transport = TCP-Standard
Protocol version = 3
Level: One level
Base DN = ?? (forums suggest dc=company;dc=com)
Authentication containers = ?? (again, forums suggest ou=Users;dc=company;dc=com)
Bind credentials = Use anonymous ticked
Initial template = OpenLDAP
User naming attribute = ?? (default is cn)
Group naming attribute = ?? (default again is cn)
Group member attribute = ?? (default is member)
Putting in dc=company;dc=com and hitting select gives me this --> http://imageshack.us/photo/my-images/200/pfsenseldap.jpg/
but Diagnostics: Authentication fails.
I've got a contrib installed that lets me see my LDAP schema, which results in this pic --> http://imageshack.us/photo/my-images/121/phpldapinfo.jpg/
Any advice/help appreciated!
Craig.
-
Can any members that have this working assist on this?
Thank you in advance.
-
I'm also interested. This is my next project.
-
Hi,
I have OpenVPN authenticating against my OpenLDAP server. It's not happening as I would like it to, but this may get you started:
From your jpegs the distinguishedName of your users is in the format: uid=name,ou=Users,dc=hn,dc=local
So... your BaseDN should be: ou=Users,dc=hn,dc=local
Level: One Level
Set your Authentication Container to the same: ou=Users,dc=hn,dc=local
User naming attribute should be: uid (as that is what you use!)
Group naming attribute and Group member attribute make little difference at this point.
This will allow ANYONE in your ou=Users tree to log in. Which may, or more likely, may not, be what you want. And this is the problem I'm having.
I have a user with the DN of: uid=fred,ou=people,dc=example,dc=com
Setting the VPN up as above, he can connect successfully and the logs say:
openvpn: : Now Searching for fred in directory.
openvpn: : Now Searching in server MyLDAP, container ou=people,dc=example,dc=com with filter (uid=fred).
Logged in successfully as fred via LDAP server MyLDAP with DN = uid=fred,ou=people,dc=example,dc=com.
openvpn: user fred authenticated
I'm guessing that, like me, you want only users in your cn=pmb_vpn group to have access. From your images I can't see if your vpn group is static or dynamic. That said, I can't get either to work. I think that dynamic groups are a no-no on account of how they are searched, but I have a static group and it still doesn't work. The static group (cn=vpn,ou=groups,dc=example,dc=com) has the following members who may use the VPN:
member: uid=fred,ou=people,dc=example,dc=com
member: uid=joe,ou=people,dc=example,dc=com
etc.
I set my Authentication Container to: cn=vpn,ou=groups,dc=example,dc=com
User naming attribute remains: uid
Group naming attribute: cn
Group member attribute: member
And I try the VPN with the user fred... but I get the following log:
openvpn: : Now Searching for fred in directory.
openvpn: : Now Searching in server MyLDAP, container cn=vpn,ou=groups,dc=example,dc=com with filter (uid=fred).
openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
openvpn: user fred could not authenticate.
And the VPN doesn't authenticate :(
Ideally I need it to filter the ou=people branch with: "(&(uid=fred)(vpnUser=true))", as I have a bespoke attribute vpnUser which is either true or false for each user (that is how the dynamic vpn group was created).
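To make the failure mode in the logs above concrete, here is an added example (not code from pfSense or from the poster) that models a one-level LDAP search over a constructed in-memory directory: it shows why a `(uid=fred)` search under the group container finds nothing, and how the working alternatives (look the user up under ou=people, then check the static group's member attribute, or add the `vpnUser=true` term to the filter) behave. The directory contents, the `vpnUser` attribute and the function names are assumptions built from the thread.

```python
# Constructed in-memory directory standing in for the LDAP server in the thread.
# Each DN maps to its attributes; values are lists, as in LDAP.
DIRECTORY = {
    "uid=fred,ou=people,dc=example,dc=com": {"uid": ["fred"], "vpnUser": ["true"]},
    "uid=joe,ou=people,dc=example,dc=com": {"uid": ["joe"], "vpnUser": ["false"]},
    "cn=vpn,ou=groups,dc=example,dc=com": {
        "cn": ["vpn"],
        "member": ["uid=fred,ou=people,dc=example,dc=com"],
    },
}


def one_level(container):
    """DNs directly beneath the container (pfSense 'One Level' scope, no subtree)."""
    suffix = "," + container.lower()
    return [
        dn for dn in DIRECTORY
        if dn.lower().endswith(suffix) and "," not in dn[: -len(suffix)]
    ]


def search(container, required):
    """Entries under container matching every (attribute, value) pair: an AND filter."""
    return [
        dn for dn in one_level(container)
        if all(v in DIRECTORY[dn].get(a, []) for a, v in required.items())
    ]


def lookup_user(username, container, naming_attr="uid", extra=None):
    """Mimic the pfSense lookup: exactly one hit returns the DN, anything else is
    the 'search failed, or multiple users were found' case and returns None."""
    hits = search(container, {naming_attr: username, **(extra or {})})
    return hits[0] if len(hits) == 1 else None


def in_static_group(user_dn, group_dn, member_attr="member"):
    """Second step: is the user's DN listed in the group's member attribute?"""
    return user_dn in DIRECTORY.get(group_dn, {}).get(member_attr, [])


if __name__ == "__main__":
    people, group = "ou=people,dc=example,dc=com", "cn=vpn,ou=groups,dc=example,dc=com"
    print(lookup_user("fred", people))          # the DN: search under ou=people works
    print(lookup_user("fred", group))           # None: no uid entries live under the group
    fred = lookup_user("fred", people)
    print(in_static_group(fred, group))         # True: fred is a member of cn=vpn
    print(lookup_user("joe", people, extra={"vpnUser": "true"}))  # None: filtered out
```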
-
Any news about pfSense 2 authenticating against SME8 LDAP?
I'd like to have it running SquidProxy/DansGuard authenticated!
-
Hi,
I am interested too... (pfSense v2.0.1)
But can't get it working so far...
But keep trying...
Regards,