    Need help with Active Directory configuration

Category: General pfSense Questions (16 posts, 4 posters)
keyser (Rebel Alliance):

Could you please post a picture of your updated LDAP auth page.

As I understand it, you have created a user in AD, and you have added that user to the "Account Operators" group, so that is all the prerequisites taken care of. Thus it must be your settings.

      Love the no fuss of using the official appliances :-)

TyMac:

By LDAP you mean my pfSense configuration, right? I have attached that. The pfsense user is in AD in the Router Admins, Domain Users, and Account Operators groups. There is no pfsense user on the router, but I do have a Router Admins group.

[attachment: update_idauth.png]

keyser (Rebel Alliance):

          Hi

          1: The USERS folder in AD is actually not an OU but a Container (CN), so the proper path for authentication container would be: CN=Users,DC=Gamer,DC=local

          2: Can't recall if domain\ notation works. I use user@gamer.local for the username.

          That should work and sorry about the late replies :-)

TyMac:

            @keyser:

            Hi

            1: The USERS folder in AD is actually not an OU but a Container (CN), so the proper path for authentication container would be: CN=Users,DC=Gamer,DC=local

            2: Can't recall if domain\ notation works. I use user@gamer.local for the username.

            That should work and sorry about the late replies :-)

            Still not working - if I hit select beside Authentication containers I should be able to connect, correct? I cannot.

keyser (Rebel Alliance):

Okay, that's really weird. Are you sure the user you entered can log on to your AD (try logging in on a workstation or connecting to a share with that login)?
Are you sure you entered the correct address for your domain controller?
Are you sure unencrypted LDAP on port 389 is open on your domain controller?

marvosa:

OP, assuming your DC is at 192.168.80.100 and your domain is "gamer.local", it looks like you're close. Just wanted to share what I see from my working config and yours. Let's get it connected first, then you can refine it if necessary:

• No Peer Certificate Authority configured. (This probably doesn't matter, but it's something I see that's different.)

• Your Authentication containers should read: "CN=Users,DC=gamer,DC=local"

• Under Bind credentials, for "User DN:" enter the short name (e.g. DOMAIN\User), i.e. use "gamer\administrator"

• Enter the password for the "administrator" account

• Click Save

All of your other options are identical to mine. At this point, you should be able to click on the "Select" button in the "Authentication containers" section and it should pull up all of your current containers and OUs.

TyMac:

Ok, using an account with domain admin privs allowed me to connect. I then clicked on Select in Authentication containers and chose CN=Users,DC=gamer,DC=local. After that I clicked on Diagnostics >> Authentication and tested connecting with the same admin user, which worked and told me that user was part of the "Router Admins" group. I had added that user to that group while setting up the initial AD config.

                  So thanks! Should there be any settings I should invest in configuring to help lock down AD access?

keyser (Rebel Alliance):

With the current config you are not testing if a user is a member of the "Router Admins" group. You are simply testing if the user exists in the USERS container in AD.
If you want to test for group membership you need to use the extended query feature to check the memberOf attribute.

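To make the two points in this thread concrete (marvosa's container and bind-name settings, and keyser's point that without an extended query pfSense only checks that the user exists under CN=Users), here is an added Python model of that authorization decision. It is example code written for this page, not pfSense code and not anyone's real configuration. The directory entries are constructed; the location of the "Router Admins" group under CN=Users is an assumption (the thread never says where it lives); and the `memberOf=<group DN>` form is the single `attribute=value` term the pfSense Extended query field takes. The filter-value escaping follows RFC 4515 so a group name containing `(`, `)` or `*` cannot break the query.

```python
import re

# Constructed sample values for this example. Only "gamer.local", the CN=Users
# container and a "Router Admins" group appear in the thread; everything else
# below is assumed.
DOMAIN = "gamer.local"
ROUTER_ADMINS_DN = "CN=Router Admins,CN=Users,DC=gamer,DC=local"  # assumed location

SAMPLE_DIRECTORY = [  # constructed, not a dump of a real directory
    {"dn": "CN=Administrator,CN=Users,DC=gamer,DC=local",
     "sAMAccountName": "administrator",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=gamer,DC=local", ROUTER_ADMINS_DN]},
    {"dn": "CN=pfsense,CN=Users,DC=gamer,DC=local",
     "sAMAccountName": "pfsense",
     "memberOf": [ROUTER_ADMINS_DN, "CN=Account Operators,CN=Builtin,DC=gamer,DC=local"]},
    {"dn": "CN=Guest Gamer,CN=Users,DC=gamer,DC=local",
     "sAMAccountName": "guest",
     "memberOf": ["CN=Domain Users,CN=Users,DC=gamer,DC=local"]},
    {"dn": "CN=svc backup,OU=Service Accounts,DC=gamer,DC=local",
     "sAMAccountName": "svcbackup",
     "memberOf": [ROUTER_ADMINS_DN]},  # in the group, but outside CN=Users
]


def base_dn(domain):
    """'gamer.local' -> 'DC=gamer,DC=local'."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def authentication_container(domain):
    """The default Users folder is a container (CN), not an OU (keyser's point 1)."""
    return f"CN=Users,{base_dn(domain)}"


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def extended_query(group_dn):
    """pfSense 'Extended query' term that requires membership of group_dn."""
    return f"memberOf={escape_filter_value(group_dn)}"


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison key (does not handle escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_container(entry_dn, container_dn):
    """True when entry_dn sits beneath container_dn."""
    return normalize_dn(entry_dn).endswith("," + normalize_dn(container_dn))


def login_to_account_name(login):
    """Accept 'DOMAIN\\user', 'user@gamer.local' or plain 'user' and return the account name."""
    if "\\" in login:
        return login.split("\\", 1)[1].lower()
    return login.split("@", 1)[0].lower()


def find_user(login, container_dn, directory=SAMPLE_DIRECTORY):
    """The existence check pfSense does with only an authentication container set."""
    name = login_to_account_name(login)
    for entry in directory:
        if entry["sAMAccountName"].lower() == name and in_container(entry["dn"], container_dn):
            return entry
    return None


def matches_extended_query(entry, query):
    """Evaluate one 'attribute=value' term against a single directory entry."""
    attribute, _, raw_value = query.partition("=")
    wanted = unescape_filter_value(raw_value)
    values = next((v for k, v in entry.items() if k.lower() == attribute.lower()), [])
    if isinstance(values, str):
        values = [values]
    if attribute.lower() == "memberof":
        return any(normalize_dn(v) == normalize_dn(wanted) for v in values)
    return wanted.lower() in [str(v).lower() for v in values]


def authorize(login, container_dn, query=None, directory=SAMPLE_DIRECTORY):
    """Container-only check when query is None; container plus group check otherwise."""
    entry = find_user(login, container_dn, directory)
    if entry is None:
        return False
    return True if query is None else matches_extended_query(entry, query)


if __name__ == "__main__":
    container = authentication_container(DOMAIN)
    query = extended_query(ROUTER_ADMINS_DN)
    print("Authentication container:", container)
    print("Extended query:", query)
    for login in ("gamer\\administrator", "guest@gamer.local", "svcbackup"):
        only_container = authorize(login, container)
        with_group = authorize(login, container, query)
        print(f"{login:24} container only: {only_container}  with extended query: {with_group}")
```

Running it shows the difference keyser describes: the constructed "guest" account passes when only the container is configured and is rejected once the memberOf term is added, while "svcbackup" is rejected either way because it lives outside CN=Users even though it is in the group. That second case is the reason to pick the container deliberately: the extended query narrows the set of users, it does not widen it.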
TyMac:

                      @keyser:

With the current config you are not testing if a user is a member of the "Router Admins" group. You are simply testing if the user exists in the USERS container in AD.
If you want to test for group membership you need to use the extended query feature to check the memberOf attribute.

                      I'm still pretty new to LDAP notation. Can you tell me what my extended query string should look like?

TyMac:

                        Also, I still cannot actually log in with the AD admin user. Not sure what else I need to configure.

doktornotor (Banned):

                          @TyMac:

                          Also, I still cannot actually log in with the AD admin user.

                          Cannot log in where? You know, this works just fine here for the WebGUI, with RouterAdmins AD group, and same pfS local group with proper permissions assigned. Worked in 2.1.x, still works with 2.2. Also working for OpenVPN + Radius/AD.

                          Post some logs/info, nothing to work with here!

TyMac:

                            @doktornotor:

                            @TyMac:

                            Also, I still cannot actually log in with the AD admin user.

                            Cannot log in where? You know, this works just fine here for the WebGUI, with RouterAdmins AD group, and same pfS local group with proper permissions assigned. Worked in 2.1.x, still works with 2.2. Also working for OpenVPN + Radius/AD.

                            Post some logs/info, nothing to work with here!

Can't log in to the pfSense web admin page with the admin AD user I created that works with the bind credentials parameter. What log do you want me to post?
