LDAP Auth and FreeIPA 4.4.1
-
I posted this less complete in another sub-forum and thought it might be helpful here.
Just FYI, there is only one way to use FreeIPA on pfSense 2.3.4. Maybe you can do it more simply, but this is what worked for me. Warning, if you aren't familiar with Kerberos and LDAP, this will not be easy. I make plenty of assumptions and probably skip some things that might not be clear to others.
Before you configure the LDAP setup:
I set up a group using the freeipa web interface called fw_admins and added my account to that group.
Set up a local group with the exact same name in pfSense.
For ease of visualization, you can dump the LDAP schema:
ldapsearch -h my-freeipa-server:389 -x -b 'dc=my-domain,dc=com' -s sub "(objectclass=*)" > ldap-dump.txt
You need to connect to FreeIPA's LDAP server over SSL using a FreeIPA-signed cert. That means setting up FreeIPA as a certificate authority on your pfSense firewall. It also means generating a private key for the firewall and a certificate signing request. You then submit the CSR to FreeIPA.
openssl req -out myFW-csr.csr -new -newkey rsa:2048 -nodes -keyout myFW-private.pem
kinit admin ##remember, this is kerberos
ipa cert-request ./myFW-csr.csr --add
ipa cert-request will prompt you for a principal. For example host/myfw.mydomain.com
You can then use the FreeIPA web gui to copy/paste relevant information out of FreeIPA for the newly added host, myFW. That includes adding the freeIPA self-signed cert to your firewall.
Add a new authentication server.
You are going to connect to FreeIPA over SSL, so use the fully qualified hostname of the FreeIPA server in the "Hostname or IP address" box.
Search scope: Entire subtree
The base DN field needs to look something like this: dc=my-domain,dc=com
Authentication containers: cn=accounts
Check "enable extended query"
Query: memberOf=cn=fw_admins,cn=groups,cn=accounts,dc=mydomain,dc=com
DISABLE Anonymous Bind. You must disable anonymous bind to get extended search to work.
Fill in bind credentials. cn="Directory Manager" is sure to work in the first box. The second box is password. After you get things working, you should not be using Directory Manager to search.
User naming attribute: uid
Group naming attribute: cn
Group member attribute: memberUid
Group Object Class: posixGroup
Enable RFC 2307 Groups
Test the LDAP lookup under Diagnostics>Authentication. If it works, it will return a list of groups to which you belong. It's very important the diagnostic page return a list of groups. In this case, it returns at least fw_admins.
EDITED on 7/26 with working setup. Prior post had a setup that only worked a little.
-
@chock-a-block A 2018 update for pfSense 2.4.3-RELEASE-p1:
The bind credentials field no longer accepts double quotes and silently fails.
Instead of cn="Directory Manager" it's now cn=Directory Manager.
As always, using that account is horrible practice in production. It should get you started.
-
I'm a bit new, getting my pfSense and FreeIPA setup. The above stuff "mostly" works, but I have a few comments / questions.
For example, in the bind credentials field, who else should I be using and what designation? If I use something like cn=admin it doesn't work. Actually, I can't get anything besides cn=Directory Manager to work.
Also, for the SSL credential creation. What would be a good set of working answers to get the damn thing to work?
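Added example, not part of any post above: the posts say Directory Manager should not stay in the bind credentials field, and one common replacement is a dedicated FreeIPA system account under cn=sysaccounts,cn=etc that pfSense binds as. The account name pfsense-bind, the file name and the password are assumptions; the suffix dc=my-domain,dc=com is the thread's placeholder base DN.

```ldif
# pfsense-bind.ldif (hypothetical file name): a bind-only service account for the firewall.
# Load it once with Directory Manager credentials, for example:
#   ldapmodify -x -H ldaps://my-freeipa-server -D "cn=Directory Manager" -W -f pfsense-bind.ldif
# userPassword below is a placeholder; replace it with a long random value
# (the directory server hashes it when the entry is written).
# passwordExpiration is set far in the future so the service bind does not
# start failing when the normal password policy would expire it.
# nsIdleTimeout: 0 disables the idle-connection timeout for this account.
dn: uid=pfsense-bind,cn=sysaccounts,cn=etc,dc=my-domain,dc=com
changetype: add
objectClass: account
objectClass: simpleSecurityObject
uid: pfsense-bind
userPassword: REPLACE-WITH-LONG-RANDOM-PASSWORD
passwordExpiration: 20380119031407Z
nsIdleTimeout: 0
```

In the pfSense bind credentials field, enter the full DN (uid=pfsense-bind,cn=sysaccounts,cn=etc,dc=my-domain,dc=com) rather than a short form such as cn=admin, then re-run the Diagnostics>Authentication test to confirm the group list still comes back.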