LDAP Auth and FreeIPA 4.4.1

  • I posted a less complete version of this in another sub-forum and thought it might be helpful here.

    Just FYI, there is only one way to use FreeIPA on Pfsense 2.3.4.  Maybe you can do it more simply, but this is what worked for me. Warning, if you aren't familiar with kerberos and LDAP, this will not be easy.  I make plenty of assumptions and probably skip some things that might not be clear to others.

    Before you configure the LDAP setup:
    I set up a group using the freeipa web interface called fw_admins and added my account to that group.
    Set up a local group with the exact same name in pfsense.

    For ease of visualization, you can dump the LDAP schema: ldapsearch -h my-freeipa-server:389 -x -b 'dc=my-domain,dc=com'  -s sub "(objectclass=*)" > ldap-dump.txt

    You need to connect to FreeIPA's LDAP server over SSL using a FreeIPA-signed cert. That means setting up FreeIPA as a certificate authority on your pfSense firewall.  It also means generating a private key for the firewall and a certificate signing request.  You then submit the CSR to FreeIPA.

    openssl req -out myFW-csr.csr -new -newkey rsa:2048 -nodes -keyout myFW-private.pem
    kinit admin  ##remember, this is Kerberos
    ipa cert-request ./myFW-csr.csr --add

    ipa cert-request will prompt you for a principal.  For example host/myfw.mydomain.com

    You can then use the FreeIPA web gui to copy/paste relevant information out of FreeIPA for the newly added host, myFW.  That includes adding the freeIPA self-signed cert to your firewall.

    Add a new authentication server.
    You are going to connect to freeIPA over ssl, so use the fully qualified hostname of the freeipa server in the "Hostname or IP address" box.

    Search scope: Entire subtree
    The base DN field needs to look something like this: dc=my-domain,dc=com
    Authentication containers: cn=accounts

    Check "enable extended query"

    Query: memberOf=cn=fw_admins,cn=groups,cn=accounts,dc=mydomain,dc=com

    DISABLE Anonymous Bind.  You must disable anonymous bind to get extended search to work.

    Fill in bind credentials.  cn="Directory Manager" is sure to work in the first box. The second box is password. After you get things working, you should not be using Directory Manager to search.

    User naming attribute: uid
    Group naming attribute: cn
    Group member attribute: memberUid
    Group Object Class: posixGroup

    Enable RFC 2307 Groups

    Test the LDAP lookup under Diagnostics>Authentication.  If it works, it will return a list of groups to which you belong.  It's very important that the diagnostic page return a list of groups.  In this case, it returns at least fw_admins.

    EDITED on 7/26 with working setup.  Prior post had a setup that only worked a little.

  • @chock-a-block A 2018 update for pfSense 2.4.3-RELEASE-p1:

    The bind credentials field no longer accepts double quotes and silently fails.

    Instead of cn="Directory Manager" it's now cn=Directory Manager.

    As always, using that account is horrible practice in production. It should get you started.
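
As an added example that is not code from either post above (neither chock-a-block's nor the 2018 reply's), here is the certificate request and a lookup check scripted for a POSIX shell, so you can see what pfSense's extended query actually returns before touching the GUI. All names are assumptions: the firewall myfw.mydomain.com, the FreeIPA server ipa.mydomain.com, the base DN dc=mydomain,dc=com, the group fw_admins, the CA certificate path /etc/ipa/ca.crt as found on an enrolled client, and a hypothetical dedicated bind account uid=pfsense-bind,cn=sysaccounts,cn=etc,dc=mydomain,dc=com standing in for Directory Manager, which both posts say not to use in production. The filter is the same memberOf form the first post puts in the Query box; FreeIPA's memberOf plugin maintains that attribute on user entries. The bind-DN check reflects the second post's note that pfSense 2.4.x silently fails on double quotes.

```shell
#!/bin/sh
# Added example, not code from the original posts. Assumed names: firewall
# myfw.mydomain.com, FreeIPA server ipa.mydomain.com, base DN dc=mydomain,dc=com,
# group fw_admins, and a hypothetical bind account
# uid=pfsense-bind,cn=sysaccounts,cn=etc,dc=mydomain,dc=com.
set -eu

BASE_DN="dc=mydomain,dc=com"
IPA_HOST="ipa.mydomain.com"
FW_FQDN="myfw.mydomain.com"
ADMIN_GROUP="fw_admins"
BIND_DN="uid=pfsense-bind,cn=sysaccounts,cn=etc,${BASE_DN}"   # hypothetical; not Directory Manager
CA_CERT="/etc/ipa/ca.crt"   # FreeIPA CA certificate as installed on an enrolled client

# DN of a FreeIPA user group, which is the value FreeIPA writes into members' memberOf.
group_dn() {
  printf 'cn=%s,cn=groups,cn=accounts,%s' "$1" "$2"
}

# The extended-query filter pfSense applies; it matches only members of that one group.
member_filter() {
  printf '(memberOf=%s)' "$(group_dn "$1" "$2")"
}

# pfSense 2.4.x silently fails on a bind DN containing double quotes; reject them up front.
check_bind_dn() {
  case "$1" in
    *\"*) return 1 ;;
    *)    return 0 ;;
  esac
}

# Step 1: private key and CSR for the firewall, with CN set to its FQDN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${FW_FQDN}" \
    -keyout myFW-private.pem -out myFW-csr.csr
}

# Step 2: have the FreeIPA CA sign it for the host principal (kinit first; this is Kerberos).
request_cert() {
  kinit admin
  ipa cert-request myFW-csr.csr --principal "host/${FW_FQDN}" --add
}

# Step 3: confirm the LDAPS chain validates against the IPA CA (expect "Verify return code: 0").
check_tls() {
  openssl s_client -connect "${IPA_HOST}:636" -CAfile "${CA_CERT}" </dev/null 2>/dev/null \
    | grep 'Verify return code'
}

# Step 4: run the lookup pfSense will run, as the dedicated bind account, over LDAPS.
# Every entry returned should be a uid that is a member of the admin group.
check_lookup() {
  check_bind_dn "${BIND_DN}" || { echo "bind DN contains double quotes" >&2; return 1; }
  LDAPTLS_CACERT="${CA_CERT}" ldapsearch -LLL -H "ldaps://${IPA_HOST}" -x \
    -D "${BIND_DN}" -W -b "cn=accounts,${BASE_DN}" -s sub \
    "$(member_filter "${ADMIN_GROUP}" "${BASE_DN}")" uid memberOf
}

# Only perform the network steps when explicitly asked, so the file can be sourced safely.
if [ "${RUN_IPA_SETUP:-0}" = "1" ]; then
  make_csr
  request_cert
  check_tls
  check_lookup
fi
```

Run it with RUN_IPA_SETUP=1 on a host that has the ipa client tools; ldapsearch will prompt for the bind account's password. If your own uid is missing from the output, pfSense's test under Diagnostics>Authentication will not list fw_admins either, and the place to look is group membership in FreeIPA, not the pfSense form.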