LDAP Extended Query
Good Morning.
I am attempting to configure OpenVPN on pfSense 2.6.0 for Domain Authentication for remote connections via LDAP(s). I have successfully created a Bind user, pfSense authenticates against the Domain with no issues. For remote connections to authenticate against the Domain I need them to be a member of a particular Security Group. For the life of me I cannot get pfSense to understand this Security Group. I have Googled and found multiple examples of Extended Queries to enumerate this Security Group. Any settings I have entered in the Extended Query field immediately kills my Bind connection.
Here is the Security Group I would like pfSense to read for user authentication:
CN=ovpn,OU=DOMAIN Security Groups,DC=domain,DC=local

Here is my current configuration:
<authserver>
<refid>639f69957b7e2</refid>
<type>ldap</type>
<name>AD Authentication</name>
<host>44dc.domain.local</host>
<ldap_port>636</ldap_port>
<ldap_urltype>SSL/TLS Encrypted</ldap_urltype>
<ldap_protver>3</ldap_protver>
<ldap_scope>subtree</ldap_scope>
<ldap_basedn><![CDATA[DC=domain,DC=local]]></ldap_basedn>
<ldap_authcn><![CDATA[DC=domain,DC=local]]></ldap_authcn>
<ldap_extended_enabled></ldap_extended_enabled>
<ldap_extended_query></ldap_extended_query>
<ldap_attr_user><![CDATA[samAccountName]]></ldap_attr_user>
<ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
<ldap_attr_member><![CDATA[memberOf]]></ldap_attr_member>
<ldap_attr_groupobj><![CDATA[posixGroup]]></ldap_attr_groupobj>
<ldap_pam_groupdn></ldap_pam_groupdn>
<ldap_timeout>25</ldap_timeout>
<ldap_caref>63a3c554cb362</ldap_caref>
<ldap_binddn><![CDATA[pfsense@domain.local]]></ldap_binddn>
<ldap_bindpw><![CDATA[w@m9mJMWj1y>tZVk]]></ldap_bindpw>
</authserver>

Any insight would be much appreciated!
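An added example, not part of the original post and not pfSense's own code: it builds the kind of search filter pfSense sends once an Extended Query is set, and runs it against a small constructed directory so you can see which users the `ovpn` group filter lets through before touching the firewall. The assumption here (mine, worth checking against your pfSense version) is that the Extended Query field takes a bare `attribute=value` term with no outer parentheses, and that pfSense ANDs it with the username lookup as `(&(samAccountName=<user>)(<extended query>))`. The user names and DNs in `DIRECTORY` are constructed sample data; only the `ovpn` group DN is taken from the post.

```python
"""Build and test a pfSense-style LDAP filter for group-restricted logins.

Assumptions (not verified against pfSense 2.6.0 source): pfSense wraps the
Extended Query as (&(<user attr>=<username>)(<extended query>)), so the field
holds a bare attr=value term with no outer parentheses.
"""
import re

# Group DN from the post; the directory below is constructed sample data.
GROUP_DN = "CN=ovpn,OU=DOMAIN Security Groups,DC=domain,DC=local"
DIRECTORY = {  # sAMAccountName -> memberOf values
    "alice": [GROUP_DN, "CN=Domain Users,CN=Users,DC=domain,DC=local"],
    "bob":   ["CN=Domain Users,CN=Users,DC=domain,DC=local"],
    "carol": ["CN=ovpn-old,OU=DOMAIN Security Groups,DC=domain,DC=local"],
}

ITEM_RE = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def extended_query(group_dn: str) -> str:
    """The value to put in the Extended Query field: attr=value, no parens."""
    return f"memberOf={escape_filter_value(group_dn)}"


def full_filter(user_attr: str, username: str, ext_query: str) -> str:
    """Filter as pfSense is assumed to send it for one login attempt."""
    return f"(&({user_attr}={escape_filter_value(username)})({ext_query}))"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(filter_str: str, entry: dict) -> bool:
    """Evaluate an AND-of-equality filter against one entry (attr -> values).

    Attribute names and DN values are compared case-insensitively, as AD does.
    Raises ValueError on anything that is not (&(a=v)(b=v)...), which is what
    a pasted query with stray parentheses turns into.
    """
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only (&(a=v)(b=v)...) filters are supported here")
    body = filter_str[2:-1]
    items = ITEM_RE.findall(body)
    if "".join(f"({a}={v})" for a, v in items) != body:
        raise ValueError(f"unparseable filter: {filter_str}")
    lower = {k.lower(): [x.lower() for x in vs] for k, vs in entry.items()}
    return all(_unescape(v).lower() in lower.get(a.lower(), [])
               for a, v in items)


def query_is_wellformed(ext_query: str) -> bool:
    """True if the Extended Query value produces a parseable full filter."""
    try:
        entry_matches(full_filter("samAccountName", "probe", ext_query), {})
        return True
    except ValueError:
        return False


def allowed_users(group_dn: str, directory: dict = DIRECTORY) -> list:
    """Users whose login search would return an entry, i.e. may log in."""
    query = extended_query(group_dn)
    allowed = []
    for user, groups in directory.items():
        entry = {"sAMAccountName": [user], "memberOf": groups}
        if entry_matches(full_filter("samAccountName", user, query), entry):
            allowed.append(user)
    return allowed


if __name__ == "__main__":
    print("Extended Query:", extended_query(GROUP_DN))
    print("Allowed:", allowed_users(GROUP_DN))
    bad = "(" + extended_query(GROUP_DN) + ")"
    print("Well-formed with extra parens?", query_is_wellformed(bad))
```

Two caveats the script cannot check for you. `memberOf` on a user only lists direct memberships; if `ovpn` will contain other groups rather than users, Active Directory's chain matching rule (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`) is what walks nested membership, and this toy evaluator does not implement it. Also, the `posixGroup` value shown for Group Object Class in the posted config is the pfSense default for generic LDAP; Active Directory group objects carry the object class `group`, which matters for the separate group-enumeration lookup pfSense performs.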