Netgate Discussion Forum

How to use OpenLDAP members groups

General pfSense Questions
30 Posts 2 Posters 2.4k Views
    stephenw10 Netgate Administrator
    last edited by Jan 22, 2024, 6:13 PM

    You need to create user groups in pfSense with identical names. Then you can assign permissions to those groups and users authenticating with LDAP will inherit them if they are a member.

    Steve

      Gerard64 @stephenw10
      Jan 22, 2024, 6:23 PM (last edited by Gerard64 Jan 22, 2024, 6:32 PM)

      @stephenw10

      That is what I did: I created identical user groups. That is why they show up when I test the users; the groups users and vpnusers are picked up, as you can see in the image.

      What I am missing is how I can connect the vpnusers group to the OpenVPN server.
      I have to set the LDAP database of course, but only users in the ou=People,dc=domain,dc=org group work when I use the OpenVPN server.
      It does nothing with the users or vpnusers group.

        stephenw10 Netgate Administrator
        last edited by Jan 22, 2024, 7:19 PM

        What permissions did you set on those groups?

          Gerard64 @stephenw10
          Jan 22, 2024, 7:23 PM (last edited by Gerard64 Jan 22, 2024, 7:25 PM)

          @stephenw10

          You mean "Assigned Privileges" on the pfSense groups?

          Both users and vpnusers have ...
          010e1b1b-a1a2-4c6a-aeb2-049d460ab958-afbeelding.png

            Gerard64 @Gerard64
            Jan 22, 2024, 7:29 PM (last edited by Gerard64 Jan 22, 2024, 7:42 PM)

            By the way, when I remove those "Assigned Privileges" I can still successfully test the LDAP users with Diagnostics > Authentication.

              stephenw10 Netgate Administrator
              last edited by Jan 22, 2024, 9:22 PM

              The authentication test itself would still work when logged in as another user.

              What exactly are you seeing happen in testing?

                Gerard64 @stephenw10
                last edited by Jan 22, 2024, 9:56 PM

                @stephenw10

                In the tests I am doing in the above posts I am logged in as admin, and I test normal users I have created in ou=People,dc=domain,dc=org.

                Then I created:
                cn=users,ou=groups,dc=domain,dc=org
                cn=vpnusers,ou=groups,dc=domain,dc=org

                And I added the test users I created in ou=People into those users and vpnusers groups as members.

                  Gerard64
                  last edited by Jan 22, 2024, 10:03 PM

                  What I would like to do is use cn=users, for example, to log in to a captive portal and cn=vpnusers to log in to the OpenVPN server.

                    stephenw10 Netgate Administrator
                    last edited by Jan 22, 2024, 10:50 PM

                    But how are you testing the accounts? Trying to use them to log into the VPN and they fail?

                    Captive portal users would need to inherit the 'Services: Captive Portal Login' privilege.

                      Gerard64 @stephenw10
                      last edited by Jan 22, 2024, 11:06 PM

                      I test the user accounts with Diagnostics > Authentication.
                      Only the users in ou=people work, and at the same time it recognizes membership of other groups, as you could see in the image above.
                      Then I also test with the OpenVPN server in pfSense; that also only works with the ou=people,dc=domain,dc=org users.

                      What I would like is for the OpenVPN server to use the members of cn=vpnusers,ou=groups,dc=domain,dc=org as OpenVPN users.
                      When I configure cn=vpnusers,ou=groups,dc=domain,dc=org as the only option in "Authentication containers" in the LDAP auth server settings, then authentication is not working anymore.

                      Somehow I should be able to configure the pfSense LDAP auth server to only use users that are members of cn=vpnusers,ou=groups,dc=domain,dc=org.

                        stephenw10 Netgate Administrator
                        last edited by Jan 22, 2024, 11:31 PM

                        Ah I see. OK how is the LDAP server setup in pfSense?

                          Gerard64 @stephenw10
                          last edited by Jan 22, 2024, 11:49 PM

                          I made a screenshot of it but had to zoom out to get everything into one image.
                          Hopefully you can read the settings.

                          Naamloos.png

                            stephenw10 Netgate Administrator
                            last edited by Jan 22, 2024, 11:55 PM

                            Ok so that's the ou=People server. Do you have a separate server defined for ou=Users? Or are you changing that one?

                              Gerard64 @stephenw10
                              Jan 23, 2024, 12:09 AM (last edited by Gerard64 Jan 23, 2024, 12:12 AM)

                              No, I have one OpenLDAP server with one DIT.
                              I don't have an ou=users; I only have ou=groups and ou=people.

                              In ou=groups I created cn=users and cn=vpnusers and added the ou=people users to those groups as memberUid.

                              For me this is all totally new, so I probably do all kinds of stupid things.
                              I want to learn how to manage an OpenLDAP directory, and I thought connecting it to pfSense would be a good little learning project.

                              ldap-2.png

                                Gerard64 @Gerard64
                                last edited by Jan 23, 2024, 12:19 AM

                                ldap-3.png

                                  stephenw10 Netgate Administrator
                                  last edited by Jan 23, 2024, 1:01 AM

                                  You need to have 'Groups' selected there to authenticate users from that.

                                    Gerard64 @stephenw10
                                    Jan 23, 2024, 1:11 AM (last edited by Gerard64 Jan 23, 2024, 11:04 AM)

                                    I tested all that several times.
                                    If I only select ou=groups,dc=domain,dc=org

                                    I get ...
                                    29893a07-af3a-4047-a36f-2b391654e39d-afbeelding.png

                                    If I select all 3 of the options, then pfSense picks only ou=people,dc=domain,dc=org and authentication is successful, but then those cn=users and cn=vpnusers are not used.
                                    I want to authenticate only against cn=vpnusers,ou=group,dc=domain,dc=org.
                                    If I only select that option I again get ...
                                    c4feeaf9-95fa-4aaf-860f-a1dbfa56ade5-afbeelding.png

                                    The only way to get a successful authentication is against the users in ou=groups,dc=domain,dc=org.
                                    I tried many different settings today that I found online.
                                    Only that second option works,
                                    but then I cannot use different member groups, only the users that are in ou=people.

                                    I didn't know what to try next, so I thought I'd try the Netgate forums.

                                      stephenw10 Netgate Administrator
                                      last edited by Jan 23, 2024, 1:10 PM

                                      Hmm, odd. I'd expect those two ous to behave the same. I can see why it would be a problem if you have both selected and the same users in each.

                                      Slightly confused though because you seem to say above that selecting only ou=groups,dc=domain,dc=org both fails and is the only way to successfully authenticate? 😕

                                        Gerard64 @stephenw10
                                        Jan 23, 2024, 1:33 PM (last edited by Gerard64 Jan 23, 2024, 1:42 PM)

                                        Sorry if I am a bit confusing in the above posts.
                                        I'll try to be clearer.
                                        English is not my main language, so I do my best 😉

                                        As you can see in the pictures, I only have 2 OUs: People and Groups.
                                        I created 2 normal users and 1 admin user in ou=People.

                                        Then I created 3 groups in ou=Groups.

                                        My plan is to use those CN groups (in ou=groups) to authorize several services for the users by adding the users to one or more of those cn groups (cn=users & cn=vpnusers & cn=admins).

                                        As an example, I added users to cn=vpnusers so I could give them access to the pfSense OpenVPN server.
                                        And I added the admin user to the cn=admins group to give him/them admin access to pfSense.

                                        But those groups under ou=Groups are not selectable / configurable in pfSense, or at least I don't know how to do that.

                                        Only ou=People,dc=domain,dc=org authenticates successfully in "Diagnostics / Authentication" and the OpenVPN server.
                                        It doesn't matter if I enable or disable the other containers (cn=users / cn=vpnusers); they don't work.
                                        I added different users to those cn groups to test them separately, so I know for sure which one does or doesn't work, and both don't work.

                                        Although cn=users and cn=vpnusers are seen by pfSense, as you can see in one of the images from earlier, I cannot do anything with them, like configure the OpenVPN server to use, for example, cn=vpnusers to authenticate a member user of that group. Or I just don't know yet how to do that.

                                        Just like "Diagnostics / Authentication", the OpenVPN server also works successfully with users in ou=People,dc=domain,dc=org.
                                        cn=users,ou=Groups,dc=domain,dc=org or cn=vpnusers,ou=Groups,dc=domain,dc=org does not work.

                                        Or maybe it does and I just don't know yet how to do it, how to configure it.
                                        That is what I hope to learn.

                                          Gerard64 @Gerard64
                                          last edited by Jan 23, 2024, 2:01 PM

                                          When I configure the LDAP server in pfSense with only cn=vpnusers, like in this image, and I make one of the ou=People,dc=domain,dc=org users a member of that group, then the auth test gives unsuccessful.

                                          dcd59640-eecb-4a0a-9327-db0043a23456-afbeelding.png

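The lookup the two posters are circling around, as an added example that is not part of the forum thread and not pfSense's own code: the configured Authentication Containers are searched for the user object, the user is bound, group membership is then looked up separately (here RFC 2307 style, where the posixGroup carries memberUid), and finally the privileges of pfSense local groups with identical names are merged. The directory below is a constructed in-memory stand-in for the poster's DIT with invented users alice, bob and carol and invented passwords; the privilege strings are labels borrowed from the thread and the helper names are this example's own. Running it shows why listing a group DN as an authentication container finds no user, and why a same-named pfSense group is what carries the privileges.

```python
"""In-memory model of the pfSense LDAP flow discussed above: search the
configured Authentication Containers for the user object, bind as that
user, collect the user's groups, then grant the privileges of pfSense
local groups with identical names.  Added illustration, not pfSense's
code; no LDAP server is contacted."""

from typing import Dict, List, Optional, Set

# Constructed sample DIT: DN -> attributes (attribute names lower-cased).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=domain,dc=org": {
        "objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"], "userpassword": ["alice-secret"]},
    "uid=bob,ou=People,dc=domain,dc=org": {
        "objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["bob"], "userpassword": ["bob-secret"]},
    "uid=carol,ou=People,dc=domain,dc=org": {
        "objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["carol"], "userpassword": ["carol-secret"]},
    # RFC 2307 style groups: membership lives on the group, not the user.
    "cn=users,ou=Groups,dc=domain,dc=org": {
        "objectclass": ["posixGroup"], "cn": ["users"],
        "memberuid": ["alice", "bob"]},
    "cn=vpnusers,ou=Groups,dc=domain,dc=org": {
        "objectclass": ["posixGroup"], "cn": ["vpnusers"],
        "memberuid": ["alice"]},
    "cn=admins,ou=Groups,dc=domain,dc=org": {
        "objectclass": ["posixGroup"], "cn": ["admins"],
        "memberuid": ["carol"]},
}

# pfSense local groups named identically to the LDAP cn values, with their
# "Assigned Privileges".  Labels come from the thread; the sets are
# illustrative assumptions, not a recommended configuration.
PFSENSE_GROUPS: Dict[str, Set[str]] = {
    "users": {"Services: Captive Portal Login"},
    "vpnusers": set(),
    "admins": {"WebCfg - All pages"},
}


def _under(dn: str, container: str) -> bool:
    """True if dn sits inside container (subtree scope, case-insensitive)."""
    return dn.lower().endswith("," + container.lower())


def find_user(uid: str, containers: List[str]) -> Optional[str]:
    """Step 1: search only the configured containers for an entry whose uid
    matches.  Group objects have no uid, so naming a group DN as a
    container finds nobody."""
    for dn, attrs in DIRECTORY.items():
        if uid in attrs.get("uid", []) and any(_under(dn, c) for c in containers):
            return dn
    return None


def bind(dn: str, password: str) -> bool:
    """Step 2: simple bind as the user (plain compare in this model only)."""
    return password in DIRECTORY.get(dn, {}).get("userpassword", [])


def groups_for(uid: str, group_base: str) -> Set[str]:
    """Step 3: RFC 2307 lookup, searching group objects for memberUid=uid."""
    return {attrs["cn"][0] for dn, attrs in DIRECTORY.items()
            if _under(dn, group_base) and uid in attrs.get("memberuid", [])}


def privileges(groups: Set[str]) -> Set[str]:
    """Step 4: union of privileges of pfSense groups with identical names."""
    return set().union(*(PFSENSE_GROUPS.get(g, set()) for g in groups))


def authenticate(uid: str, password: str, containers: List[str],
                 group_base: str = "ou=Groups,dc=domain,dc=org") -> dict:
    """Whole flow; the dict mirrors what Diagnostics > Authentication
    reports (success, group memberships, resulting privileges)."""
    dn = find_user(uid, containers)
    if dn is None or not bind(dn, password):
        return {"ok": False, "dn": dn, "groups": set(), "privs": set()}
    groups = groups_for(uid, group_base)
    return {"ok": True, "dn": dn, "groups": groups, "privs": privileges(groups)}


def may_use_service(result: dict, required_group: str) -> bool:
    """Gate a service on group membership.  This check is the caller's own;
    successful authentication by itself only yields the merged privileges."""
    return result["ok"] and required_group in result["groups"]


if __name__ == "__main__":
    people = ["ou=People,dc=domain,dc=org"]
    print(authenticate("alice", "alice-secret", people))
    # Using the group object itself as the container: no user is found.
    print(authenticate("alice", "alice-secret",
                       ["cn=vpnusers,ou=Groups,dc=domain,dc=org"]))
```

The point of the two calls at the bottom: with ou=People as the container the user is found and both group memberships come back, so a pfSense group named vpnusers would pick up that user; with cn=vpnusers as the container the search looks for a user object under a group entry and fails before any membership check runs. Restricting which LDAP users may authenticate at all is a separate setting in the pfSense LDAP server page (the query option that narrows the user search); whether a memberUid-on-the-group condition can be expressed there depends on the directory, so check the pfSense documentation for that field rather than relying on this model.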
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.