Netgate Discussion Forum

    Cannot set LDAP to use group for OpenVPN authentication

    General pfSense Questions
    Snailkhan:

      Hi,
      I have set up OpenVPN on pfSense and am currently using RADIUS for authenticating OpenVPN users from AD. This is working, but I need to shift from RADIUS to LDAP.

      In AD I have an OU "Users" (this is the default OU). There is a group named "G_Open_VPN". I have added users to this group for LDAP purposes.

      I have created a domain admin account Pfldap and its credentials are entered in Bind Credentials.
      With the settings below, when I go to Diagnostics >> Authentication and try any user that resides in the Users OU, it succeeds.
      [screenshot: LDAP server settings]
      Now I have created an OU "LDAP_Pfsense" and moved the group "G_Open_VPN" into this OU, and made the setting below under User > Authentication > LDAP server, and it is failing with the query below.
      Here is what I put in the extended query:
      memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com
      [screenshot: LDAP server settings with extended query]

      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: ERROR! LDAP search failed, no user matching userabc was found.
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Now searching in server AD LDAP Server , container OU=LDAP_Pfsense,DC=abctech,DC=com with filter (&(samaccountname=userabc)(memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com)).
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Now Searching for userabc in directory.
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: LDAP connection error flag: false
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Group Filter:
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Filter: (&(samaccountname=userabc)(memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com))
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Extended Query: memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Attrs: Name: samaccountname / Group: memberOf
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Container: OU=LDAP_Pfsense,DC=abctech,DC=com
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Auth Bind DN: CN=Pfldap,OU=LDAP_Pfsense,DC=abctech,DC=com
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Scope: subtree
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Base DN: DC=abctech,DC=com
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: URI: ldap://10.10.4.79:389 (v3)
      Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Attempting to authenticate userabc on AD LDAP Server
      

      Please, if someone can guide me on how to restrict OpenVPN access to only this group's members.

      Regards

      stephenw10 (Netgate Administrator):
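      The debug lines above are worth reading against the first paragraph of the post: the search runs with Container: OU=LDAP_Pfsense,DC=abctech,DC=com and Scope: subtree, but the only object that was moved into that OU is the group; the user accounts still live in the default Users container. A subtree search only returns entries at or below its base, so the (samaccountname=userabc) half of the filter finds nothing there, and the memberOf clause never gets a chance to match. The following Python block is an added example, not code from the post or from pfSense: it models the lookup pfSense logs (one subtree search per Authentication Container with the filter (&(<name attribute>=<user>)(<extended query>))) over a constructed in-memory directory. Assumptions: the default Users container is CN=Users (as in every AD domain, not an OU), and the accounts otheruser, nesteduser and the group G_Nested are invented to show the negative cases.

```python
"""Toy model of the LDAP user lookup that pfSense performs (added example,
not pfSense code). It reproduces the search described by the debug log in
the thread: for each configured Authentication Container, a subtree search
with the filter (&(<name attribute>=<user>)<extended query>), and reports
which entries come back."""

# Constructed snapshot of the directory described in the thread (assumption:
# the default "Users" container is CN=Users; the group sits in OU=LDAP_Pfsense).
# otheruser, nesteduser and G_Nested are invented for the negative cases.
GROUP_DN = "CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com"
NESTED_DN = "CN=G_Nested,OU=LDAP_Pfsense,DC=abctech,DC=com"

DIRECTORY = {
    "CN=userabc,CN=Users,DC=abctech,DC=com": {
        "samaccountname": ["userabc"],
        "memberof": [GROUP_DN],            # direct member of G_Open_VPN
    },
    "CN=otheruser,CN=Users,DC=abctech,DC=com": {
        "samaccountname": ["otheruser"],
        "memberof": [],                    # not in the VPN group at all
    },
    "CN=nesteduser,CN=Users,DC=abctech,DC=com": {
        "samaccountname": ["nesteduser"],
        "memberof": [NESTED_DN],           # only via G_Nested, which is in G_Open_VPN
    },
    GROUP_DN: {"member": ["CN=userabc,CN=Users,DC=abctech,DC=com", NESTED_DN]},
    NESTED_DN: {"member": ["CN=nesteduser,CN=Users,DC=abctech,DC=com"],
                "memberof": [GROUP_DN]},
    "CN=Pfldap,OU=LDAP_Pfsense,DC=abctech,DC=com": {"samaccountname": ["Pfldap"]},
}


def parse_filter(text, pos=0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value).
    Returns (node, next_position). Values in this thread never contain ')'."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos} in {text!r}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive,
    as AD compares sAMAccountName and DN-valued attributes)."""
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in attrs.get(attr, []))
    children = node[1]
    if kind == "&":
        return all(matches(c, attrs) for c in children)
    if kind == "|":
        return any(matches(c, attrs) for c in children)
    return not matches(children[0], attrs)  # "!"


def in_subtree(dn, base):
    """Subtree scope: the entry must be the base itself or sit below it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def pfsense_filter(username, name_attr="samaccountname", extended_query=None):
    """Build the filter shown in the debug log: the extended query is wrapped
    in parentheses if it lacks them, then AND-ed with the name match."""
    if not extended_query:
        return f"({name_attr}={username})"
    if not extended_query.startswith("("):
        extended_query = f"({extended_query})"
    return f"(&({name_attr}={username}){extended_query})"


def find_user(directory, username, containers, extended_query=None):
    """Search each Authentication Container in turn (subtree scope) and return
    the DNs that match, i.e. the accounts the firewall would go on to bind as."""
    node, _ = parse_filter(pfsense_filter(username, extended_query=extended_query))
    return sorted(dn for container in containers
                  for dn, attrs in directory.items()
                  if in_subtree(dn, container) and matches(node, attrs))


if __name__ == "__main__":
    query = f"memberOf={GROUP_DN}"
    print(pfsense_filter("userabc", extended_query=query))
    # Container that holds only the group: the account is not beneath it.
    print(find_user(DIRECTORY, "userabc", ["OU=LDAP_Pfsense,DC=abctech,DC=com"], query))
    # Container that holds the accounts: found, and the group clause still applies.
    users = ["CN=Users,DC=abctech,DC=com"]
    print(find_user(DIRECTORY, "userabc", users, query))
    print(find_user(DIRECTORY, "otheruser", users, query))
    print(find_user(DIRECTORY, "otheruser", users))            # no query: anyone in the container
    print(find_user(DIRECTORY, "nesteduser", users, query))    # memberOf lists direct groups only
```

      Three things the model makes visible. First, with the container set to the OU that holds only the group, the lookup returns nothing for userabc, exactly the "no user matching userabc was found" line in the log; with the container set to where the accounts live (CN=Users, or the Base DN itself), the same extended query returns userabc and still rejects otheruser, which is the restriction the post is after. Second, without the extended query every account beneath the container authenticates, so the query is what actually enforces the group, not the container. Third, memberOf holds only direct memberships, so nesteduser is rejected; AD can resolve nesting if the extended query uses the LDAP_MATCHING_RULE_IN_CHAIN form memberOf:1.2.840.113556.1.4.1941:=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com, which this toy evaluator does not implement. The same filter can be checked outside pfSense with ldapsearch -H ldap://10.10.4.79 -D "CN=Pfldap,OU=LDAP_Pfsense,DC=abctech,DC=com" -W -b "CN=Users,DC=abctech,DC=com" "(&(samaccountname=userabc)(memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com))" dn memberOf. Two hardening points the debug output also exposes: the bind account is a domain admin although a plain domain user with read access is enough for this search, and the URI is ldap:// on 389, so that account's password crosses the network in the clear unless STARTTLS or LDAPS is enabled.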

        Without the extended query but with OU=LDAP_PFsense set, does it return any users? And/or list the groups they are members of?

          Snailkhan (replying to stephenw10):

          @stephenw10 said in Cannot set LDAP to use group for OpenVPN authentication:

          Without the extended query but with OU=LDAP_PFsense set does it return any users. And or list groups they are members of?

          Sorry, I couldn't get you. Do you mean that I should give it a try by unchecking "Enable Extended Query"?
          Regarding "but with OU=LDAP_PFsense set", do you mean entering this in "Authentication containers", which it already has, and then clicking "Select container"?
          If so, I am able to see groups, members etc. after doing so.

            stephenw10 (Netgate Administrator):

            Hmm, so it appears that just the extended query is filtering out all users, even though they should be members of the G_Open_VPN group?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.