Cannot set LDAP to use group for OpenVPN authentication

Snailkhan

Hi,
I have setup openvpn on pfsense and currently using radius for authenticating openvpn users from ad . This is working but i need to shift from radius to LDAP.

In AD i have an OU "Users" (this is default OU) .there is a group named "G_Open_VPN". i have added users to this group for LDAP purpose.

i have created a domain admin account Pfldap and its credentials are entered in Bind Credentials.
with below settings when i go to diagnostic >> authenticatoin and try any user that resides in Users OU it succeeds.

Now i have created an OU "LDAP_Pfsense" and moved the group "G_Open_VPN" there in this OU. and did below setting under user > authentication >LDAP server and its failing with below query.
here is what i put in extended query
memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com

Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: ERROR! LDAP search failed, no user matching userabc was found.
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Now searching in server AD LDAP Server , container OU=LDAP_Pfsense,DC=abctech,DC=com with filter (&(samaccountname=userabc)(memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com)).
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Now Searching for userabc in directory.
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: LDAP connection error flag: false
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Group Filter:
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Filter: (&(samaccountname=userabc)(memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com))
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Extended Query: memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Attrs: Name: samaccountname / Group: memberOf
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Container: OU=LDAP_Pfsense,DC=abctech,DC=com
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Auth Bind DN: CN=Pfldap,OU=LDAP_Pfsense,DC=abctech,DC=com
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Scope: subtree
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Base DN: DC=abctech,DC=com
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: URI: ldap://10.10.4.79:389 (v3)
Dec 10 16:53:12	php-fpm	63362	/diag_authentication.php: LDAP Debug: Attempting to authenticate userabc on AD LDAP Server

please if somene can guide me how to restrict openvpn access to only this gorup members.

Regards

stephenw10

Without the extended query but with OU=LDAP_PFsense set does it return any users. And or list groups they are members of?

Snailkhan

@stephenw10 said in Cannot set LDAP to use group for OpenVPN authentication:

Without the extended query but with OU=LDAP_PFsense set does it return any users. And or list groups they are members of?

Reply

Sorry i coudn't get you. Do you mean that i give it a try by unchecking "Enable Extended Query"
regarding "but with OU=LDAP_PFsense set" do you mean enter this in "authentication containers" which it already has and then clicking "Select container"
if so i am able to see groups members etc after doing so.

stephenw10

Hmm, so it appears that just the extended query is filtering out all users even though they should be members of the G_Open_VPN group?