Cannot set LDAP to use group for OpenVPN authentication
-
Hi,
I have set up OpenVPN on pfSense and am currently using RADIUS for authenticating OpenVPN users from AD. This is working, but I need to shift from RADIUS to LDAP. In AD I have an OU "Users" (this is the default OU). There is a group named "G_Open_VPN". I have added users to this group for LDAP purposes.
I have created a domain admin account Pfldap and its credentials are entered in Bind Credentials.
With the below settings, when I go to Diagnostics >> Authentication and try any user that resides in the Users OU, it succeeds.
Now I have created an OU "LDAP_Pfsense" and moved the group "G_Open_VPN" into this OU, and did the below setting under User > Authentication > LDAP server, and it is failing with the below query.
Here is what I put in the extended query:
memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: ERROR! LDAP search failed, no user matching userabc was found.
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Now searching in server AD LDAP Server , container OU=LDAP_Pfsense,DC=abctech,DC=com with filter (&(samaccountname=userabc)(memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com)).
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Now Searching for userabc in directory.
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: LDAP connection error flag: false
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Group Filter:
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Filter: (&(samaccountname=userabc)(memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com))
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Extended Query: memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Attrs: Name: samaccountname / Group: memberOf
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Container: OU=LDAP_Pfsense,DC=abctech,DC=com
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Auth Bind DN: CN=Pfldap,OU=LDAP_Pfsense,DC=abctech,DC=com
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Scope: subtree
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Base DN: DC=abctech,DC=com
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: URI: ldap://10.10.4.79:389 (v3)
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Attempting to authenticate userabc on AD LDAP Server
Please, if someone can guide me on how to restrict OpenVPN access to only this group's members.
Regards
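Added example, not from this thread and not pfSense's own code: a small Python script that pulls the Container, Scope and Filter fields out of the debug lines above and replays that search against a constructed directory snapshot. The DNs and attribute values in the snapshot are assumptions for illustration (the user object is placed in AD's default CN=Users container, which is where AD keeps users that were never moved); the real search is executed by the directory server, and this only mirrors the search-base, scope and filter semantics. It shows what the log already implies: with the search container set to OU=LDAP_Pfsense, an AND of samaccountname and memberOf can only match user objects that sit under that OU, so a user whose object lives elsewhere is never returned even though its memberOf lists the group.

```python
import re

# Constructed copy of three of the pfSense "LDAP Debug" lines from the post,
# one syslog entry per line (the forum rendered them run together).
DEBUG_LOG = """\
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Container: OU=LDAP_Pfsense,DC=abctech,DC=com
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Scope: subtree
Dec 10 16:53:12 php-fpm 63362 /diag_authentication.php: LDAP Debug: Filter: (&(samaccountname=userabc)(memberOf=CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com))
"""

# Constructed directory snapshot (hypothetical DNs and attributes, not a real AD).
# Only the group was moved to OU=LDAP_Pfsense; the user objects stayed in CN=Users.
DIRECTORY = {
    "CN=userabc,CN=Users,DC=abctech,DC=com": {
        "samaccountname": ["userabc"],
        "memberof": ["CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com"],
    },
    "CN=userxyz,CN=Users,DC=abctech,DC=com": {
        "samaccountname": ["userxyz"],
        "memberof": [],  # not a member of the VPN group
    },
    "CN=G_Open_VPN,OU=LDAP_Pfsense,DC=abctech,DC=com": {
        "objectclass": ["group"],
        "member": ["CN=userabc,CN=Users,DC=abctech,DC=com"],
    },
    "CN=Pfldap,OU=LDAP_Pfsense,DC=abctech,DC=com": {
        "samaccountname": ["Pfldap"],
        "memberof": [],
    },
}


def parse_debug_log(text):
    """Collect the 'LDAP Debug: <Key>: <value>' fields from pfSense's log lines."""
    fields = {}
    for m in re.finditer(r"LDAP Debug: ([A-Za-z ]+?): (.*)", text):
        fields[m.group(1)] = m.group(2).strip()
    return fields


def norm(value):
    """Case-fold a DN or attribute value and strip spaces around RDN separators."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def in_scope(entry_dn, base_dn, scope):
    """Apply LDAP search scope: base, one (direct children) or subtree."""
    e, b = norm(entry_dn), norm(base_dn)
    if scope == "base":
        return e == b
    if scope == "one":
        return e.endswith("," + b) and "," not in e[: -len(b) - 1]
    return e == b or e.endswith("," + b)  # subtree


def parse_filter(s):
    """Parse a small subset of RFC 4515 filters: &, |, ! and equality matches."""
    def parse(i):
        if s[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if s[i] in "&|!":
            op, i, kids = s[i], i + 1, []
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if s[i] != ")":
                raise ValueError("unterminated %s filter" % op)
            return (op, kids), i + 1
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")
        return ("=", attr.strip().lower(), value.strip()), end + 1
    node, i = parse(0)
    if i != len(s):
        raise ValueError("trailing data in filter")
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attribute dictionary."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        return norm(value) in {norm(v) for v in attrs.get(attr, [])}
    kids = node[1]
    if op == "&":
        return all(matches(k, attrs) for k in kids)
    if op == "|":
        return any(matches(k, attrs) for k in kids)
    return not matches(kids[0], attrs)  # "!"


def ldap_search(directory, base_dn, scope, filter_str):
    """Return the DNs under base_dn (per scope) whose attributes satisfy the filter."""
    node = parse_filter(filter_str)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base_dn, scope) and matches(node, attrs))


def simulate_pfsense_lookup(log_text, directory):
    """Replay the Container / Scope / Filter that pfSense logged against the snapshot."""
    f = parse_debug_log(log_text)
    return ldap_search(directory, f["Container"], f["Scope"], f["Filter"])


if __name__ == "__main__":
    f = parse_debug_log(DEBUG_LOG)
    print("container as logged :", simulate_pfsense_lookup(DEBUG_LOG, DIRECTORY))
    print("container = domain  :", ldap_search(DIRECTORY, "DC=abctech,DC=com", "subtree", f["Filter"]))
```

The first search reproduces the "no user matching userabc" outcome: the group's DN in the memberOf assertion is correct, but the user entry is outside the OU=LDAP_Pfsense search base. Widening the container to a base that contains the user objects makes the same filter return only the group members, which is the access restriction the post is after; the Container setting decides where users are looked for, and the memberOf part of the filter decides which of them are accepted. The same replay can be run against the live directory with ldapsearch, using the logged values for the base (-b), scope (-s) and filter, to confirm what the server itself returns.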
-
Without the extended query but with OU=LDAP_PFsense set, does it return any users? And/or list the groups they are members of?
-
@stephenw10 said in Cannot set LDAP to use group for OpenVPN authentication:
Without the extended query but with OU=LDAP_PFsense set does it return any users. And or list groups they are members of?
Sorry, I couldn't get you. Do you mean that I give it a try by unchecking "Enable Extended Query"?
Regarding "but with OU=LDAP_PFsense set", do you mean enter this in "Authentication containers", which it already has, and then click "Select container"?
If so, I am able to see groups, members etc. after doing so.
-
Hmm, so it appears that just the extended query is filtering out all users even though they should be members of the G_Open_VPN group?