    Microsoft AD Authentication

    2.0-RC Snapshot Feedback and Problems - RETIRED
    belim

      Hi All,

      Was hoping someone might be able to help me; I am hoping it's me doing something stupid wrong.

      I get it set up, and using Diagnostics - Authentication it seems to authenticate fine, except it will not display what groups a user is in. It just comes up blank.

      The attributes appear to be set fine:

      User naming attribute - samAccountName
      Group naming attribute - cn
      Group member attribute - memberOf

      Are there any known issues with this or any documentation for it? :)

    Gloom

        User naming attribute - samAccountName
        Group naming attribute - memberOf
        Group member attribute - memberOf

        and then create the group you want them to be a member of locally and assign it the page rights.

        Also please make sure the account you are using to bind to LDAP is a non-privileged one and not the admin account, as that is a security risk.

        Never underestimate the power of human stupidity

    belim

          The default template sets 'Group naming attribute' as 'cn', not 'memberOf'? Is that a bug? Also, if you look through MS AD with an LDAP browser the groups are named with 'cn='…

          Does it work so you create a local group with the corresponding name as an AD group, then when I do the authentication test and the groups are the same it will list the user as being in that group? Is it then possible to set OpenVPN to only allow users of certain groups to connect? All I can see is that users authenticate against the domain, nothing any more specific.

          And don't worry - the bind user is a non-privileged user :)

          Edit: Got it. Answered my own question about the groups! You create the group on pfSense corresponding to the AD group and it maps the user, in case anyone has the same question :) The only bit is the available privileges for the groups don't include OpenVPN - only L2TP, PPPoE and PPTP?

    Gloom

            Yes, sorry, my answer was not very clear on the create-group bit. You create a local group on the box with the same name as the AD group that the people logging into the box are members of, and assign the group rights.

            Never tried using this method with OpenVPN. I just link it in to RADIUS authentication on the DCs, as I already had that set up for the captive portals we run for public WiFi access.

            Anyhow glad you got it sorted.

            Never underestimate the power of human stupidity

    drcookie
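The mapping Gloom describes above (AD returns the user's group DNs in memberOf, the group name is the CN of each DN, and a user picks up the rights of every local group whose name matches) is shown below as an added example. It is not pfSense's own code and makes no claim about how pfSense compares names internally; the group DNs, local group names and privilege identifiers in it are constructed for illustration, and the match is an exact string compare.

```python
"""Map an AD user's memberOf values to locally defined groups (added example).

The only parsing needed is of the group DNs themselves. AD escapes special
characters in a CN (for example a comma in "Smith, John") with a backslash or
a backslash plus two hex digits, so a DN parser that splits on every comma
would mangle such names. parse_dn() handles both escape forms.
"""
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) pairs, honouring escapes.

    Only ',' is treated as an RDN separator (multi-valued RDNs joined with '+'
    do not occur in AD group DNs). Attribute names are stripped of the
    whitespace that may follow a separator; values are taken as-is.
    """
    rdns = []
    attr = []              # characters of the current attribute type
    value = bytearray()    # raw bytes of the current value (hex escapes are bytes)
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if not in_value:
            if c == "=":
                in_value = True
            else:
                attr.append(c)
            i += 1
            continue
        if c == "\\" and i + 1 < n:
            nxt = dn[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(nxt):       # "\2C" -> byte 0x2C
                value.append(int(nxt, 16))
                i += 3
            else:                              # "\," -> literal ","
                value.extend(dn[i + 1].encode("utf-8"))
                i += 2
            continue
        if c == ",":                           # unescaped separator: flush RDN
            rdns.append(("".join(attr).strip(), value.decode("utf-8")))
            attr, value, in_value = [], bytearray(), False
            i += 1
            continue
        value.extend(c.encode("utf-8"))
        i += 1
    if attr:                                   # flush the final RDN
        rdns.append(("".join(attr).strip(), value.decode("utf-8")))
    return rdns


def group_names(member_of):
    """Return the CN of each DN in memberOf, in order; DNs with no leading CN are skipped."""
    names = []
    for dn in member_of:
        rdns = parse_dn(dn)
        if rdns and rdns[0][0].lower() == "cn":
            names.append(rdns[0][1])
    return names


def effective_privileges(member_of, local_groups):
    """Return (matched local group names, sorted union of their privileges).

    A group the user belongs to in AD but which has no local counterpart
    contributes nothing, which is why the authentication test shows no groups
    until the local groups have been created.
    """
    matched, privs = [], set()
    for name in group_names(member_of):
        if name in local_groups:
            matched.append(name)
            privs.update(local_groups[name])
    return matched, sorted(privs)


# Constructed sample of what AD might return for one user.
SAMPLE_MEMBER_OF = [
    "CN=Firewall Admins,OU=Groups,DC=example,DC=local",
    "CN=VPN Users,OU=Groups,DC=example,DC=local",
    "CN=Smith\\, John Team,OU=Groups,DC=example,DC=local",   # backslash-escaped comma
    "CN=Ops\\2CTier2,OU=Groups,DC=example,DC=local",         # hex-escaped comma
]

# Constructed local groups; the privilege identifiers are illustrative only.
SAMPLE_LOCAL_GROUPS = {
    "Firewall Admins": ["page-all"],
    "VPN Users": ["user-shell-access"],
}

if __name__ == "__main__":
    print(group_names(SAMPLE_MEMBER_OF))
    print(effective_privileges(SAMPLE_MEMBER_OF, SAMPLE_LOCAL_GROUPS))
```

Running it lists the four CNs, including the two containing escaped commas, and reports that only the two groups which also exist locally contribute privileges; clearing the local groups gives an empty match, the "blank" result from the first post.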

              I have been looking everywhere for this documentation, thank you very much!

              I really wish the documentation regarding this aspect of pfSense wasn't so sparse as all I could find were bits of info alluding to the fact that it was POSSIBLE to use the AD group memberships to authorize WebGUI functions, but not how to accomplish it.

              Thanks again,

              Chris

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.