Microsoft AD Authentication



  • Hi All,

    Was hoping someone might be able to help me, I am hoping its me doing something stupid wrong.

    I get it setup, and using the diagnostics - authentication it seems to authenticate fine except it will not display what groups a user is in. It just comes up blank.

    The attributes appear to be set fine:

    User naming attribute - samAccountName
    Group naming attribute - cn
    Group member attribute - memberOf

    Are there any known issues with this or any documentation for it? :)



  • User naming attribute - samAccountName
    Group naming attribute - memberOf
    Group member attribute - memberOf

    and then create the group you want them to be a member of locally and assign it the page rights.

    Also please make sure the account you are using to bind to LDAP is a non-privileged one and not the admin account, as that is a security risk.



  • The default template sets 'Group naming attribute' as 'cn' not 'memberOf'? Is that a bug? Also in you look through MS AD with a LDAP browser the groups are named with 'cn='…

    Does it work so you create a local group with the corresponding name as an AD group, then when I do the authentication test and the groups are the same it will list the user as being in that group? Is it then possible to set OpenVPN to only allow users of certain groups to connect? All I can see is that users authenticate against the domain, nothing any more specific..

    And dont worry - the bind user is a non privileged user :)

    Edit: Got it. Answered my own question about the groups! You create the group on pfSense corresponding to the AD group and it maps the user in case anyone has the same question :) The only bit is the available privileges for the groups dont include OpenVPN - only L2TP, PPPoE  and PPTP?



  • Yes sorry my answer was not very clear on the create group bit. You create a local group on the box with the same name as the AD group that the people logging into the box are members of and assign the group rights.

    Never tried using this method with OpenVPN. I just link it in to radius authentication on the DCs as I already had that setup for the captive portals we run for public WiFi access.

    Anyhow glad you got it sorted.



  • I have been looking everywhere for this documentation, thank you very much!

    I really wish the documentation regarding this aspect of pfSense wasn't so sparse as all I could find were bits of info alluding to the fact that it was POSSIBLE to use the AD group memberships to authorize WebGUI functions, but not how to accomplish it.

    Thanks again,

    Chris


Log in to reply