Newbie, 2.0 RC2 7/6/2011 Build - LDAP/Active Directory Setup



  • Hi,

I'm in the process of moving our firewall from SmoothWall to PFsense, have been playing about with PF and love it, however, I'm tearing my hair out in setting up the openvpn / active directory authentication.

    Machine
    HP DL360 G3, 2gb Ram, 4 NIC ports

    Network config :-

    LAN
    PFSense 192.168.16.190/24 static
    SBS2008R2 Server 192.168.16.3
    All clients assigned IP addresses by the SBS DHCP server
    SBS Domain DMS.local

    WAN
    Both wan ports disabled for now

    DNS Server
    DNS Server set to 192.168.16.3 (the SBS server - this is the way SW is configured, and that works)

    Pfsense Name
    Hostname: Firewall
    Domain:DMS.local

    I can Ping the SBS box perfectly, so that appears fine, and if I enable the WAN ports, I can connect to the internet and update the PFsense build etc.

    Everything else is completely as per a clean install - I thought one of the packages I had installed might be messing things up, so did another clean install.

    The problem I have is in the configuration of the AD authentication.. under user manager > servers

    It seems that no matter what settings I enter, I get the message :-

    "Could not connect to the LDAP server. Please check your LDAP configuration."

    I'll attach a screenshot of the config in case the error is there.

I've installed jXplorer on my desktop machine to try the AD authentication, and that seems to work fine.

    Could anyone give me a helping hand please?

    Many thanks in advance.

    Harv




  • Thought I would update this in case anyone else is going through the same pain!

    As a test, I went to system > user manager > settings

    Then selected my AD server, and clicked save and test. The first 2 tests passed, but it failed on the 3rd. This would appear to indicate an authentication problem, so after a couple more hours messing about with the settings for LDAP I came up with a set that works!

    I'll post here.. hopefully it will be of use to someone.

Note that LDAP Auth is the first name and last name of a user created to allow AD authentication without rights anywhere else.

    Image attached.

    ![LDAP AD 2.png](/public/imported_attachments/1/LDAP AD 2.png)



  • I seem to be going through a similar problem – I get the same "Could not connect to the LDAP server. Please check your LDAP configuration." message -- see my post at http://forum.pfsense.org/index.php/topic,38257.0.html
    When I run the test, it does connect and bring up some OUs and objects for me, as described in the link, but I'm stuck at either allowing all users in the domain to log in (by manually adding CN=Users to the Authentication containers) or none, as any other group I enter doesn't seem to work.

    I note that you're trying to authenticate against an SBS – while I'm using a Windows 2003 standard server, the domain itself was created on an SBS 2000 server many moons ago but has since been migrated to non-SBS DCs.

    I wonder if the issue is the AD/OU structure created by SBS being slightly different than a non-SBS-created AD, which the LDAP connector in pfSense in its current form doesn't know how to traverse properly.

    UPDATE: See my post linked above for a workaround for filtering by group.
