LDAP parameters for OpenVPN on pfSense 2.0



  • Hey all, trying to set up LDAP authentication for OpenVPN against my SME Server LDAP, but I'm getting stuck on some of the parameters. Can anyone assist?

    Hostname or IP address = x.x.x.x (my SME server IP goes here)
    Port value = 389
    Transport = TCP-Standard
    Protocol version = 3
    Level: One level

    Base DN = ??  (forums suggest dc=company;dc=com)
    Authentication containers = ?? (again, forums suggest ou=Users;dc=company;dc=com)

    Bind credentials = Use anonymous ticked
    Initial template = OpenLDAP

    User naming attribute = ?? (default is cn)
    Group naming attribute = ?? (default again is cn)
    Group member attribute = ?? (default is member)

    Putting in dc=company;dc=com and hitting select gives me this –> http://imageshack.us/photo/my-images/200/pfsenseldap.jpg/
    but Diagnostics:Authentication fails.

    I've got a contrib installed that lets me see my LDAP schema which results in this pic --> http://imageshack.us/photo/my-images/121/phpldapinfo.jpg/

    Any advice/help appreciated!

    Craig.



  • Can any members that have this working assist on this?

    Thank you in advance.



  • I'm also interested. This is my next project.



  • Hi,

    I have OpenVPN authenticating against my OpenLDAP server.  It's not happening as I would like it to, but this may get you started:

    From your jpegs the distinguishedName of your users is in the format: uid=name,ou=Users,dc=hn,dc=local

    So…your BaseDN should be: ou=Users,dc=hn,dc=local
    Level: One Level
    Set your Authentication Container to the same: ou=Users,dc=hn,dc=local
    User naming attribute should be: uid (as that is what you use!)
    Group naming attribute and Group member attribute make little difference at this point.

    This will allow ANYONE in your ou=Users tree to log in.  Which may, or more likely, may not, be what you want.  And this is the problem I'm having.

    I have a user with the DN of: uid=fred,ou=people,dc=example,dc=com
    Setting the VPN up as above, he can connect successfully and the logs say:
    openvpn: : Now Searching for fred in directory.
    openvpn: : Now Searching in server MyLDAP, container ou=people,dc=example,dc=com with filter (uid=fred).
    Logged in successfully as fred via LDAP server MyLDAP with DN = uid=fred,ou=people,dc=example,dc=com.
    openvpn: user fred authenticated

    I'm guessing that, like me, you want only users in your cn=pmb_vpn group to have access.  From your images I can't see if your vpn group is static or dynamic.  That said, I can't get either to work.  I think that dynamic groups are a no-no on account of how they are searched, but I have a static group and it still doesn't work.  The static group (cn=vpn,ou=groups,dc=example,dc=com) has the following members who may use the VPN:
    member: uid=fred,ou=people,dc=example,dc=com
    member: uid=joe,ou=people,dc=example,dc=com
    etc..

    I set my Authentication Container to: cn=vpn,ou=groups,dc=example,dc=com
    User naming attribute remains: uid
    Group naming attribute: cn
    Group member attribute: member

    And I try the VPN with the user fred...but I get the following log:

    openvpn: : Now Searching for fred in directory.
    openvpn: : Now Searching in server MyLDAP, container cn=vpn,ou=groups,dc=example,dc=com with filter (uid=fred).
    openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
    openvpn: user fred could not authenticate.

    And the VPN doesn't authenticate :(

    Ideally I need it to filter the ou=people branch with: "(&(uid=fred)(vpnUser=true))" as I have a bespoke attribute vpnUser which is either true or false for each user (that is how the dynamic vpn group was created).
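    The two log outcomes in the post above, reproduced offline as an added example (not code from the thread or from pfSense): an in-memory directory using the poster's DNs, the one-level search pfSense performs with filter (uid=<user>), and the two restrictions the post discusses (membership in the static cn=vpn group, and the bespoke vpnUser attribute). The extra user "ann", the vpnUser values and the tiny filter evaluator are constructed assumptions.

```python
# Added example: models the pfSense LDAP lookup from the thread, not pfSense's own code.
# DIRECTORY is constructed sample data reusing the DNs from the post; "ann" is invented.
DIRECTORY = {  # DN -> attributes
    "uid=fred,ou=people,dc=example,dc=com": {"uid": ["fred"], "vpnUser": ["true"]},
    "uid=joe,ou=people,dc=example,dc=com": {"uid": ["joe"], "vpnUser": ["true"]},
    "uid=ann,ou=people,dc=example,dc=com": {"uid": ["ann"], "vpnUser": ["false"]},
    "cn=vpn,ou=groups,dc=example,dc=com": {
        "cn": ["vpn"],
        "member": ["uid=fred,ou=people,dc=example,dc=com",
                   "uid=joe,ou=people,dc=example,dc=com"],
    },
}

def matches(attrs, flt):
    """Evaluate the two filter shapes seen in the thread: (a=v) and (&(a=v)(b=w))."""
    if flt.startswith("(&"):
        parts = flt[2:-1].replace(")(", ")\x00(").split("\x00")
        return all(matches(attrs, p) for p in parts)
    attr, value = flt.strip("()").split("=", 1)
    return value in attrs.get(attr, [])

def search_one_level(base, flt):
    """Scope 'One level': only entries whose parent DN is exactly the container.
    Naive string comparison of DNs; a real server normalises case and spacing."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.split(",", 1)[1] == base and matches(attrs, flt)]

def pfsense_lookup(user, container, extra=None):
    """pfSense searches the container with (uid=<user>) and needs exactly one hit.
    Returns the user's DN, or None for 'search failed, or multiple users were found'."""
    flt = f"(uid={user})" if extra is None else f"(&(uid={user}){extra})"
    hits = search_one_level(container, flt)
    return hits[0] if len(hits) == 1 else None

def in_static_group(user_dn, group_dn):
    """Second step a restrictive setup needs: is the found DN listed as a group member?"""
    return user_dn in DIRECTORY.get(group_dn, {}).get("member", [])

if __name__ == "__main__":
    people = "ou=people,dc=example,dc=com"
    group = "cn=vpn,ou=groups,dc=example,dc=com"
    print(pfsense_lookup("fred", people))   # found: the users container holds uid entries
    print(pfsense_lookup("fred", group))    # None: a group entry has members, not child uid entries
    print(pfsense_lookup("ann", people, "(vpnUser=true)"))  # None: attribute-based restriction
    dn = pfsense_lookup("fred", people)
    print(dn is not None and in_static_group(dn, group))    # True: lookup, then membership check
```

    Searching the group DN itself with a one-level scope can never match a uid entry, which is why the second log excerpt reports a failed search; limiting access needs either a user-level attribute in the filter or a membership check after the user lookup.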



  • Any news about pfSense2 authenticate against SME8 LDAP ?

    I'd like to have it running SquidProxy/DansGuard authenticated!



  • @jader:

    Any news about pfSense2 authenticate against SME8 LDAP ?

    I'd like to have it running SquidProxy/DansGuard authenticated!

    Hi,

    I am interested too… (pfSense v2.0.1)

    But can't get it working so far...
    But keep trying...

    Regards,

