Tutorial PFSense 2.0: Active Directory -> User Manager
-
Hey guys,
I couldn't find any good screenshot-based tutorials on this so thought I'd write one up. This is to enable authentication of pfsense using Active Directory and LDAP. This was using Windows Server 2008 R2 which I could connect to over an IPSec tunnel. However, it's probably easier and more reliable to have your Domain Controller connected to one of the local interfaces on PFsense.
Go to system->user manager->servers. Click the add icon
-
Enter a name e.g. your active directory domain name and set the type to LDAP. Enter the IP address of your domain controller
-
Hostname or IP address: Enter the IP address of your domain controller here. I'd recommend the IP in case your DNS is broken, which often happens to me. Remember, if you are using the DNS name of your domain controller, e.g. domaincontroller.pbs.local, you need to use your domain controller as the DNS in the general settings of PFsense, as it won't resolve otherwise. I'm a big fan of having all my servers on public IPs and am going to convert my domain to a proper FQDN to help stamp out these DNS problems.
-
The Base DN usually follows the format DC=[part of domain name between a dot],DC=[next part of a domain name before dot, or the last part] etc. My domain name was pbs.local, so our base DN is "DC=pbs,DC=local". If my domain name was cooldomainname.com then it would be "DC=cooldomainname,DC=com" (no quotation marks).
-
Authentication Containers are the actual unit within your active directory that your users reside in. I have an OU called "PBS Users", but by default active directory has a CN called "Users". So for most people you would write "CN=Users,DC=firstdomainpart,DC=local".
-
My domain controller didn't allow anonymous LDAP searches, so I had to create a username and password in my active directory to authorize pfsense. Interestingly, it wouldn't work unless I put the "PBS\" in front, even though the accounts themselves don't need that, so it could be worth checking for troubleshooting.
-
Use the Microsoft AD template as the initial template, or just copy my values.
-
Now we need to create a group and add an AD user to that group who will have access to PFsense. Interestingly enough, I couldn't use the Domain Admins group as Microsoft have some feature in LDAP which stops this from being returned - weird or good security? You decide, but it's bloody annoying! Anyway, you need to create a group with the SAME NAME in PFsense and give it the relevant permissions.
-
Go back to system->user manager->settings and choose the new LDAP authentication server.
-
Save everything and go to the diagnostics->authentication menu item. Yay, it works!
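An added example, not code from the thread or from pfSense itself, that turns the tutorial's DN rules into small functions and mimics the group-matching step that trips people up later in the thread. The exact-name comparison of the CN from each memberOf value against the local pfSense group names is an assumption modelled on the "SAME NAME" instruction above; the memberOf entries are constructed sample data.

```python
import re

# Constructed sample of what AD returns in a user's memberOf attribute.
# Note: a user's primary group (Domain Users by default) is never listed here.
SAMPLE_MEMBER_OF = [
    "CN=RouterAdmins,OU=PBS Users,DC=pbs,DC=local",
    r"CN=Smith\, John Team,CN=Users,DC=pbs,DC=local",  # escaped comma in CN
]

def base_dn(domain):
    """pbs.local -> DC=pbs,DC=local: one DC= component per dotted label."""
    return ",".join("DC=" + label for label in domain.strip(".").split("."))

def container_dn(container, domain):
    """Authentication container (CN=Users or e.g. OU=PBS Users) under the base DN."""
    return container + "," + base_dn(domain)

def bind_identities(sam, netbios, domain, container="CN=Users"):
    """The three spellings of a bind account mentioned in the thread:
    NETBIOS\\user, user@dns.domain and the full DN."""
    return {
        "netbios": netbios + "\\" + sam,
        "upn": sam + "@" + domain,
        "dn": "CN=" + sam + "," + container_dn(container, domain),
    }

# Leading CN RDN of a DN; a backslash escapes the next character (e.g. '\,').
_CN_RDN = re.compile(r"^CN=((?:\\.|[^,])+)", re.IGNORECASE)

def group_cn(dn):
    """Return the unescaped CN of a memberOf value, i.e. the group name."""
    match = _CN_RDN.match(dn)
    if not match:
        raise ValueError("memberOf value does not start with CN=: " + dn)
    return re.sub(r"\\(.)", r"\1", match.group(1))

def diagnose_groups(member_of, pfsense_groups):
    """Compare AD group CNs with pfSense group names (exact match assumed).
    Returns the matched names plus names that differ only by case, one
    reason for a 'user is not a part of any group' result."""
    cns = [group_cn(dn) for dn in member_of]
    lowered = {cn.lower() for cn in cns}
    matched = [g for g in pfsense_groups if g in cns]
    case_only = [g for g in pfsense_groups
                 if g not in cns and g.lower() in lowered]
    return {"matched": matched, "case_mismatch": case_only}
```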
-
-
Thanks for doing this. I'll probably be working through this very setup with your how-to this weekend, I'll let you know how it goes.
-
Perhaps someone can help. I am able to authenticate to my AD server. However, it says the user is not a part of any group.
I have a group in pfsense named RouterAdmins
I have a group in AD which is in the OU i specified
The user I'm authenticating with belongs to the aforementioned group. Puzzled.
-
Congratulations, nice job :)
-
Hi guys
I have followed exactly what has been shown on the screen; however, I'm still stuck and nothing seems to work. LDAP failed to authenticate.
Any diagnostics I need to perform in order to identify what is lacking?
spiv….
Instead of manually typing in the Authentication Container I used the "select" button.
If you get errors when you press that, you are entering credentials incorrectly or the user you're using does not have the correct rights.
Unlike the OP, I did not require domain\user. Only \user.
-
Thank you for your screenshots, which made it really easy to configure PFsense to sync with Active Directory.
I also wanted to sync SquidGuard with my Active Directory, but I am not able to do that. When I configure the settings, it prompts for a user name and password while browsing and does not accept any username and password. Here I am attaching my screenshot. We are using a Primary DC and a Child DC at our organization. Here abc is my Child DC and efggroup.com is my Primary DC:
CN=administrator,CN=Users CN,dc=abc,dc=efggroup,dc=com
CN=cdc5,DC=abc,DC=efggroup,DC=com
I request you to help with the same.
-
-
Hello, I did it, but the test shows me the following error:
"Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /etc/inc/auth.inc on line 1021
pfsense.XXXXXX.com.br"
Thanks for the posting. It was invaluable to setting up the authentication. Thanks, too, for the Active Directory Pictures.
PFSENSE. I found that I could spell the authentication in two ways. Both spellings are in the popup where I created the pfsense user:
CNT\pfsense OR
pfsense@cnt.local
SYSTEM LOGS and Error Message. When I had the wrong bind credentials, I saw the following at the top of my Firefox display and IE display:
Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /etc/inc/auth.inc on line 1049
Also, the system logs showed a corresponding error:
php: /diag_authentication.php: ERROR! Could not connect to server Active_Directory_LDAP.
Thanks
First of all, thanks for the clear tutorial!
Question though, how do you guys handle admin accounts when authenticating with AD?
For instance: I have the default admin and another two admin accounts created.
I then made the AD link which works fine, but when I log on with one of the two custom admin accounts the 'no page assigned' error appears.
Default account keeps working though, but that one has a huge random password :)
-
Add a group. Click the group and add privileges :)