Openvpn, openldap and certificates



  • I have PFsense 2.x (love it!) and it's working with OpenLDAP - I'm wondering how I'd setup the users with certificates.  I can setup local users with certificates but can't use ldap to authenticate.  I can use ldap to manage my users but I can't setup certificates.  If this is answered somewhere else, please let me know - I looked around for about 2 days…

    Thanks,
    Mitch


  • Rebel Alliance Developer Netgate

    Just use the certificate manager, make certificates with CN's that match the username, they should show up to export.



  • That would be great - just to confirm a few things - I create the certificates on the PFsense box that match the username from LDAP.  Then LDAP users would use their LDAP password and the PFsense certificate.  If the user doesn't have an LDAP account they can't get in OR if they don't have a certificate (but they have a valid LDAP account) they couldn't get in, right?  I want to make sure we can control users who are in LDAP but shouldn't have VPN access…


  • Rebel Alliance Developer Netgate

    Correct, and if you check the box for strict user/CN matching then they can't get in unless the CN of their certificate matches their auth username.


Log in to reply