Netgate Discussion Forum
    LDAP Authentication against Active Directory

General pfSense Questions
7 Posts, 4 Posters, 4.8k Views
petros

Hi All,
I have seen several posts about this issue, but since I have not seen anything very recent, I thought I would raise this again to see if the feature now works without issue.

I am using 2.1.5 and I am trying to authenticate against Windows Server 2012. I have set things up as I read in the 2.1 book.

When I go to System -> User Manager -> Settings and I click Save and Test, the Active Directory structure is returned just fine, so I know it is communicating with AD. However, when I go to Diagnostics -> Authentication and enter a username and password and click Test, it fails and I see this error in the system logs: diag_authentication.php: ERROR! Either LDAP search failed, or multiple users were found.
petros

Just wanted to add that I decided to try RADIUS authentication since no one replied. Set it up again according to the 2.1 book. When I tested again in Diagnostics -> Authentication, I get the same failure error. I checked the event log on the RADIUS server and I saw a log entry, event ID 4400: "A LDAP connection with domain controller name.domain.net for domain DOMAIN is established." I'm not seeing any errors at all. Could anyone help please?

Either of the two, LDAP or RADIUS, would help me. I don't want to have to go back to SonicWall.
Thanks
BeerCan

FWIW, I have AD LDAP working fine. Not sure exactly what the problem is, but I would think it is in the setup. I am posting mine in case it helps you, but of course you have to change things as they pertain to your network.

A couple of questions: Do your group names have spaces? What do you have as the value of "Group member attribute"?

Make sure your backend LDAP is set up correctly. You can check it under System -> User Manager and click the Servers tab.
For me, getting this right was the biggest hassle.

LDAP page from my config (sanitized); change your entries as needed.

Hostname or IP address = your LDAP server
Port value = 389
Transport = TCP
Peer Certificate Authority = not really used if transport is TCP
Protocol version = 3
Search scope = one level
Base DN = DC=domainname,DC=com
Authentication containers = CN=Users,DC=domainname,DC=com
Extended Query = memberOf=CN=VPNGroupname,CN=Users,DC=domainname,DC=com (I use this because all my VPN users are in a user group in AD)
Bind credentials = User DN: user@domainname.com, Password = password (do not use an admin account)
User naming attribute = samAccountName
Group naming attribute = cn
Group member attribute = memberOf

[attached screenshot: 2014-09-04_090134.jpg]
petros

Thanks so much for replying.
I checked your config against mine and the only field that is different is the Extended Query field. I have CN=Users,DC=domainname,DC=net in the Extended Query field.

In answer to your question, some of the security groups have spaces, but the security group I am using for pfSense does not.

I am going to play with my entries in the Extended Query field to see if I can get anything to work.

Thanks again.
petros

Well, all I did was add memberOf=CN=VPNGroupname from your post to the Extended Query field and it started to work, so I guess that was it.
Thank you very much for your help.
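Why petros's first Extended Query (a bare container DN) failed while BeerCan's memberOf term worked becomes clear once you model how the backend composes the search: the user lookup (samAccountName=user) is AND-ed with whatever is in Extended Query, so a container DN turns into a meaningless equality term and matches nothing, and the same "exactly one hit" rule also fires when a naming attribute such as cn is not unique across the search scope. Because the username is spliced into the filter, it must be RFC 4515-escaped or a crafted login name can add its own filter terms. The script below is an added example written for this thread, not pfSense's own code: the directory contents are constructed sample data, and the filter composition, the one-level versus subtree handling and the single-hit rule are assumptions about how the backend behaves.

```python
"""Model of how a pfSense-style LDAP backend combines the User naming
attribute and the Extended Query into one search filter, and what the two
failure branches behind "Either LDAP search failed, or multiple users were
found" look like. Added example, not pfSense code (assumed composition)."""
import re

# Constructed sample directory: DN -> attributes. Values are lists because
# AD attributes such as memberOf are multi-valued.
SAMPLE_DIRECTORY = {
    "CN=petros,CN=Users,DC=domainname,DC=net": {
        "sAMAccountName": ["petros"],
        "cn": ["petros"],
        "memberOf": ["CN=VPNGroupname,CN=Users,DC=domainname,DC=net"],
    },
    "CN=svc-pfsense,CN=Users,DC=domainname,DC=net": {
        "sAMAccountName": ["svc-pfsense"],
        "cn": ["svc-pfsense"],
        "memberOf": [],
    },
    "CN=petros,OU=Contractors,DC=domainname,DC=net": {
        "sAMAccountName": ["petros.ext"],
        "cn": ["petros"],
        "memberOf": [],
    },
}
USERS_CONTAINER = "CN=Users,DC=domainname,DC=net"
VPN_GROUP_QUERY = "memberOf=CN=VPNGroupname," + USERS_CONTAINER


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a filter, so a username like
    'petros)(memberOf=*' cannot splice extra terms into the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(naming_attr, username, extended_query=""):
    """AND the user lookup with the Extended Query (assumed composition)."""
    user_term = "(%s=%s)" % (naming_attr, escape_filter_value(username))
    if not extended_query:
        return user_term
    return "(&%s(%s))" % (user_term, extended_query)


def _parse(filt, pos=0):
    """Tiny parser for the subset used here: (&...) and (attr=value)."""
    assert filt[pos] == "("
    pos += 1
    if filt[pos] == "&":
        pos += 1
        children = []
        while filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        return ("&", children), pos + 1
    end = filt.index(")", pos)
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr, value), end + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(node, attrs):
    """Evaluate a parsed filter against one entry; AD compares these string
    attributes and their names case-insensitively."""
    if node[0] == "&":
        return all(_matches(child, attrs) for child in node[1])
    _, attr, value = node
    wanted = _unescape(value).lower()
    for name, values in attrs.items():
        if name.lower() == attr.lower():
            return any(v.lower() == wanted for v in values)
    return False


def search(directory, base_dn, scope, filt):
    """DNs under base_dn matching filt; scope is 'one' or 'sub'."""
    node, _ = _parse(filt)
    hits = []
    for dn, attrs in directory.items():
        parent = dn.split(",", 1)[1]
        if scope == "one" and parent.lower() != base_dn.lower():
            continue
        if dn.lower().endswith("," + base_dn.lower()) and _matches(node, attrs):
            hits.append(dn)
    return hits


def lookup_user(containers, scope, naming_attr, username, extended_query=""):
    """Return (dn, filter) when exactly one entry matches across the
    Authentication containers, else (None, filter): anything other than a
    single hit is the condition the forum's log line reports."""
    filt = build_user_filter(naming_attr, username, extended_query)
    hits = [dn for c in containers for dn in search(SAMPLE_DIRECTORY, c, scope, filt)]
    return (hits[0] if len(hits) == 1 else None), filt


if __name__ == "__main__":
    # BeerCan's layout: one level under CN=Users, restricted to the VPN group.
    print(lookup_user([USERS_CONTAINER], "one", "sAMAccountName", "petros", VPN_GROUP_QUERY))
    # petros's first attempt: a container DN is not a filter term, so the
    # query becomes (CN=Users,DC=domainname,DC=net) and matches nothing.
    print(lookup_user([USERS_CONTAINER], "one", "sAMAccountName", "petros", USERS_CONTAINER))
    # Metacharacters in the username are escaped rather than spliced in.
    print(lookup_user([USERS_CONTAINER], "one", "sAMAccountName", "petros)(memberOf=*", VPN_GROUP_QUERY))
    # Subtree search on cn instead of sAMAccountName: two entries share cn=petros.
    print(lookup_user(["DC=domainname,DC=net"], "sub", "cn", "petros"))
```

To check the same thing against a real domain controller from a shell before blaming pfSense, run the composed filter with OpenLDAP's client, e.g. ldapsearch -x -H ldap://dc.domainname.net -D user@domainname.net -W -b "CN=Users,DC=domainname,DC=net" -s one "(&(sAMAccountName=petros)(memberOf=CN=VPNGroupname,CN=Users,DC=domainname,DC=net))" and confirm that exactly one entry comes back; zero or several entries reproduce the forum's error regardless of what the firewall does.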
TasMot

One issue I ran into is that the "Hostname" must resolve. I could never get a hostname to resolve even when I added my internal DNS servers to the general setup. I had to specify the IP address of one of my AD servers to get this to work.
HCJ

If you want to log into the pfSense admin with AD users, you need to enable Active Directory as an Authentication Server.

Go to:
System - User Management
Settings tab
You will see Authentication Server; in the drop-down, select your LDAP/AD server.
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.