LDAP Authentication against Active Directory

petros · Sep 10, 2014, 9:14 PM

Hi All
I have seen several posts about this issue but since I have not seen anything very recent, I thought I would raise this again to see if the feature now works without issue.

I am using 2.1.5 and I am trying to authenticate against Windows Server 2012. I have set things up as I read in the 2.1 book.

When I go to System -> User Manager -> Settings and I click save and test, the Active Directory Structure is returned just fine so I know it is communicating with AD. However, when I go to Diagnostics -> Authentication and enter a username and password and click test, it fails and I see this error in the system logs: diag_authentication.php: ERROR! Either LDAP search failed, or multiple users were found.

petros · Sep 12, 2014, 7:47 PM

Just wanted to add that I decided to try Radius authentication since no one replied. Set it up again according to the 2.1 book. When I tested again in diagnostics -> Authentication, I get the same failure error. I checked the event log on the Radius Server and I saw a log entry event id 4400. A LDAP connection with domain controller name.domain.net for domain DOMAIN is established. I'm not seeing any errors at all. Could anyone help please?

Any of the two LDAP or Radius would help me. I don't want to have to go back to Sonicwall.
Thanks

BeerCan · Sep 13, 2014, 1:26 PM

fwiw I have AD LDAP working fine. Not sure exactly what the problem is but I would think it is in the setup. I am posting mine in case if helps you, but of course you have to change things as they pertain to your network.

Couple of questions? Do your group names have spaces? What do you have as the value of "Group member attribute"?

Make sure your backend ldap is set up correctly You can check it under system –> user manager and click the servers tab.
For me getting this right was the biggest hassle

Ldap page from my config (sanitized) change your entries as needed.

Hostname or IP address = your ldap server
Port value = 389 
Transport = TCP
Peer Certificate Authority = not really use if transport is TCP
Protocol version = 3
Search scope = one level  base dn = DC=domainname,DC=com
Authentication containers = CN=Users,DC=domainname,DC=com
Extended Query = memberOf=CN=VPNGroupname,CN=Users,DC=domainname,DC=com (I use this because all my vpn users are in a user group in AD)
Bind credentials = User DN:  user@domainname.com Password = password (do not use an admin account)
User naming attribute = samAccountName
Group naming attribute = cn
Group member attribute = memberOf

petros · Sep 15, 2014, 4:18 PM

Thanks so much for replying.
I checked your config against mine and the only field that is different is the Extended Query field. I have CN=Users,DC=domainname,DC=net in the extended query field.

In answer to your question, some of the security groups have spaces but the security group I am using for pfsense does not.

I am going to play with my entries in the extended query field to see if I can get anything to work.

Thanks again.

petros · Sep 15, 2014, 5:52 PM

Well all I did was add memberOf=CN=VPNGroupname from your post to extended query field and it started to work so I guess that was it.
Thank you very much for your help.

TasMot · Jan 6, 2015, 7:17 PM

One issue I ran into is that the "Hostname" must resolve. I could never get a hostname to resolve even when I added my internal DNS servers to the general setup. I had to specify the IP address of one of my AD servers to get this to work.

HCJ · Jan 8, 2015, 4:01 PM

If you want to log into pfsense admin with ad users, you need to enable active directory as an Authentication Server.

Go to:
System - User Management
Settings tab
You will see Authentication Server, in the drop down select your ldap/ad server