Netgate Discussion Forum

    LDAP Auth only working for one user

    General pfSense Questions
    5 Posts 2 Posters 1.2k Views
    sreece

      Hello,

      I have set up an LDAP connection for PSK+XAUTH on a mobile IPsec VPN. This is working, but only for one user, and it's because I can only seem to authenticate as that user.

      2.1-RELEASE (i386)
      built on Wed Sep 11 18:16:22 EDT 2013

      Here are the server settings. I can query LDAP and choose the containers. I am using an extended query to check if the user is a member of Mobile Users. There is a space in that group, so I'm not sure if that changes anything.
      The strange thing is that I can authenticate using my domain account, but not any other account in the same OU and Mobile Users group. I even created a test account with the same group memberships as my domain account, and it still doesn't work. Could it have something to do with the fact that I'm logged in as myself when testing the authentication in pfSense? That wouldn't make any sense, but I'm at a loss.

      Thanks,
      Stephen

      [Attachment: servers.jpg (screenshot of the LDAP server settings)]

      sreece

        I created another LDAP server, this one without the extended query, and it works. However, I don't want all users in SBSUsers to have access to the VPN.

        Is there another way to limit this? Also, why is it working only for my account?

        keyser (Rebel Alliance)

          Hi Sreece

          I have been struggling with extended auth against AD groups earlier on, and after quite a lot of testing I found out that some ADs have a default setting that allows authenticated users to read some attributes on every user, whereas others don't.

          So if you create a user to perform the LDAP query (the username you use in the pfSense LDAP config page) it will work in some ADs - in others it won't.

          I'm thinking it works if you are using your own account since it's allowed to read your own attributes (but not other users).
          Try adding your LDAP query account to the account operators group. That should allow it to read the required attributes of all users and hence work.

          That's how I solved my problem (which was exactly like yours).

          Love the no fuss of using the official appliances :-)

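To tell the two failure modes in this thread apart (the bind account cannot read other users' memberOf, versus the user simply not being in the group), here is an added diagnostic script; it is not pfSense's code or the posters'. It assumes the ldap3 library and hypothetical server, account, base DN and group values, and the filter shape is an assumption of what an extended query produces when combined with the username lookup.

```python
"""Added diagnostic for the thread's symptom: an LDAP extended query that
matches one user but no others. Constructed example, not pfSense's code."""
from typing import Optional

# Placeholders (hypothetical): replace with the real directory details.
LDAP_SERVER = "ldaps://dc.example.local"
BIND_USER = "EXAMPLE\\pfsense-ldap"   # the query account from the pfSense LDAP page
BIND_PASSWORD = "CHANGE-ME"
BASE_DN = "OU=SBSUsers,DC=example,DC=local"
GROUP_DN = "CN=Mobile Users,OU=Groups,DC=example,DC=local"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value used inside a filter. The space in
    'Mobile Users' needs no escaping; backslash, * ( ) and NUL do."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, rep)
    return value


def build_filter(username: str, group_dn: str) -> str:
    """Filter of the shape an extended query 'memberOf=<group DN>' yields when
    ANDed with the username lookup (assumed '(&(attr=user)(extended))' form)."""
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(username), escape_filter_value(group_dn))


def diagnose(plain_entry: Optional[dict], extended_match: bool) -> str:
    """Combine a plain user lookup (requesting memberOf) with the extended
    query result and name the failure mode that applies."""
    if plain_entry is None:
        return "user not found: check the search base and username attribute"
    if extended_match:
        return "OK: bind account can read memberOf and user is in the group"
    if not plain_entry.get("memberOf"):
        return ("memberOf not readable by the bind account: grant it read "
                "access to group membership (the thread used Account Operators)")
    return "user is found but is not a member of the group"


def run_live(username: str) -> str:
    """Bind as the query account and run both searches (needs ldap3)."""
    from ldap3 import Server, Connection  # local import so the helpers run offline
    conn = Connection(Server(LDAP_SERVER), BIND_USER, BIND_PASSWORD, auto_bind=True)
    conn.search(BASE_DN, "(sAMAccountName=%s)" % escape_filter_value(username),
                attributes=["memberOf"])
    plain = conn.entries[0].entry_attributes_as_dict if conn.entries else None
    conn.search(BASE_DN, build_filter(username, GROUP_DN), attributes=["cn"])
    return diagnose(plain, bool(conn.entries))
```

Run `run_live("someuser")` once as the query account for a user other than yourself; AD returns the object but silently omits memberOf when the caller lacks read permission, which is exactly the case the "not readable" verdict detects.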
            sreece

            Keyser, that is exactly what the issue was. Thank you very much for your help!

              keyser (Rebel Alliance)

              Happy to help ;)

              Love the no fuss of using the official appliances :-)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.