• Hello,

    I have setup an LDAP connection for PSK+XAUTH on a mobile IPSec VPN. This is working, but only for one user, and it's because I can only seem to authenticate as that user.

    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:22 EDT 2013

    Here are the server settings. I can query LDAP and choose the containers. I am using an extended query to check if the user is a member of Mobile Users. There is a space in that group, so I'm not sure if that changes anything.
    <see servers.jpg="">The strange thing is that I can authenticate using my domain account, but not any other account in the same OU and Mobile Users group. I even created a test account with the same group memberships as my domain account, and it still doesn't work. Could it have something to do with the fact that I'm logged in as myself when testing the authentication in pfSense? That wouldn't make any sense, but I'm at a loss.



  • I created another LDAP server, this one without the extended query, and it works. However, I don't want all users in SBSUsers to have access to the VPN.

    Is there another way to limit this? Also, why is it working only for my account?

  • Hi Sreece

    I have been struggeling with extended auth againts AD groups ealier on, and after quite a lot of testing I found out that some AD's have a default setting that allows authenticated users to read some attributes on every user whereas other don't.

    So if you create a user to perform the LDAP query (the username you use in the pfsense LDAP config page) it will work in some AD's - in other it won't.

    I'm thinking it works if you are using your own account since it's allowed to read your own attributes (but not other users).
    Try adding your LDAP query account to the account operators group. That should allow it to read the required attributes of all users and hence work.

    That's how I solved my problem (which was exactly like your)

  • Keyser, that is exactly what the issue was. Thank you very much for your help!

  • Happy to help  ;)