Netgate Discussion Forum

Need help with Active Directory configuration

General pfSense Questions
16 Posts 4 Posters 5.3k Views
TyMac, last edited Jan 11, 2015, 3:16 AM

I've been following this guide linked below to no avail:

https://forum.pfsense.org/index.php?topic=44689.0

I see that there are some differences in the screenshots of the GUI in the tutorial vs my GUI (2.1.5-RELEASE (amd64)).

Can anyone tell me what I might be doing wrong based on my screenshot attached below? I always end up with authentication failed. I am using a 2012 R2 Windows server. I have not created any users that match my AD users in the pfSense box… not sure if that is my point of confusion or not.

[attachment: ad_pfsense.png]
doktornotor, last edited Jan 11, 2015, 8:37 AM

I don't think anonymous binds are enabled by default.
keyser, last edited Jan 11, 2015, 6:09 PM

Anonymous binding does not work with 2012 R2.
You need to create a user in AD that has rights to read attributes on other user accounts.
In a default AD a normal user has this right, but in an upgraded AD or a security-tightened AD it does not. In such a situation you can work around this by adding your LDAP user to the "Account Operators" security group.
Then you need to set up pfSense to use that account when binding to AD.

Love the no fuss of using the official appliances :-)
TyMac, last edited Jan 11, 2015, 9:08 PM

Ok, so I unchecked anon-binding and used the same name for the user that was in the tutorial for the credentials. I created the same group "Router Admins" as in the tutorial as well.

Clicking on the Select button on "Authentication containers" I get a pop-up error:
Could not connect to the LDAP server. Please check your LDAP configuration.

And trying to test authentication from Diagnostics >> Authentication with the pfsense username I get

The following input errors were detected:
Authentication failed.

nmap from pfSense shows 389 up along with a bunch of other ports, and authentication is working for other hosts.

I am not sure what is meant by "You need to create a user in AD that has rights to read attributes on other user accounts." I have added this user to Account Operators and I still get the same error. This is a new 2012 R2 server and there are no security tweaks.
keyser, last edited Jan 12, 2015, 8:47 PM

Could you please post a picture of your updated LDAP auth page.

As I understand it, you have created a user in AD, and you have added that user to the "Account Operators" group, so that is all the prerequisites taken care of. Thus it must be your settings.
TyMac, last edited Jan 12, 2015, 11:55 PM

By LDAP you mean my pfSense configuration, right? I have attached that. The pfsense user is in AD in Router Admins, Domain Users, Account Operators. There is no pfsense user on the router but I do have a Router Admins group.

[attachment: update_idauth.png]
keyser, last edited Jan 13, 2015, 6:37 PM

Hi

1: The Users folder in AD is actually not an OU but a container (CN), so the proper path for the authentication container would be: CN=Users,DC=Gamer,DC=local

2: Can't recall if domain\ notation works. I use user@gamer.local for the username.

That should work, and sorry about the late replies :-)
TyMac, last edited Jan 14, 2015, 12:01 AM

@keyser:

    Hi

    1: The Users folder in AD is actually not an OU but a container (CN), so the proper path for the authentication container would be: CN=Users,DC=Gamer,DC=local

    2: Can't recall if domain\ notation works. I use user@gamer.local for the username.

    That should work, and sorry about the late replies :-)

Still not working. If I hit Select beside Authentication containers I should be able to connect, correct? I cannot.
keyser, last edited Jan 14, 2015, 5:37 PM

Okay, that's really weird. Are you sure the user you entered can log on to your AD (try logging in on a workstation or connecting to a share with that login)?
Are you sure you entered the correct address for your domain controller?
Are you sure unencrypted LDAP on 389 is open on your domain controller?
marvosa, Jan 15, 2015, 12:11 AM (last edited Jan 16, 2015, 11:27 AM)

OP, assuming your DC is at 192.168.80.100 and your domain is "gamer.local", it looks like you're close. Just wanted to share what I see from my working config and yours. Let's get it connected first, then you can refine it if necessary:

• No Peer Certificate Authority configured. (This probably doesn't matter, but it's something I see that's different)

• Your Authentication containers should read… "CN=Users,DC=gamer,DC=local"

• Under Bind credentials, for "User DN:" enter the short name (e.g. DOMAIN\User)… i.e. use "gamer\administrator"

• Enter the password for the "administrator" account

• Click Save

All of your other options are identical to mine. At this point, you should be able to click on the "Select" button in the "Authentication containers" section and it should pull up all of your current containers and OUs.
TyMac, last edited Jan 16, 2015, 3:06 AM

Ok, using an account with domain admin privs allowed me to connect. I then clicked on Select on Authentication containers and chose CN=Users,DC=gamer,DC=local. After that I clicked on Diagnostics >> Authentication and tested connecting with the same admin user, which worked and told me that user was part of the "Router Admins" group. I had added that user to that group while setting up the initial AD config.

So thanks! Should there be any settings I should invest in configuring to help lock down AD access?
keyser, last edited Jan 16, 2015, 6:42 AM

With the current config you are not testing if a user is a member of the "Router Admins" group. You are simply testing if the user exists in the Users container in AD.
If you want to test for group membership you need to use the extended query feature to check the memberOf attribute.
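An added example of what that lookup does (editor's illustration, not pfSense code and not from anyone in this thread). It is a small Python model of the pfSense LDAP user search: the login name is matched on the user attribute (sAMAccountName for AD) inside the configured Authentication container and, when an Extended Query such as memberOf=CN=Router Admins,CN=Users,DC=gamer,DC=local is set, the two are ANDed into one filter (that AND composition, and the field being entered without outer parentheses, are assumptions about pfSense's behaviour). The directory entries are constructed. It shows keyser's point that without the extended query any account in CN=Users is accepted, that with the memberOf query only group members are, and that a user living in another OU is invisible under CN=Users, which is the container-path problem from earlier in the thread.

```python
"""Model of a pfSense-style LDAP user lookup with an Extended Query.
Added illustration, not pfSense code.  Assumption: pfSense ANDs the
user-attribute match with the extended query and searches only the
configured Authentication container.  The directory below is constructed."""

import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]
Predicate = Callable[[Entry], bool]

ROUTER_ADMINS = "CN=Router Admins,CN=Users,DC=gamer,DC=local"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=gamer,DC=local"

# Constructed sample directory: an admin in CN=Users, an ordinary user in
# CN=Users, and an admin who lives in an OU outside the Users container.
DIRECTORY: List[Entry] = [
    {"dn": ["CN=pfsense,CN=Users,DC=gamer,DC=local"],
     "sAMAccountName": ["pfsense"], "memberOf": [ROUTER_ADMINS, DOMAIN_USERS]},
    {"dn": ["CN=bob,CN=Users,DC=gamer,DC=local"],
     "sAMAccountName": ["bob"], "memberOf": [DOMAIN_USERS]},
    {"dn": ["CN=alice,OU=Staff,DC=gamer,DC=local"],
     "sAMAccountName": ["alice"], "memberOf": [ROUTER_ADMINS, DOMAIN_USERS]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot inject filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str) -> Predicate:
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...) and attr=value."""
    text = text.strip()
    pred, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected trailing data at offset {end}")
    return pred


def _parse(s: str, i: int) -> Tuple[Predicate, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):
        i += 1
        subs: List[Predicate] = []
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        i += 1
        if op == "&":
            return (lambda e: all(p(e) for p in subs)), i
        if op == "|":
            return (lambda e: any(p(e) for p in subs)), i
        if len(subs) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (lambda e: not subs[0](e)), i
    close = s.find(")", i)
    if close < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:close].partition("=")   # first '=' splits attr/value, DN values keep theirs
    if not sep or not attr.strip():
        raise ValueError(f"bad filter item {s[i:close]!r}")
    attr_l = attr.strip().lower()
    wanted = _unescape(value.strip()).lower()        # AD compares these values case-insensitively
    return (lambda e: wanted in [v.lower() for v in e.get(attr_l, [])]), close + 1


def build_user_filter(login: str, extended_query: str = "",
                      user_attr: str = "sAMAccountName") -> str:
    """Compose the lookup filter (assumed AND of user match and extended query)."""
    base = f"({user_attr}={escape_filter_value(login)})"
    ext = extended_query.strip()
    if not ext:
        return base
    if not ext.startswith("("):
        ext = f"({ext})"        # the GUI field is assumed to be entered bare
    return f"(&{base}{ext})"


def search(directory: List[Entry], base_dn: str, filter_text: str,
           scope: str = "subtree") -> List[str]:
    """Return DNs under base_dn (one level or entire subtree) matching the filter."""
    pred = parse_filter(filter_text)
    suffix = "," + base_dn.lower()
    hits = []
    for entry in directory:
        dn = entry["dn"][0]
        if not dn.lower().endswith(suffix):
            continue                            # outside the authentication container
        if scope == "one" and "," in dn[:-len(suffix)]:
            continue                            # deeper than one level below the base
        if pred({k.lower(): v for k, v in entry.items()}):
            hits.append(dn)
    return hits


def lookup_user(login: str, container: str, extended_query: str = "",
                scope: str = "subtree") -> List[str]:
    """The lookup a pfSense-style server does before trying the user's own bind."""
    return search(DIRECTORY, container, build_user_filter(login, extended_query), scope)


if __name__ == "__main__":
    container = "CN=Users,DC=gamer,DC=local"
    group_query = f"memberOf={ROUTER_ADMINS}"
    print(lookup_user("bob", container))                      # found: no group check at all
    print(lookup_user("bob", container, group_query))         # rejected: not in Router Admins
    print(lookup_user("pfsense", container, group_query))     # found: member of the group
    print(lookup_user("alice", container, group_query))       # rejected: lives in OU=Staff
    print(lookup_user("alice", "DC=gamer,DC=local", group_query))  # found with the domain root as base
```

Run it directly to see the five lookups, or import it and call lookup_user. Two things carry over to a real setup: the login name is user-controlled, so it is escaped per RFC 4515 before being spliced into the filter; and the bind account only needs to read these attributes (keyser's point above), so the domain administrator used earlier in the thread to get connectivity working should be replaced with a dedicated read-only bind user, because the bind password is stored in the pfSense configuration.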
TyMac, last edited Jan 17, 2015, 3:14 AM

@keyser:

    With the current config you are not testing if a user is a member of the "Router Admins" group. You are simply testing if the user exists in the Users container in AD.
    If you want to test for group membership you need to use the extended query feature to check the memberOf attribute.

I'm still pretty new to LDAP notation. Can you tell me what my extended query string should look like?
TyMac, last edited Jan 17, 2015, 6:07 PM

Also, I still cannot actually log in with the AD admin user. Not sure what else I need to configure.
doktornotor, last edited Jan 17, 2015, 6:19 PM

@TyMac:

    Also, I still cannot actually log in with the AD admin user.

Cannot log in where? You know, this works just fine here for the WebGUI, with a RouterAdmins AD group and the same pfSense local group with proper permissions assigned. Worked in 2.1.x, still works with 2.2. Also working for OpenVPN + RADIUS/AD.

Post some logs/info, nothing to work with here!
TyMac, last edited Jan 19, 2015, 10:09 PM

@doktornotor:

    @TyMac:

        Also, I still cannot actually log in with the AD admin user.

    Cannot log in where? You know, this works just fine here for the WebGUI, with a RouterAdmins AD group and the same pfSense local group with proper permissions assigned. Worked in 2.1.x, still works with 2.2. Also working for OpenVPN + RADIUS/AD.

    Post some logs/info, nothing to work with here!

Can't log in to the pfSense web admin page with the admin AD user I created that works with the bind credentials parameter. What log do you want me to post?