LDAP Active Directory Authentication



  • Here's the thing…
    I fought for a good long while trying to find the combination for authenticating to Active Directory using LDAP and ultimately, I think I found the missing bit, but I couldn't find the best place to post a reply since I went through SO MANY different threads to get it figured out... and it's pretty simple...

    When setting up your authentication server, there are a few critical fields - most of which just about all of us found our way into and around without problem and it all makes sense to us.  What 'doesn't' make sense though is the field for "Extended Query".  It's an odd term - particularly for those of us who are 'Windows Guys'.  Further, there is an example printed directly under the field that is not just misleading, but downright inaccurate.

    The example reads like this:
    Example: CN=Groupname,OU=MyGroups,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com

    The reality, however, is that this example leaves out the most critical part.

    What it is looking for is not some 'longer form of the container' - it is a specific object - a group, not an OU - the members of which are qualified to authenticate to the service being offered.

    In my case, this looks something like this:
    memberOf=cn=VPNUsers,OU=Groups,OU=MyBusiness,DC=bogus,DC=local

    Notice the difference?  It's in the first segment.
    memberOf=cn=VPNUsers

    This is neither what is implied in the name, nor illustrated in the example, nor is it formatted the same as any of the other pieces of information in the path.

    What you are indicating with this piece of information is that the user is not just contained within a container, but that he/she is a member of the group identified by this query.
    The 'Group Name' - in my example "VPNUsers", is not an organizational unit or a container, but an AD Security Group.  The rest of the path shows where the security group is found, but the users do not need to reside there - they just need to be members of the group.

    In my case, the location of the users is listed in the Authentication Containers - and I am not sure that's even needed, because the group itself is outside of that path.

    Create a group, put your qualifying users into that group, and list the group in the Extended Query like this:
    memberOf=cn=Groupname,OU=LocationOfGroup,OU=LocationOfLocationOfGroup,DC=DNSDomain,DC=RootDomain

    Like this:
    memberOf=cn=MyGroup,OU=Groups,OU=MyBusiness,DC=flippityflop,DC=com

    Then let Calgon take you away…
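
Editor's note: the following is an added worked example, not code from the post above or from pfSense. It models, in plain Python with no directory connection, the two checks the post distinguishes: the Authentication Containers field (where the user object must live) and the Extended Query field (a filter fragment such as memberOf=cn=VPNUsers,... that the user object must satisfy). The three directory entries, the user names and the group DN are constructed for the example; the sAMAccountName attribute is assumed as the username attribute; and the filter composition (username match ANDed with the extended query) is the shape an LDAP backend typically sends, not a claim about pfSense's exact internals. It also escapes the login-supplied username per RFC 4515 before it goes into the filter, a step any such backend needs so a crafted username cannot alter the filter.

```python
"""Model of how an LDAP auth backend narrows who may log in.

Added example, not pfSense code. The directory below is constructed:
each entry mimics an AD user object with its DN and a multi-valued
memberOf attribute holding full group DNs. No bind is performed; the
password check that follows a successful search is out of scope.
"""

# Constructed entries. Note carol: she is a VPNUsers member but lives in
# a different OU from both the other users and the group itself.
DIRECTORY = [
    {
        "dn": "CN=alice,OU=Staff,OU=MyBusiness,DC=bogus,DC=local",
        "sAMAccountName": "alice",
        "memberOf": [
            "CN=VPNUsers,OU=Groups,OU=MyBusiness,DC=bogus,DC=local",
            "CN=Domain Users,CN=Users,DC=bogus,DC=local",
        ],
    },
    {
        "dn": "CN=bob,OU=Staff,OU=MyBusiness,DC=bogus,DC=local",
        "sAMAccountName": "bob",
        "memberOf": ["CN=Domain Users,CN=Users,DC=bogus,DC=local"],
    },
    {
        "dn": "CN=carol,OU=Contractors,DC=bogus,DC=local",
        "sAMAccountName": "carol",
        "memberOf": ["CN=VPNUsers,OU=Groups,OU=MyBusiness,DC=bogus,DC=local"],
    },
]

# RFC 4515 escaping for values placed inside a search filter. The username
# comes from the login form, so it must never be interpolated raw.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _norm_dn(dn):
    # AD compares DN components case-insensitively; drop spaces after commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _get_attr(entry, name):
    # LDAP attribute names are case-insensitive; always return a list.
    for key, val in entry.items():
        if key.lower() == name.lower():
            return val if isinstance(val, list) else [val]
    return []


def in_container(entry, container_dn):
    """Authentication Containers check: is the user object below this DN?"""
    return _norm_dn(entry["dn"]).endswith("," + _norm_dn(container_dn))


def build_filter(name_attr, username, extended_query=None):
    """Compose the search filter: username match ANDed with the operator's
    extended query. The extended query is admin-supplied config and is
    already a filter fragment, so only the username is escaped."""
    base = f"({name_attr}={escape_filter_value(username)})"
    return f"(&{base}({extended_query}))" if extended_query else base


def matches_extended_query(entry, extended_query):
    """Evaluate the attr=value shape the post describes. A multi-valued
    attribute (memberOf) matches if any of its values equals the DN."""
    attr, _, value = extended_query.partition("=")
    return any(_norm_dn(v) == _norm_dn(value) for v in _get_attr(entry, attr))


def may_authenticate(username, containers, extended_query=None):
    """True only if a user with this name exists under one of the
    containers and satisfies the extended query (if one is set)."""
    for entry in DIRECTORY:
        if entry["sAMAccountName"].lower() != username.lower():
            continue
        if not any(in_container(entry, c) for c in containers):
            return False
        if extended_query and not matches_extended_query(entry, extended_query):
            return False
        return True
    return False


if __name__ == "__main__":
    group = "memberOf=cn=VPNUsers,OU=Groups,OU=MyBusiness,DC=bogus,DC=local"
    print(build_filter("sAMAccountName", "alice", group))
    for user in ("alice", "bob", "carol"):
        print(user, may_authenticate(user, ["OU=MyBusiness,DC=bogus,DC=local"], group))
```

Running it shows the point of the post: alice passes (in the container and in the group), bob fails although he sits in the very same OU as alice (not in the group), and carol fails only because the container list is too narrow for where her object lives; widen the container to DC=bogus,DC=local and she passes, because membership, not location, is what the extended query tests. The escaping matters independently of that: without it a username such as `x)(sAMAccountName=*` would rewrite the filter.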



  • I wish I'd found your post first - I DID eventually find the same answer, but your explanation is clearer.  Thanks very much!



  • Great find! This should be pinned and probably added as example in the pfSense UI.

