
Author Topic: LDAP Auth and FreeIPA 4.4.1  (Read 355 times)


Offline chock-a-block

LDAP Auth and FreeIPA 4.4.1
« on: July 14, 2017, 10:49:17 am »
I posted a less complete version of this in another sub-forum and thought it might be helpful here.

Just FYI, there is only one way to use FreeIPA on pfSense 2.3.4.  Maybe you can do it more simply, but this is what worked for me. Warning: if you aren't familiar with Kerberos and LDAP, this will not be easy.  I make plenty of assumptions and probably skip some things that might not be clear to others.

Before you configure the LDAP setup:
I set up a group using the FreeIPA web interface called fw_admins and added my account to that group.
Set up a local group with the *exact* same name in pfSense.

For ease of visualization, you can dump the LDAP schema:

ldapsearch -h my-freeipa-server:389 -x -b 'dc=my-domain,dc=com'  -s sub "(objectclass=*)" > ldap-dump.txt

You need to connect to FreeIPA's LDAP server over SSL using a FreeIPA-signed cert. That means setting up FreeIPA as a certificate authority on your pfSense firewall.  It also means generating a private key for the firewall and a certificate signing request.  You then submit the CSR to FreeIPA.

openssl req -out myFW-csr.csr -new -newkey rsa:2048 -nodes -keyout myFW-private.pem
kinit admin  ##remember, this is kerberos
ipa cert-request ./myFW-csr.csr --add

ipa cert-request will prompt you for a principal.  For example host/

You can then use the FreeIPA web GUI to copy/paste relevant information out of FreeIPA for the newly added host, myFW.  That includes adding the FreeIPA self-signed cert to your firewall.

Add a new authentication server.
You are going to connect to FreeIPA over SSL, so use the fully qualified hostname of the FreeIPA server in the "Hostname or IP address" box.

Search scope: Entire subtree
The base DN field needs to look something like this: dc=my-domain,dc=com
Authentication containers: cn=accounts

Check "enable extended query"

Query: memberOf=cn=fw_admins,cn=groups,cn=accounts,dc=mydomain,dc=com

DISABLE Anonymous Bind.  You must disable anonymous bind to get extended search to work.

Fill in bind credentials.  cn="Directory Manager" is sure to work in the first box. The second box is password. After you get things working, you should not be using Directory Manager to search.

User naming attribute: uid
Group naming attribute: cn
Group member attribute: memberUid
Group Object Class: posixGroup

Enable RFC 2307 Groups

Test the LDAP lookup under Diagnostics > Authentication.  If it works, it will return a list of groups to which you belong.  It's very important that the diagnostic page return a list of groups.  In this case, it returns at least fw_admins.

EDITED on 7/26 with working setup.  Prior post had a setup that only worked a little.
« Last Edit: July 26, 2017, 05:46:58 pm by chock-a-block »
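
An added example, not part of the original post and not pfSense or FreeIPA code: it models the two lookups the settings above ask the directory for, the extended-query user search and the RFC 2307 group search. It assumes the firewall ANDs the user naming attribute with the extended query; the directory entries, the users alice and bob, and the single base DN are constructed sample data.

```python
import re

# Constructed sample data (not a real FreeIPA dump); BASE is a placeholder.
BASE = "dc=my-domain,dc=com"
EXT_QUERY = f"memberOf=cn=fw_admins,cn=groups,cn=accounts,{BASE}"
DIRECTORY = [
    {"uid": ["alice"], "memberof": [f"cn=fw_admins,cn=groups,cn=accounts,{BASE}"]},
    {"uid": ["bob"], "memberof": [f"cn=ipausers,cn=groups,cn=accounts,{BASE}"]},
    {"objectclass": ["posixGroup"], "cn": ["fw_admins"], "memberuid": ["alice"]},
    {"objectclass": ["posixGroup"], "cn": ["ipausers"], "memberuid": ["alice", "bob"]},
]
TERM = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")  # one (attr=value) term

def escape_filter(value):
    """RFC 4515 escaping so a typed username cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(username):
    # Assumption: user naming attribute ANDed with the extended query.
    return f"(&(uid={escape_filter(username)})({EXT_QUERY}))"

def group_filter(username):
    # RFC 2307 style: the group entry lists members by uid in memberUid.
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter(username)}))"

def search(flt):
    """Toy matcher: every term must equal some value, case-insensitively."""
    terms = [(a.lower(), re.sub(r"\\([0-9a-f]{2})",
              lambda m: chr(int(m.group(1), 16)), v).lower())
             for a, v in TERM.findall(flt)]
    return [e for e in DIRECTORY
            if all(want in (v.lower() for v in e.get(a, [])) for a, want in terms)]

def login_allowed(username):
    # Exactly one user entry must satisfy name AND group membership.
    return len(search(user_filter(username))) == 1

def groups_for(username):
    # Group names come from cn, which must match the local group name.
    return sorted(e["cn"][0] for e in search(group_filter(username)))

if __name__ == "__main__":
    for name in ("alice", "bob", "*"):
        print(name, login_allowed(name), groups_for(name))
```

A user outside fw_admins can bind with a valid password and still fail the search, and a username containing filter metacharacters is matched literally instead of widening the query.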