
Author Topic: LDAP parameters for OpenVPN on pfSense 2.0  (Read 5024 times)


Offline CraigZA

LDAP parameters for OpenVPN on pfSense 2.0
« on: July 12, 2011, 03:33:40 pm »
Hey all, trying to set up LDAP authentication for OpenVPN against my SME Server LDAP, but I'm getting stuck on some of the parameters. Can anyone assist?

Hostname or IP address = x.x.x.x (my SME server IP goes here)
Port value = 389
Transport = TCP-Standard
Protocol version = 3
Level: One level

Base DN = ??  (forums suggest dc=company;dc=com)
Authentication containers = ?? (again, forums suggest ou=Users;dc=company;dc=com)

Bind credentials = Use anonymous ticked
Initial template = OpenLDAP

User naming attribute = ?? (default is cn)
Group naming attribute = ?? (default again is cn)
Group member attribute = ?? (default is member)

Putting in dc=company;dc=com and hitting select gives me this --> http://imageshack.us/photo/my-images/200/pfsenseldap.jpg/
but Diagnostics:Authentication fails.

I've got a contrib installed that lets me see my LDAP schema which results in this pic --> http://imageshack.us/photo/my-images/121/phpldapinfo.jpg/

Any advice/help appreciated!

Craig.

Offline probie

Re: LDAP parameters for OpenVPN on pfSense 2.0
« Reply #1 on: July 30, 2011, 12:52:58 am »
Can any members that have this working assist on this?

Thank you in advance.

Offline jaredadams

Re: LDAP parameters for OpenVPN on pfSense 2.0
« Reply #2 on: August 01, 2011, 01:22:10 pm »
I'm also interested. This is my next project.

Offline alcina

Re: LDAP parameters for OpenVPN on pfSense 2.0
« Reply #3 on: November 11, 2011, 10:41:26 am »
Hi,

I have OpenVPN authenticating against my OpenLDAP server.  It's not happening as I would like it to, but this may get you started:

From your jpegs the distinguishedName of your users is in the format: uid=name,ou=Users,dc=hn,dc=local

So...your BaseDN should be: ou=Users,dc=hn,dc=local
Level: One Level
Set your Authentication Container to the same: ou=Users,dc=hn,dc=local
User naming attribute should be: uid (as that is what you use!)
Group naming attribute and Group member attribute make little difference at this point.

This will allow ANYONE in your ou=Users tree to log in.  Which may, or more likely, may not, be what you want.  And this is the problem I'm having.

I have a user with the DN of: uid=fred,ou=people,dc=example,dc=com
Setting the VPN up as above, he can connect successfully and the logs say:
openvpn: : Now Searching for fred in directory.
openvpn: : Now Searching in server MyLDAP, container ou=people,dc=example,dc=com with filter (uid=fred).
Logged in successfully as fred via LDAP server MyLDAP with DN = uid=fred,ou=people,dc=example,dc=com.
openvpn: user fred authenticated

I'm guessing that, like me, you want only users in your cn=pmb_vpn group to have access.  From your images I can't see if your vpn group is static or dynamic.  That said, I can't get either to work.  I think that dynamic groups are a no-no on account of how they are searched, but I have a static group and it still doesn't work.  The static group (cn=vpn,ou=groups,dc=example,dc=com) has the following members who may use the VPN:
member: uid=fred,ou=people,dc=example,dc=com
member: uid=joe,ou=people,dc=example,dc=com
etc.

I set my Authentication Container to: cn=vpn,ou=groups,dc=example,dc=com
User naming attribute remains: uid
Group naming attribute: cn
Group member attribute: member

And I try the VPN with the user fred...but I get the following log:

openvpn: : Now Searching for fred in directory.
openvpn: : Now Searching in server MyLDAP, container cn=vpn,ou=groups,dc=example,dc=com with filter (uid=fred).
openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
openvpn: user fred could not authenticate.

And the VPN doesn't authenticate :(

Ideally I need it to filter the ou=people branch with: "(&(uid=fred)(vpnUser=true))" as I have a bespoke attribute vpnUser which is either true or false for each user (that is how the dynamic vpn group was created).
« Last Edit: November 11, 2011, 11:15:43 am by alcina »
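A constructed replay of the two searches in alcina's log lines, as an added example (not pfSense's code): it shows why the filter (uid=fred) run one level under the group DN returns nothing, and what a membership check against the static cn=vpn group or the vpnUser attribute has to do instead. The directory entries are constructed from the DNs and attribute names in the post.

```python
# Added example, not pfSense code: a small constructed in-memory directory
# that mimics the DNs from the post, used to replay the two searches in the
# log lines and to show what an "only group members" check needs.
# Attribute/DN names (uid, member, vpnUser, cn=vpn,...) are from the post.

DIRECTORY = {  # constructed entries: DN -> attributes (values as lists)
    "uid=fred,ou=people,dc=example,dc=com": {"uid": ["fred"], "vpnUser": ["true"]},
    "uid=joe,ou=people,dc=example,dc=com": {"uid": ["joe"], "vpnUser": ["true"]},
    "uid=ann,ou=people,dc=example,dc=com": {"uid": ["ann"], "vpnUser": ["false"]},
    "cn=vpn,ou=groups,dc=example,dc=com": {
        "cn": ["vpn"],
        "member": ["uid=fred,ou=people,dc=example,dc=com",
                   "uid=joe,ou=people,dc=example,dc=com"],
    },
}

def one_level(container):
    """DNs exactly one level below container (the 'One Level' scope)."""
    suffix = "," + container.lower()
    return [dn for dn in DIRECTORY
            if dn.lower().endswith(suffix) and "," not in dn[:-len(suffix)]]

def search(container, attr, value):
    """Emulate: search <container>, scope one level, filter (<attr>=<value>)."""
    return [dn for dn in one_level(container)
            if value in DIRECTORY[dn].get(attr, [])]

def lookup_user(container, username):
    """The login lookup from the log: exactly one hit, otherwise fail."""
    hits = search(container, "uid", username)
    # Zero hits is what happens when the container is the group DN: group
    # entries carry no uid, so (uid=fred) under cn=vpn,ou=groups matches nothing.
    return hits[0] if len(hits) == 1 else None

def in_static_group(user_dn, group_dn, member_attr="member"):
    """Static group: the user's DN must be listed in the group's member attribute."""
    members = DIRECTORY.get(group_dn, {}).get(member_attr, [])
    return user_dn.lower() in (m.lower() for m in members)

def vpn_allowed(username, group_dn="cn=vpn,ou=groups,dc=example,dc=com"):
    """Two-step check: find the user under ou=people, then require group membership."""
    user_dn = lookup_user("ou=people,dc=example,dc=com", username)
    return user_dn is not None and in_static_group(user_dn, group_dn)

def vpn_allowed_by_flag(username, flag_attr="vpnUser"):
    """Equivalent of the filter (&(uid=<user>)(vpnUser=true)) asked for in the post."""
    user_dn = lookup_user("ou=people,dc=example,dc=com", username)
    return user_dn is not None and "true" in DIRECTORY[user_dn].get(flag_attr, [])
```

The key point for the logs above: a user lookup must run where user entries live (ou=people), and group restriction is a second check on the found DN, not a change of search container.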

Offline jader

Re: LDAP parameters for OpenVPN on pfSense 2.0
« Reply #4 on: July 01, 2012, 06:34:15 pm »
Any news about pfSense 2 authenticating against SME8 LDAP?

I'd like to have it running SquidProxy/DansGuard authenticated!

Offline denis31

Re: LDAP parameters for OpenVPN on pfSense 2.0
« Reply #5 on: November 30, 2012, 09:27:44 am »
Any news about pfSense 2 authenticating against SME8 LDAP?

I'd like to have it running SquidProxy/DansGuard authenticated!

Hi,

I am interested too... (pfSense v2.0.1)

But can't get it working so far...
But keep trying...

Regards,
« Last Edit: November 30, 2012, 09:29:22 am by denis31 »