OPNsense Forum » Archive » 16.7 Legacy Series
Author Topic: Active Directory Problem  (Read 7402 times)

Pimmal (Newbie)
Active Directory Problem
« on: September 02, 2016, 03:47:55 pm »
Active Directory Authentication is working but is not receiving any groups.

What's wrong here?

Quote
User: Pimmal authenticated successfully.
This user is a member of these groups:

ccesario (Jr. Member)
Re: Active Directory Problem
« Reply #1 on: September 02, 2016, 04:44:01 pm »
Hi Pimmal, if possible, comment on this issue that was opened, with your details.

https://github.com/opnsense/core/issues/1169

I'm getting the same problem.


Best regards

-Carlos

Triskkele (Newbie)
Re: Active Directory Problem
« Reply #2 on: September 04, 2016, 11:59:39 pm »
I have the same problem too, with LDAP and RADIUS authentication (Active Directory).

I have added the AD group in OPNsense with all permissions and specified a Class containing the group name in the remote access policy of the RADIUS server.

The test is successful, but with no group membership.

On the login page:
With LDAP authentication, there is no access.
With RADIUS authentication, the login is successful, but since the AD group is not recognized (although it is well configured), there is no access to any pages.

AdSchellevis (Administrator, Hero Member)
Re: Active Directory Problem
« Reply #3 on: September 05, 2016, 09:35:33 am »
Group membership is managed per user in OPNsense (as mentioned in the issue on GitHub).

We will supply some additional documentation later about this subject, but if the user doesn't exist in the firewall it can't have access rights. It's a design choice we made earlier, to avoid cluttering the ACL system with all sorts of calls to the outside world.
This behaviour won't change; we may at some point add some scripts to help automate the LDAP import process on a regular basis.

The steps are simple:
- for RADIUS, add users manually (RADIUS doesn't support a "list users" call to help with importing the users)
- for LDAP, import users from the server when primary UI authentication is set to LDAP, which imports the user's distinguished name with it.

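The behaviour AdSchellevis describes, as an added Python model that is not OPNsense code: remote LDAP/RADIUS authentication only establishes identity, while groups (and therefore page access) come from the firewall's local user table, so a remotely authenticated user with no local account gets an empty group list, and the LDAP import step is what creates the missing local users. All user names, groups, DNs and privilege pages below are constructed for the example.

```python
# Added example (not OPNsense code): a model of the split between remote
# authentication and local authorization described in the reply above.
from dataclasses import dataclass, field

@dataclass
class LocalUser:
    name: str
    groups: list = field(default_factory=list)  # groups assigned in the firewall
    dn: str = ""                                # DN stored by the LDAP import

# Constructed local user table; only these users can carry group membership.
LOCAL_USERS = {
    "alice": LocalUser("alice", ["admins"], "CN=alice,OU=Staff,DC=example,DC=test"),
    "root":  LocalUser("root",  ["admins"]),
}

# Constructed group -> privilege mapping (stand-in for OPNsense ACL pages).
GROUP_PRIVILEGES = {"admins": {"page-all"}, "readonly": {"page-dashboard"}}

def authorize(username: str, remote_authenticated: bool) -> tuple:
    """Return (logged_in, groups, privileges) for a login attempt.

    remote_authenticated is the verdict of the LDAP/RADIUS server. A user it
    accepts but who has no local account logs in with an empty group list
    and no privileges, which is the symptom reported in this thread."""
    if not remote_authenticated:
        return False, [], set()
    local = LOCAL_USERS.get(username)
    if local is None:  # known to AD, unknown to the firewall
        return True, [], set()
    privileges = set().union(*(GROUP_PRIVILEGES.get(g, set()) for g in local.groups))
    return True, list(local.groups), privileges

def users_to_import(ldap_entries: dict) -> dict:
    """Given {username: dn} listed from LDAP, return the accounts that still
    have no local user, i.e. what the LDAP import step would create."""
    return {u: dn for u, dn in ldap_entries.items() if u not in LOCAL_USERS}

if __name__ == "__main__":
    # Mirrors the original poster's test: authenticated, but member of no groups.
    print(authorize("Pimmal", True))
    print(users_to_import({"alice": LOCAL_USERS["alice"].dn,
                           "Pimmal": "CN=Pimmal,OU=Staff,DC=example,DC=test"}))
```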
