Author Topic: LDAP groups (Read 7724 times)

iam · « **on:** July 26, 2018, 09:06:48 am »

Hi,

I want to use my LDAP groups on OPNsense to give rights on it. This was possible with pfSense. So it would be very nice if this feature could be reimplemented.

Cheers,
iam

Some links:
https://forum.opnsense.org/index.php?topic=4729.0
https://github.com/opnsense/core/issues/360

mimugmail · « **Reply #1 on:** July 27, 2018, 03:48:39 pm »

Do you want it for VPN or device authentication?

weust · « **Reply #2 on:** July 27, 2018, 06:12:56 pm »

Don't limit to just specific services, make it available to whatever service can do LDAP/AD authentication.
And of course users of the OPNsense box it self.

innate.ideas · « **Reply #3 on:** July 28, 2018, 08:09:48 am »

If this is being considered, please make it simple to not install the related LDAP/AD software. I personally would prefer OPNsense not become an easy target for lateral movement by bad guys. AD access to administrative access on OPNsense would open the network firewall and IPS to compromise once the bad guys have popped AD internally.

Jose · « **Reply #4 on:** July 29, 2018, 05:51:13 am »

I agree with post #3, perhaps as an outboard plugin as usual, so is up to the user to add risky and/or unrelated to firewall functionality, plus avoid bloatware.

iam · « **Reply #5 on:** July 30, 2018, 08:05:19 pm »

I also agree with post #3. And I don't think that the usage of LDAP groups makes the firewall insecure.

fabian · « **Reply #6 on:** July 30, 2018, 08:42:16 pm »

It isn't LDAP which is insecure. The problem are protocols allowing a pass the hash or relaying attacks such as https://en.wikipedia.org/wiki/SMBRelay

R · « **Reply #7 on:** August 07, 2018, 11:06:43 am »

Hi
When I was working with OPNsense, I had This Problems:
1. In some cases, the web service is out of service
2. In some cases, during the work, Suricata is out of service
3. Lack of functionality of group's selection button all of rules
4. When SSH is actived on the two interfaces, none of them are actived
5. Despite the rolls have been actived, Suricata calls only its default rolls.
6. When communicating with the LDAP server, it communicates with the certificate at one time when communicating with it, and then it encounters a communication error with the certificate. (opnsense: LDAP bind error (Can't contact LDAP server))

Please tell me your solution

Thanks

mimugmail · « **Reply #8 on:** August 07, 2018, 12:19:00 pm »

Quote from: R on August 07, 2018, 11:06:43 am

Hi
When I was working with OPNsense, I had This Problems:
1. In some cases, the web service is out of service
2. In some cases, during the work, Suricata is out of service
3. Lack of functionality of group's selection button all of rules
4. When SSH is actived on the two interfaces, none of them are actived
5. Despite the rolls have been actived, Suricata calls only its default rolls.
6. When communicating with the LDAP server, it communicates with the certificate at one time when communicating with it, and then it encounters a communication error with the certificate. (opnsense: LDAP bind error (Can't contact LDAP server))

Please tell me your solution

Thanks

Can you open an own thread .. and with some background please?
It's impossible for others to work on your problems with just oneliners.

Author Topic: LDAP groups (Read 7724 times)

iam

LDAP groups

mimugmail

Re: LDAP groups

weust

Re: LDAP groups

innate.ideas

Re: LDAP groups

Jose

Re: LDAP groups

iam

Re: LDAP groups

fabian

Re: LDAP groups

R

Re: LDAP groups

mimugmail

Re: LDAP groups