OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: gdur on September 10, 2020, 03:10:26 PM

Title: Change user to other LDAP server
Post by: gdur on September 10, 2020, 03:10:26 PM
I want to use multiple LDAP servers. Creating a second LDAP server is no problem. I want to transfer a number of users to this second LDAP service, but I don't see the option in the User screen: the "User distinguished name" field cannot be changed, and the import function only shows the users in the first created LDAP server, where I would at least expect to be asked which LDAP server the import is desired from, just like on the tester page. On the tester page I can address the second LDAP server with the correct result.
Does anyone know if this is possible and/or if I am overlooking something?
Title: Re: Change user to other LDAP server
Post by: Fright on September 10, 2020, 03:35:01 PM
If I understand it right, not at this moment.
https://github.com/opnsense/core/blob/master/src/www/system_usermanager_import_ldap.php
The PHP takes the first LDAP server in the array and tries to take users from there.
Try to remove the first server from System > Settings > Administration > Auth Server and start a new import.
Title: Re: Change user to other LDAP server
Post by: gdur on September 10, 2020, 04:32:08 PM
Thanks for your answer and suggested workaround. This sadly won't work in my case, as I only need to move a few users to another LDAP server. I'm afraid that removing the first LDAP server will also break all existing user connections, like those currently being used in VPN.
Title: Re: Change user to other LDAP server
Post by: Fright on September 10, 2020, 05:23:17 PM
It should not. VPN has its own settings for authentication servers. But if you are afraid, you can change the order of the servers in the /conf/config.xml file (make a backup before) in the <system> -> <webgui> -> <authmode> section. PHP will catch the first server in the list of servers and let you import your users.
Title: [SOLVED] Re: Change user to other LDAP server
Post by: gdur on September 13, 2020, 12:20:56 PM
Thanks, I'll try that...
Title: Re: Change user to other LDAP server
Post by: gdur on September 13, 2020, 04:37:44 PM
Sadly, that does not work. The order in the tester pull-down as well as the 'Backend for authentication' pull-down does reflect the change when changing the order in /conf/config.xml. But this change is not reflected in the 'import' function under System: Access: Users. Here the prior first-listed server still shows up, so it hasn't changed with changing the order in config.xml, and my added second LDAP server is still unavailable for import.
Title: Re: Change user to other LDAP server
Post by: Fright on September 13, 2020, 04:45:42 PM
It's strange. I have tested this before posting...
I will try again.
Title: Re: Change user to other LDAP server
Post by: Fright on September 13, 2020, 05:02:45 PM
Checked again. Working!
Are you sure you changed the order in the <webgui> section and not in the <openvpn><openvpn-server> section of config.xml?
Title: Re: Change user to other LDAP server
Post by: gdur on September 13, 2020, 06:39:08 PM
Yes, I did change the order in the <webgui> section, but the behavior is as I've stated before. I even rebooted the machine to be sure, although it seems to me that the script is executed directly. Thanks for your efforts anyway...
Title: Re: Change user to other LDAP server
Post by: Fright on September 13, 2020, 07:08:48 PM
I don't know what to say or offer.
You say:
Quote: "the 'Backend for authentication' pull-down does reflect the change when changing the order"
But the OpenVPN server PHP page does not read the <webgui> part of the config;
for the server list it reads the <authserver> parts:
https://github.com/opnsense/core/blob/master/src/www/vpn_openvpn_server.php
https://github.com/opnsense/core/blob/master/src/etc/inc/auth.inc
And changing the order of servers in <webgui> should not affect the order of display in the OpenVPN server config page,
so I'm confused.
Title: [SOLVED] Re: Change user to other LDAP server
Post by: gdur on September 14, 2020, 11:03:52 AM
What I had missed is the Authentication section under <Settings> -> <Administration>. Now I've added the second LDAP server here as well, and now I'm able to swap between the two by swapping the order of the LDAP servers in config.xml. Moreover, I also found that changing the <user_dn> under <users> of those I wanted to move to the second LDAP server to the appropriate user_dn works. Checking the OpenVPN log confirms that these are now authenticated against the second LDAP server. So there was no need to delete the first LDAP server, and everything works now as planned. Hopefully that solves your confusion.
Of course it would be nicer to first have a selection window of which LDAP server to consult, whenever multiple LDAP servers are defined, prior to the <system_usermanager_import_ldap.php> window, instead of having to edit the config.xml file manually.
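The procedure that emerged in this thread (put the wanted server first in <system><webgui><authmode>, then point the <user_dn> of the users being moved at the second server) as an added Python example. This is not OPNsense's code and not code from anyone in this thread. It assumes that <authmode> holds a comma-separated list of authentication server names (the import page takes the first one) and that each user element carries a <user_dn>; the sample config, server names and DNs are constructed. It refuses to reorder a server that is not enabled in the Administration list, which is the step that was missing earlier in the thread, and backs up the file before editing it, as advised above.

```python
"""Reorder web GUI auth servers and re-point users in an OPNsense-style config.xml.

Added example, not OPNsense's own code. Assumed layout: <system><webgui><authmode>
is a comma-separated list of auth server names and each <system><user> has a
<user_dn>. SAMPLE_CONFIG is a constructed document with only those elements.
"""
import shutil
import xml.etree.ElementTree as ET

# Constructed sample; a real config.xml carries far more than this.
SAMPLE_CONFIG = """<opnsense>
  <system>
    <webgui>
      <authmode>ldap-primary,ldap-secondary,Local Database</authmode>
    </webgui>
    <authserver><name>ldap-primary</name><type>ldap</type></authserver>
    <authserver><name>ldap-secondary</name><type>ldap</type></authserver>
    <user><name>alice</name>
      <user_dn>cn=alice,ou=people,dc=primary,dc=example</user_dn></user>
    <user><name>bob</name>
      <user_dn>cn=bob,ou=people,dc=primary,dc=example</user_dn></user>
  </system>
</opnsense>
"""


def auth_order(root):
    """Auth server names in the order the web GUI (and the import page) sees them."""
    node = root.find("./system/webgui/authmode")
    if node is None or not node.text:
        return []
    return [s.strip() for s in node.text.split(",") if s.strip()]


def move_server_first(root, name):
    """Make `name` the first <authmode> entry.

    Raises ValueError when the server is not enabled there: a server that only
    exists under <authserver> but is absent from Administration > Authentication
    is never offered to the import page, however config.xml is ordered.
    """
    order = auth_order(root)
    if name not in order:
        raise ValueError(f"{name!r} is not enabled in <webgui><authmode>: {order}")
    order.remove(name)
    order.insert(0, name)
    root.find("./system/webgui/authmode").text = ",".join(order)
    return order


def first_rdn(dn):
    """Leading RDN of a DN, honouring backslash-escaped commas (cn=Smith\\, John)."""
    out, escaped = [], False
    for ch in dn:
        if not escaped and ch == ",":
            break
        out.append(ch)
        escaped = (ch == "\\") and not escaped
    return "".join(out)


def rebase_user_dn(root, usernames, new_base):
    """Keep each selected user's leading RDN, append `new_base`; return {user: new_dn}."""
    changed, wanted = {}, set(usernames)
    for user in root.findall("./system/user"):
        name = user.findtext("name")
        dn_node = user.find("user_dn")
        if name in wanted and dn_node is not None and dn_node.text:
            dn_node.text = f"{first_rdn(dn_node.text.strip())},{new_base}"
            changed[name] = dn_node.text
    return changed


def retarget(config_text, server, usernames, new_base):
    """Apply both edits to an XML string; returns (new order, changed DNs, new XML)."""
    root = ET.fromstring(config_text)
    order = move_server_first(root, server)
    changed = rebase_user_dn(root, usernames, new_base)
    return order, changed, ET.tostring(root, encoding="unicode")


def edit_file(path, server, usernames, new_base):
    """Edit a real config.xml in place, keeping a .bak copy first as the thread advises."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        order, changed, out = retarget(fh.read(), server, usernames, new_base)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(out)
    return order, changed


if __name__ == "__main__":
    order, changed, _ = retarget(SAMPLE_CONFIG, "ldap-secondary", ["bob"],
                                 "ou=people,dc=secondary,dc=example")
    print("authmode order:", order)
    print("re-pointed users:", changed)
```

Run it without arguments to see the effect on the constructed sample; `edit_file("/conf/config.xml", ...)` applies the same edits to a live file after copying it to `config.xml.bak`. Only the base part of the DN is rewritten, so the user's own RDN survives, and the check in `move_server_first` surfaces the "defined but not enabled" mistake before any file is touched.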
Title: Re: Change user to other LDAP server
Post by: Fright on September 14, 2020, 11:07:26 AM
Quote: "What I had missed is the Authentication section under <Settings> -> <Administration>... Hopefully that solves your confusion."
Yes ;D
Thanks.
Title: Re: Change user to other LDAP server
Post by: anicoletti on December 21, 2020, 02:48:01 PM
Anyone know if there are plans on resolving the import issue? We use multiple LDAP servers for authentication across different Active Directory domains and need the ability to import without jumping through hoops.
Title: Re: Change user to other LDAP server
Post by: Fright on December 21, 2020, 09:55:19 PM
IMHO, you need to create an FR for this (I think it would be a useful feature).
I hastily tried small changes (see attachments). Seems to work.