Good morning,
I have a problem with LDAP.
I configured an LDAP server (Microsoft AD) on OPNsense and imported the users.
The problem is that when I add a new user on the LDAP server, I don't find it in the list of users that can be imported from OPNsense. A sync is missing!!!
Is there a method or command to run to force synchronization?
Thank you all for your help.
Nicholas
Me too :/ I have no idea why.
I also need to periodically click the import button, so OpenVPN users can connect.
Would be nice to be able to automatically sync users.
Any CLI command, perhaps?
Wait ... LDAP authentication does not authenticate live and dynamically?
AFAIK, as I took my config, no.
Set up with 'Automatic user creation' and 'synchronize groups', but this seems only to work when trying to auth directly on the firewall, not when trying to connect via OpenVPN with LDAP support.
Perhaps I am wrong (I would love to be)?
Okay, I actually retried my whole config.
Automagic user creation from LDAP when connecting to OpenVPN works, unless you set "Enforce local group" in OpenVPN config like I did.
So this is basically a security issue, since if I remove an LDAP user from a group, let's call it "VPN GROUP", on the LDAP server, the user can still connect, since the user already exists on OPNsense.
I have set up an extended query like `&(memberOf:1.2.840.113556.1.4.1941:=CN=VPN GROUP,DC=domain,DC=local)(objectCategory=person)`, but users can still connect to OpenVPN once I've removed them from the LDAP "VPN GROUP".
[EDIT] After removing the recursive LDAP attribute for memberOf, adding / removing users from VPN GROUP limits their ability to VPN connect like it should. [/EDIT]
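As an added illustration (not from the thread or from OPNsense itself) of the stale-user situation described above, the following Python models an AD group with one nested group, the local accounts left behind by 'Automatic user creation', and the transitive membership that the `memberOf:1.2.840.113556.1.4.1941:=` matching rule evaluates. All directory data is constructed; the group DN is the one from the post, the user DNs are assumptions.

```python
# Constructed AD data: group DN -> member DNs (user DNs or nested group DNs).
AD_GROUPS = {
    "CN=VPN GROUP,DC=domain,DC=local": [
        "CN=alice,CN=Users,DC=domain,DC=local",
        "CN=VPN Contractors,DC=domain,DC=local",  # nested group
    ],
    "CN=VPN Contractors,DC=domain,DC=local": [
        "CN=bob,CN=Users,DC=domain,DC=local",
    ],
}

# Constructed OPNsense local user database as left behind by 'Automatic
# user creation': login name -> DN. carol was removed from the AD group
# after she was imported, so her local account is now stale.
LOCAL_USERS = {
    "alice": "CN=alice,CN=Users,DC=domain,DC=local",
    "bob": "CN=bob,CN=Users,DC=domain,DC=local",
    "carol": "CN=carol,CN=Users,DC=domain,DC=local",
}


def expand_members(group_dn, groups, seen=None):
    """Transitive (nested) membership of group_dn, i.e. the set that AD's
    memberOf:1.2.840.113556.1.4.1941:= matching rule tests against.
    `seen` guards against group cycles."""
    seen = set() if seen is None else seen
    members = set()
    for dn in groups.get(group_dn, []):
        if dn in groups:  # nested group: recurse once
            if dn not in seen:
                seen.add(dn)
                members |= expand_members(dn, groups, seen)
        else:
            members.add(dn)
    return members


def stale_local_users(local_users, group_dn, groups, recursive=True):
    """Local accounts whose DN is no longer in the VPN group. With
    'Enforce local group' these users still pass the local group check
    until the user list is re-imported."""
    if recursive:
        allowed = expand_members(group_dn, groups)
    else:  # plain memberOf= filter: direct members only, nested groups ignored
        allowed = {dn for dn in groups.get(group_dn, []) if dn not in groups}
    return sorted(u for u, dn in local_users.items() if dn not in allowed)
```

Running `stale_local_users(LOCAL_USERS, "CN=VPN GROUP,DC=domain,DC=local", AD_GROUPS)` reports `carol`; with `recursive=False` it also reports `bob`, who is only a member through the nested group.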
Quote from: deajan on February 22, 2024, 06:37:08 PM
Okay, I actually retried my whole config.
Automagic user creation from LDAP when connecting to OpenVPN works, unless you set "Enforce local group" in OpenVPN config like I did.
So this is basically a security issue, since if I remove an LDAP user from a group, let's call it "VPN GROUP", on the LDAP server, the user can still connect, since the user already exists on OPNsense.
I have set up an extended query like `&(memberOf:1.2.840.113556.1.4.1941:=CN=VPN GROUP,DC=domain,DC=local)(objectCategory=person)`, but users can still connect to OpenVPN once I've removed them from the LDAP "VPN GROUP".
[EDIT] After removing the recursive LDAP attribute for memberOf, adding / removing users from VPN GROUP limits their ability to VPN connect like it should. [/EDIT]
How do you authorize the creation of a user on OpenVPN?
Do you have a password for the account? And the .ovpn configuration itself must be from that user.