Hello,
I just updated one of my firewalls to 25.1 and saw that there have been changes in the way users are created via LDAP. The auto-creation feature together with group sync works if the user logs in to the firewall. But what if I don't want the user to be able to use the web interface but only OpenVPN? How do I import the user and add an OTP seed before he connects to OpenVPN for the first time?
Another change: I do not see the user DN from LDAP in the user details. How can I check whether a user is a local or an LDAP account?
Regards,
Andreas
Did you solve this? We currently aim to migrate from pfSense Plus and miss these features. Show stopper.
Same here. Any solutions?
Same here.... In my opinion a very bad design decision...
I see some blanket statements and support questions and (very) few details. If anyone feels the need to elaborate that would be appreciated.
Cheers,
Franco
As far as I understand, with the old implementation administrators would synchronise the LDAP users, then assign certificates, then perform e.g. an OpenVPN client export, all without any action required on the part of the user, and without the admin needing to know the user's password.
The users are then handed their individual configurations by the admin without ever interacting with OPNsense or logging on to the portal.
I fully see that this would be the preferred workflow in most organisations. It's what we do, too, only we use the same certificate for all clients so I have a single configuration file with embedded certs for everyone.
Quote from: Patrick M. Hausen on April 15, 2025, 08:58:54 AM
> As far as I understand, with the old implementation administrators would synchronise the LDAP users, then assign certificates, then perform e.g. an OpenVPN client export, all without any action required on the part of the user, and without the admin needing to know the user's password.
> The users are then handed their individual configurations by the admin without ever interacting with OPNsense or logging on to the portal.
> I fully see that this would be the preferred workflow in most organisations. It's what we do, too, only we use the same certificate for all clients so I have a single configuration file with embedded certs for everyone.
Exactly....
So, which part is missing? Let's talk real world here... the fancy LDAP browser?
Quote from: franco on April 15, 2025, 12:07:09 PM
> So, which part is missing? Let's talk real world here... the fancy LDAP browser?
Yes, the "little" cloud icon to get the list of users from LDAP where you can "select" multiple of them for import into OPNsense.
Bulk import is supported via CSV now. The bigger question is why you trust the old importer, but not the system to resolve the query correctly?
Cheers,
Franco
Mh... maybe we currently do not really understand how the new workflow has to be done?
In the past, when creating a user just for OpenVPN usage, it was as simple as adding the user with the icon from the list.
Now you have to create a CSV file first and then import it. Consider that an export from the Active Directory MMC to CSV is not usable as is; you need to prepare that file so it gets accepted by the CSV import in OPNsense... The old way was, in my opinion, far more straightforward. You could teach that even to a trainee or a non-full-time admin....
And in the old version you could add/import the user, create the cert and export the config file for OpenVPN... In the new way, do you need to create or import that user, or have the user log on to OPNsense?
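The CSV preparation step the post above complains about is mechanical, so here it is as an added example (not code from OPNsense or from anyone in this thread). It takes a constructed sample of an Active Directory MMC "Export List" result, keeps only enabled accounts that are members of the VPN group, and emits rows keyed on the sAMAccountName with the scrambled-password flag set so the local entry cannot be used for password login on the firewall itself. The AD column names and the target header row (`username, fullname, email, comment, scrambled_password`) are assumptions for illustration: export one user from your own firewall first and copy its real header before using anything like this.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"os"
	"strings"
)

// Constructed sample of an Active Directory MMC "Export List" result. Real
// exports carry whatever columns the view showed; these header names are an
// assumption for this example.
const adExport = `Name,sAMAccountName,E-Mail Address,Member Of,Disabled
Jane Doe,jdoe,jane.doe@example.test,"CN=vpn-users,OU=Groups,DC=example,DC=test;CN=staff,OU=Groups,DC=example,DC=test",False
John Smith,jsmith,john.smith@example.test,"CN=staff,OU=Groups,DC=example,DC=test",False
Svc Backup,svc-backup,,"CN=vpn-users,OU=Groups,DC=example,DC=test",True
`

// Assumed target column set (placeholder, not the documented import format):
// export a user from your own firewall and copy its header row instead.
var importHeader = []string{"username", "fullname", "email", "comment", "scrambled_password"}

// ConvertADExport turns the AD export into import rows, header first.
// Only enabled accounts that are members of requiredGroup are emitted, and
// every row asks for a scrambled local password so the local entry can never
// be used to log in with a password; authentication stays with LDAP.
func ConvertADExport(in, requiredGroup string) ([][]string, error) {
	records, err := csv.NewReader(strings.NewReader(in)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(records) < 1 {
		return nil, fmt.Errorf("empty export")
	}
	col := map[string]int{}
	for i, name := range records[0] {
		col[name] = i
	}
	for _, need := range []string{"Name", "sAMAccountName", "E-Mail Address", "Member Of", "Disabled"} {
		if _, ok := col[need]; !ok {
			return nil, fmt.Errorf("export lacks column %q", need)
		}
	}
	out := [][]string{importHeader}
	for _, rec := range records[1:] {
		if strings.EqualFold(rec[col["Disabled"]], "True") {
			continue // disabled in AD: do not create a firewall entry
		}
		member := false
		for _, g := range strings.Split(rec[col["Member Of"]], ";") {
			if strings.EqualFold(strings.TrimSpace(g), requiredGroup) {
				member = true
				break
			}
		}
		if !member {
			continue
		}
		// The username must be the name the user types at the OpenVPN
		// prompt (the sAMAccountName), otherwise the cert CN will not match.
		user := strings.TrimSpace(rec[col["sAMAccountName"]])
		if user == "" {
			continue
		}
		out = append(out, []string{user, rec[col["Name"]], rec[col["E-Mail Address"]], "imported from AD export", "1"})
	}
	return out, nil
}

func main() {
	rows, err := ConvertADExport(adExport, "CN=vpn-users,OU=Groups,DC=example,DC=test")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	w := csv.NewWriter(os.Stdout)
	w.WriteAll(rows) // header plus the single jdoe row
}
```

Filtering on the group DN rather than on a name list is deliberate: it reproduces the "everything is controlled via LDAP groups" model, so a re-run of the export produces the same result without anyone typing usernames.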
On an unrelated note to the issue in this thread, we have added a new user portal to the business edition.
https://docs.opnsense.org/vendor/deciso/userportal.html
When the administrator sets this portal up there are quite some benefits:
- When the user logs into the portal, it will be auto created and assigned the correct group memberships (e.g. when set up with LDAP backends instead of the local authentication backends as described in the docs)
- They can create and save their own OTP token
- They can download their OpenVPN profile which will auto create their user certificate
This means the administrator only has to set this up and write a short document for users during onboarding on how they can get their OpenVPN profile; everything else is controlled via LDAP groups.
Though this means the user must interact with the user portal.
But the administrator does not need to interact with the firewall anymore at all, only with the LDAP server groups when they create a new user.
> Mh... maybe we curtenly do not really understand how the new workflow has to be done?
Add a new user with the username being the server's CN and that's it. The workflow remains the same.
Cheers,
Franco
Quote from: franco on April 15, 2025, 01:49:48 PM
> > Mh... maybe we currently do not really understand how the new workflow has to be done?
> Add a new user with the username being the server's CN and that's it. The workflow remains the same.
And that is where it simply does not work in 25.4... the user never gets updated from LDAP.....
Well, to give a sense of reference I can easily point you to an ongoing discussion here: https://github.com/opnsense/core/issues/8541
Cheers,
Franco
Quote from: franco on April 15, 2025, 01:31:37 PM
> Bulk import is supported via CSV now. The bigger question is why you trust the old importer, but not the system to resolve the query correctly?
One needs to have the user available in OPNsense before one can create the OpenVPN configuration file for that particular user. In most company contexts users simply will not log in to a portal or do *anything*. The laptops are set up by the administrator.
- click here for VPN
- click here for Excel
- click here for Outlook
- ...
How to completely configure OpenVPN ready to go for, say, 50 users, done by an admin without any action done by the user? They expect to double click "the VPN", enter their domain password, that's it.
The fact is the importer as it was in 24.7/24.10 didn't help with setting up VPNs or OTPs or other things at all. It was just an LDAP browser with the ability to select a user without typing.
Quote from: franco on April 15, 2025, 02:14:50 PM
> The fact is the importer as it was in 24.7/24.10 didn't help with setting up VPNs or OTPs or other things at all. It was just an LDAP browser with the ability to select a user without typing.
Which helped a lot when you have 55k users and get a list of new VPN users to create.... ;-)
Yes, so we are going round in circles; are we talking about the heisenuser which is thousands of users at the same time or not... CSV probably saves you a lot of time unless somebody printed those names on paper. You have enough room for human error in any approach to the paper list then. ;)
Cheers,
Franco
Quote from: franco on April 15, 2025, 02:46:57 PM
> Yes, so we are going round in circles; are we talking about the heisenuser which is thousands of users at the same time or not... CSV probably saves you a lot of time unless somebody printed those names on paper. You have enough room for human error in any approach to the paper list then. ;)
Maybe I am not capable of explaining this in my non-native language... maybe someone else wants to jump in and try to explain why this little window was helping a lot and is missed now.... I am out here, because I am unable to explain this any further and will accept that this is not coming back....
Yes, basically I'm trying to understand what essence of this feature was important so as to try and put something similarly helpful back in the existing structure -- just not what was there.
Cheers,
Franco
Quote from: franco on April 15, 2025, 09:46:29 PM
> Yes, basically I'm trying to understand what essence of this feature was important so as to try and put something similarly helpful back in the existing structure -- just not what was there.
More or less a window in which you can select the users from the LDAP list so that you don't have to "type" them...
But do you really need the window to manually select the users?
Why do they have to be manually selected, did you do a choice here who to import and who to skip?
Would it be the same to just synchronize all users automatically that match the query of the configured LDAP server(s) without an additional window opening up?
Quote from: Monviech (Cedrik) on April 16, 2025, 07:28:01 AM
> But do you really need the window to manually select the users?
> Why do they have to be manually selected, did you do a choice here who to import and who to skip?
> Would it be the same to just synchronize all users automatically that match the query of the configured LDAP server(s) without an additional window opening up?
Sure, but there is no such sync, is there?
No there is not, but from our conversation we want to try to get to know the scope of what is truly needed there.
So it seems like the ldap browser was not really necessary then, the true requirement is an automatic user sync based on the search query of the ldap servers?
Quote from: Monviech (Cedrik) on April 16, 2025, 08:38:11 AM
> the true requirement is an automatic user sync based on the search query of the ldap servers?
Yes, as far as I understand most admins need to create and manage the users (and their VPN settings) on the OPNsense side without any required action on the user's behalf.
Quote from: Monviech (Cedrik) on April 16, 2025, 08:38:11 AM
> No there is not, but from our conversation we want to try to get to know the scope of what is truly needed there.
> So it seems like the ldap browser was not really necessary then, the true requirement is an automatic user sync based on the search query of the ldap servers?
Yes, I believe that is the point that is currently missing here....
Yesterday I got a request from a customer for whom we manage the OPNsense. We don't have any access to their LDAP (Active Directory) besides what is configured in OPNsense to authenticate LDAP for OpenVPN. Now they have 3 new accounts for which they want me to create OpenVPN profiles.
So how does this work now? I am only the OPNsense admin and have no credentials besides what the customer sends me as "account names". These may be the same as the sAMAccountName or not. So normally I would now use the import button to get an idea. How does this work today, after the upgrade?
Right now you manually create 3 new users where the username matches with the name the users use as their login name in the windows domain, and select the scrambled password checkbox.
Quote from: Monviech (Cedrik) on April 17, 2025, 11:44:59 AM
> Right now you manually create 3 new users where the username matches with the name the users use as their login name in the windows domain, and select the scrambled password checkbox.
I am sorry, but this does not work as expected. I created the users in OPNsense with their "sAMAccountName", created a cert and made an OpenVPN profile export. Then we import it at the client and try to connect, which just gives "2025-04-23T08:47:39 Warning openvpn user 'user' could not authenticate."
For me it looks like the "link" between the LDAP user and the locally created user never gets updated.
https://forum.opnsense.org/index.php?topic=45606.msg234376#msg234376
With this we can continue to use our old workflow, creating users from LDAP/AD for OpenVPN.
But in fact it just creates the users from LDAP as users in OPNsense, as Cedrik wrote, so there might be a problem like the one you have when you create them, @itngo
Quote from: Monviech (Cedrik) on April 16, 2025, 08:38:11 AM
> So it seems like the ldap browser was not really necessary then, the true requirement is an automatic user sync based on the search query of the ldap servers?
Any idea when and if this will be implemented?
No info, and there is no ticket on GitHub describing the exact issue that needs to be solved.
Essentially a user does not have to exist in the user manager; authentication also works if the user does not exist there.
For OpenVPN the only requirement is a certificate with the username in the CN, and that can be created without needing a user.
Only if 2FA comes into play must the user literally exist in the user manager.
There's also the new user portal in the business edition that automates even certificate creation if a user logs in there.
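The two rules stated in the last post (no local user needed for plain LDAP auth, but the certificate CN must carry the username) are what decide between a working profile and the "could not authenticate" warning quoted earlier in the thread. The following is an added example, not OPNsense's code and not anything posted by the participants: it mints a throwaway CA and a client certificate whose CN is the sAMAccountName, then models the server-side check that the presented certificate chains to the VPN CA and that its CN equals the login name byte for byte. The CA name, the username "jdoe" and the alternative spellings tried in `main` are constructed for illustration; the LDAP password check that runs alongside is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewCA creates a throwaway CA standing in for the one configured under
// System > Trust (constructed for this example, serial numbers included).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-vpn-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert signs a client certificate whose CN is exactly the login
// name; nothing else about the account is needed to mint it.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, username string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: username},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckLogin models the server-side part of the check: the presented
// certificate must chain to the VPN CA and be valid for client auth, and its
// CN must be byte-for-byte the name typed at the OpenVPN prompt. A model of
// the behaviour described in the thread, not OPNsense's implementation.
func CheckLogin(ca *x509.Certificate, certPEM []byte, username string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no PEM certificate presented")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.Subject.CommonName != username {
		return fmt.Errorf("certificate CN %q does not match login name %q", cert.Subject.CommonName, username)
	}
	return nil
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	certPEM, err := IssueClientCert(ca, caKey, "jdoe")
	if err != nil {
		panic(err)
	}
	// Login names a user might type; only the first passes the CN check.
	for _, name := range []string{"jdoe", "EXAMPLE\\jdoe", "jdoe@example.test", "JDoe"} {
		fmt.Printf("%-20s -> %v\n", name, CheckLogin(ca, certPEM, name))
	}
}
```

The comparison is deliberately exact: a DOMAIN\ prefix, a UPN or a different case in the CN all fail even though AD itself would accept any of them for the password part, which is one reason to seat the cert CN on the sAMAccountName and nothing else. A certificate from a different CA also fails before the CN is ever looked at.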