Hi folks,
After I updated my OPNsense and got in touch with the new LDAP method, I got confused. My setup is strictly with TOTP, so I have my LDAP server + TOTP set up with an Extended Query that searches all my users with the VPN group name; all right and fine with the manual import from 24.x. Now I have the issue that I have the same setup edited, so I enabled Read properties and Sync Groups, but I have the same local users that aren't associated with the LDAP, and a new user only pops up if I have a copy of the Auth Server settings without the TOTP. The new user also is only created if I try to log in with them over the Auth Tester. Is there something I'm missing? How often are the users queried from the LDAP? Does a user have to log in to the firewall manually so an account is created?
Thx
https://forum.opnsense.org/index.php?topic=45460.0
Quote: Migration notes, known issues and limitations:
o The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The "page-system-groupmanager-addprivs" privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing "page-system-usermanager-addprivs" instead.
Quote: The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option.
But how does the on-demand creation work? Is it queried? Or is it event-based? And is there a way to map old users or at least auto-create new users?
TOTP setup was never automatic. There is a self-service option for TOTP token generation. It requires the user to log in via LDAP authentication (no TOTP set up yet) and then they can (re)generate their token. On the first login the user account will be created of course, no admin necessary.
Cheers,
Franco
Well, TOTP was never automatic, but my pain point is that a user has to actively try to log in to the OPNsense so I as an administrator can create the TOTP seed and generate the certificate for them. With the old way I could do everything without the user even interacting with the system.
So to be clear: I need the user to log in for it to create an LDAP-synced account just so I can set up the TOTP seed and certificate?
You can also create the user manually. E.g.:
dn => CN=test-user,CN=Users,DC=ad,DC=example,DC=com
Go to System: Access: Users
Press + to create a new User
Username: test-user
Scrambled Password: X
You can also create the OTP token at the same time.
Alternatively, the new user Manager is REST API enabled, you could do things like:
- Create a script on your Active Directory Domain Controller or OpenLDAP server, that creates the user, otp token, openvpn profile etc... during onboarding.
Just bring back the importer or similar tool.... I just want to create the users for our openvpn. Now it is not possible.
I'm also a bit confused how this is supposed to work.
Previously, it was straightforward (in my opinion): you could simply import the user(s) and then link an OTP to each one.
Now, when I migrate, what happens?
Are the users and all associated OTPs:
Deleted?
Converted to "local DB"?
Additionally, how can I automatically import users?
I wasn't able to get this working using the "Automatic user creation" function.
The import browser was merely a tool to list DN/CN.. All you need to do to "import" is match the CN on the LDAP as a user name? That's all there is to LDAP imports. The magic happens in the authenticator, not the user.
Cheers,
Franco
ok, but the importer saved a lot of time :-|
Like I wrote above, the new User Manager is API enabled.
You can write a PowerShell script, for example, that will:
- Create the Active Directory user
- Create the same user in OPNsense using the REST API
- Create the OTP Token, retrieve it and serialize it in the Active Directory User Object under the comment
- Create the OpenVPN Profile, download the certificate and OpenVPN Profile
It can all be automated now, you can save loads of time.
With the current capability of AI tools that excel in scripting, writing a script like that can be done by almost anybody with a plan.
Quote from: franco on February 06, 2025, 07:41:25 AM
The import browser was merely a tool to list DN/CN.. All you need to do to "import" is match the CN on the LDAP as a user name? That's all there is to LDAP imports. The magic happens in the authenticator, not the user.
Cheers,
Franco
Ah, the "match the CN on the LDAP" was a point that wasn't entirely clear to me.
After the update, there is no longer a visible difference between local and AD-imported users.
I was able to test it successfully now, thanks :)
Hi, I tried to create a PowerShell script as Cedrik suggested, but I struggle.
As I never worked with the API commands before, I read the API documentation and did some exercises.
For testing purposes, I created a bash script with a curl command:
#!/bin/sh
API_KEY="my Api key"
API_SECRET="my api secret"
# curl -u builds the Basic auth header (base64 of key:secret) itself,
# so no manual base64 step is needed.
curl -k -v "https://opnsense-ip/api/auth/user/add" \
-u "$API_KEY:$API_SECRET" \
-H "Content-Type: application/json" \
-d '{
"username": "test",
"password": "securepassword123",
"group_memberships": ["admins"]
}'
but this returns a "failed" message.
My intention is to enable the MS AD users for OpenVPN, and of course it would be great if, when I delete one AD user,
the OpenVPN "dial in" for this user is deleted as well. Perhaps I am completely on the wrong track.
I am happy for any kind of hints.
https://github.com/opnsense/core/issues/8340
Hi @all,
we operate a site network with about 30 opnsense devices and about 300 OpenVPN users. We regret the lack of an LDAP importer – that worked well for us (including manual addition of an OTP).
I have the following questions:
(1) with the new process, is it intended that the user account (without OTP) is synchronised from the LDAP server to the opnsense at the moment the user logs on to the manage GUI of the relevant opnsense?
If so, are there any example configurations for this? Our tests have not been successful so far - unless the user was previously created locally on the Opnsense (GUI).
But that is not practical for 300 users. If each user only had to log in to the portal once, that would not be a problem and would be a good solution.
(2) is there a way to import LDAP accounts to the opnsense outside of API scripts? Is this option planned for the future?
Quote from: Schubert on March 10, 2025, 06:40:50 PM
Hi @all,
we operate a site network with about 30 opnsense devices and about 300 OpenVPN users. We regret the lack of an LDAP importer – that worked well for us (including manual addition of an OTP).
I have the following questions:
(1) with the new process, is it intended that the user account (without OTP) is synchronised from the LDAP server to the opnsense at the moment the user logs on to the manage GUI of the relevant opnsense?
If so, are there any example configurations for this? Our tests have not been successful so far - unless the user was previously created locally on the Opnsense (GUI).
But that is not practical for 300 users. If each user only had to log in to the portal once, that would not be a problem and would be a good solution.
(2) is there a way to import LDAP accounts to the opnsense outside of API scripts? Is this option planned for the future?
Well, this was a slap on my face ...
I also wish to know the solution for the above question, since I have a very large +100 AD users in sync with one of the OPNSense.
Thanks in advance.
JG
Quote from: franco on February 06, 2025, 07:41:25 AM
The import browser was merely a tool to list DN/CN.. All you need to do to "import" is match the CN on the LDAP as a user name? That's all there is to LDAP imports. The magic happens in the authenticator, not the user.
Cheers,
Franco
Trying to create the below user based on the AD info:
dn => CN=Jorge Gomes,OU=users,OU=office365,OU=Sede,DC=sample,DC=xpto
On the input field for the username, if I put 'Jorge Gomes' it says 'must contain alphanumeric characters or a valid email', so it's not accepting the CN for the user; the sAMAccountName is jgomes.
You had a good solution with the import utility, but you made this more complex for most of us ...
So, how should I create a user on the OPNSense?
Thanks.
JG
--- Tested the following ---
On the GUI, I created the user with the following data:
username: jgomes
pwd: ticked the scrambled box
full name: Jorge Gomes
On the users list, I clicked 'search certificates by the username', which gave me an empty result, but I clicked the '+' and that opened a box to create the certificate for the user, with the common name as the user name, and after saving it, it was then mapped to the user.
After going to VPN: Client Export and exporting the OpenVPN config, I imported it on my client and logged in with the username and password from the AD user. Remember that I created the user with a 'scrambled' password, and it logged in.
So I guess it's working ...
Can you validate these quick steps?
Thanks in advance.
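Cedrik's post above describes scripting the user creation against the REST API, and JG's posts show the two practical snags: the CN ('Jorge Gomes') is rejected as a username while the sAMAccountName ('jgomes') works, and the local record only needs a scrambled password because the real password stays on the LDAP server. The following is an added example written for this thread (not code from the thread or from the OPNsense project): it takes constructed AD-style entries, picks a username the GUI rule will accept, builds the JSON body and Basic-auth header for POST /api/auth/user/add, and keeps the actual network call in a separate function. The field names inside the "user" object (name, descr, scrambled_password, group_memberships as a comma-separated string) and the username regex are assumptions to check against the API documentation of your release.

```python
# Added example (not from the thread or the OPNsense project): prepare
# OPNsense user-creation requests from an AD/LDAP export.
import base64
import json
import re
import ssl
import urllib.request

# Constructed sample of what an AD export (e.g. from PowerShell) might yield.
SAMPLE_ENTRIES = [
    {"dn": "CN=Jorge Gomes,OU=users,DC=sample,DC=xpto",
     "sAMAccountName": "jgomes", "displayName": "Jorge Gomes"},
    {"dn": "CN=test user,CN=Users,DC=ad,DC=example,DC=com",
     "sAMAccountName": "test user", "displayName": "Test User"},
    {"dn": "CN=Mail Only,DC=sample,DC=xpto",
     "mail": "mailonly@sample.xpto", "displayName": "Mail Only"},
]

# Approximation (assumption) of the GUI rule quoted in the thread:
# "alphanumeric characters or a valid email". The real validator may differ.
_PLAIN_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
_EMAIL_RE = re.compile(r"^[A-Za-z0-9_.+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def valid_username(name: str) -> bool:
    """True if the name looks acceptable to the user manager."""
    return bool(_PLAIN_RE.match(name) or _EMAIL_RE.match(name))


def username_from_entry(entry: dict):
    """Prefer sAMAccountName over the CN (which may contain spaces), then
    fall back to the mail attribute. Returns None if nothing is usable."""
    for attr in ("sAMAccountName", "mail"):
        candidate = entry.get(attr, "").strip()
        if candidate and valid_username(candidate):
            return candidate
    return None


def build_payload(entry: dict, groups) -> dict:
    """JSON body for /api/auth/user/add (field names are assumptions).
    scrambled_password: the AD password never leaves the LDAP server;
    OPNsense only needs a local record for the OTP seed and certificate."""
    name = username_from_entry(entry)
    if name is None:
        raise ValueError(f"no usable username in {entry.get('dn')}")
    return {"user": {
        "name": name,
        "descr": entry.get("displayName", name),
        "scrambled_password": "1",
        "group_memberships": ",".join(groups),
    }}


def basic_auth_header(key: str, secret: str) -> str:
    """Same encoding that curl -u performs for you."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return f"Basic {token}"


def post_user(base_url, key, secret, payload, verify_tls=True):
    """Send one request and return the decoded JSON reply (network call,
    not exercised offline). verify_tls=False mirrors curl -k for a
    self-signed GUI certificate; trusting the CA is the better option."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/auth/user/add",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": basic_auth_header(key, secret)},
        method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def plan(entries, groups):
    """Split an export into payloads ready to send and entries to fix by hand."""
    ready, skipped = [], []
    for entry in entries:
        try:
            ready.append(build_payload(entry, groups))
        except ValueError as exc:
            skipped.append(str(exc))
    return ready, skipped


if __name__ == "__main__":
    ready, skipped = plan(SAMPLE_ENTRIES, ["vpnusers"])
    for body in ready:
        print(json.dumps(body))
    for reason in skipped:
        print("skipped:", reason)
    # To create them for real: post_user("https://opnsense-ip", key, secret, body)
```

Running it prints two request bodies (jgomes and the mail-only account) and one skipped entry, because "test user" contains a space and has no mail attribute; those are the records an admin has to rename or map by hand before running the real POST.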
Franco posted a GitHub link where you can import users from CSV. I think in this ticket there is also a PS command to export AD users to CSV.
The CSV import/export for users was released today in 25.1.3.
For whoever may be interested ... we implemented the LDAP sync in our Ansible role for OPNsense:
https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense/wiki/ldapsync
Maybe this can be of some help for someone; otherwise please just ignore it.
Mh... so how do I get my LDAP users into OPNsense now without having the users' passwords to prepare their OpenVPN access?
Looks like some hassle to me, which was not expected. It is a normal case to import users to prepare their PC for home office without having the user's password. In the past this was no issue... now this is not possible anymore without exporting/importing something to CSV? Am I right about this?
I had the same concerns about the lack of user import from LDAP until I came across this link in one of the threads (BE Only):
OPNsense User Portal (https://docs.opnsense.org/vendor/deciso/userportal.html)