OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: hboetes on January 04, 2019, 01:30:39 pm

Title: Freeipa LDAP authentication HOWTO.
Post by: hboetes on January 04, 2019, 01:30:39 pm

We have a FreeIPA server for authentication and to allow group members of sysadmins and firewallobservers to access via LDAP I proceeded like this:

• Import the FreeIPA CA if you didn’t already, it’s probaby on your worstation over here:/etc/ipa/ca.crt
• Create a user in Freeipa: opnsense, with a strong password
• Create a group firewallobservers and add the right users to this group, I already had a sysadmin group.
• In opensense: System → Access → Add a server like in the screenshot, always use the full LDAP account names, with the FQDN.
• In the extended query you can decide which groups have access to the firewall: Since it’s hard to read:
  

  |(memberof=cn=systemadministration,cn=groups,cn=accounts,dc=example,dc=com)(memberof=cn=firewallobservers,cn=groups,cn=accounts,dc=example,dc=com)

  
  

(http://freeipa_opnsense.png)

After that you can go to testers and check if everything works. If that works you can go to users and press the cloud button at the right to import the FreeIPA users. Add them to the right groups and Bob’s your uncle.  8)

If there is anything unclear, please let me know and I’ll improve this How-to.

Title: Re: Freeipa LDAP authentication HOWTO.
Post by: franco on January 06, 2019, 09:22:56 pm

Cool, thanks for this! <3

Title: Re: Freeipa LDAP authentication HOWTO.
Post by: TaceN on January 18, 2019, 11:54:52 pm

thanks!

Title: Re: Freeipa LDAP authentication HOWTO.
Post by: gilvanio on May 12, 2023, 10:47:19 pm

As a suggestion, to increase security, create a system user in freeipa that has read-only permission and the password does not expire in 90 days

1 - Create a file

]# vim opnsense-binddn.update

add content :

dn: uid=opnsense_bind,cn=sysaccounts,cn=etc,dc=example,dc=local
default:objectclass:account
default:objectclass:simplesecurityobject
default:uid:opnsense_bind
only:userPassword:o9gkUeQNnRexPJrbFNZGC3szN
only:passwordExpirationTime:20380119031407Z
only:nsIdleTimeout:0

2 - run the command to create the user
]# ipa-ldap-updater opnsense-binddn.update
update complete
The ipa-ldap-updater command was successful

Title: Re: Freeipa LDAP authentication HOWTO.
Post by: hboetes on May 15, 2023, 07:42:30 am

Thanks for the excellent addition, gilvanio!