OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: horides on March 27, 2018, 04:01:30 pm

Title: OPNSense - integration SSHD, SUDO, CONSOLE, GUI + Active Directory or OpenLDAP
Post by: horides on March 27, 2018, 04:01:30 pm
I have long been researching SSHD and Active Directory or LDAP integration in OPNsense. I see many other people having difficulties applying this solution; I have tried to apply it with the NSLCD and SSSD services, and there are always problems with bugs or poorly handled errors. I found several tutorials that were not very reliable, or people with the same problem receiving few answers, so I decided to open a topic on this subject, because I see an extreme need to integrate the SSHD + AD or LDAP services in the OPNsense solution: a plugin already exists to integrate authentication for the web interface and it works perfectly, but for authentication to the OS there is no functional how-to on the internet.

Thank you for your cooperation.
Title: Re: OPNSense - integration SSHD, SUDO, CONSOLE + Active Directory or OpenLDAP
Post by: horides on April 06, 2018, 12:56:52 pm
After several attempts to integrate with services such as SSSD, NSLCD and PAM_LDAP using OPNsense version 16.7.5, I discovered that from version 17.1 a PAM library (pam_opnsense.so) was developed by the OPNsense project which allows the integration of authentication for the sudo, ssh, console and GUI services synchronized to OpenLDAP or Active Directory. This option is in System >> Administration >> "Integrated authentication (Disable integrated authentication)", and it must be kept unchecked so that authentication is integrated between the services.
It has now become much easier and more functional to synchronize OPNsense to OpenLDAP or Active Directory, following two steps:

1 - Configure OPNsense synchronization with OpenLDAP or Active Directory in the System >> Access >> Server option

"Descriptive name"            = ActiveDirectory
"Type"                        = LDAP
"Hostname or IP address"      = <IP of the Domain Controller>
"Port value"                  = <389, or 636 for SSL>
"Transport"                   = <TCP, StartTLS or SSL>
"Peer Certificate Authority"  = <If you use a certificate for access to Active Directory or OpenLDAP you must add it here>
"Protocol version"            = <keep 3, because LDAP 3 is compatible with LDAP 2>
"Bind credentials User DN"    = <User for Active Directory access, example: CN=<username>,OU=Users,DC=example-dev,DC=local>
"Password"                    = <User DN password>
"Search scope"                = <defines how deep to search within the search base: use "Entire Subtree">
"Base DN"                     = <DC=example-dev,DC=local>
"Authentication containers"   = <defines from which OU the users will be imported, example: OU=Users,DC=example-dev,DC=local>
"Extended Query"              = <here you can define a query allowing the import of users that belong to a group, example: &(memberOf=CN=AnyGroup,OU=Groups,DC=example-dev,DC=local)>
"User naming attribute"       = <sAMAccountName, uid or cn>

Import the users into OPNsense in "System >> Access >> Users" using the "import users" icon.

2 - Leave the option in System >> Administration >> "Integrated authentication (Disable integrated authentication)" unchecked.

Now you can access the sudo, ssh, console and GUI services with the credentials of the OpenLDAP or Active Directory users.

Best Regards,
Horides Junior
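An added example, not code from the post or from the OPNsense project: a small Python script that assembles the user lookup the settings above imply, escapes the login name per RFC 4515 so a typed username cannot change the filter's structure, and checks the extended query for balanced parentheses. It assumes (my assumption, not verified against OPNsense's source) that the naming-attribute match and the extended query are joined with an AND; the DNs and group name are constructed from the examples in the post.

```python
# Added example: assemble and sanity-check the LDAP user lookup implied by the
# settings above. Not OPNsense code; the way the two filter parts are combined
# (an AND of the naming-attribute match and the extended query) is an assumption.

# Constructed values, taken from the examples in the post.
BASE_DN = "DC=example-dev,DC=local"
AUTH_CONTAINER = "OU=Users,DC=example-dev,DC=local"
EXTENDED_QUERY = "&(memberOf=CN=AnyGroup,OU=Groups,DC=example-dev,DC=local)"
NAMING_ATTRIBUTE = "sAMAccountName"

# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name before embedding it in a filter: the name is typed by
    whoever is trying to log in, so it must never alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parentheses_balanced(query: str) -> bool:
    """Cheap structural check for an administrator-written extended query."""
    depth = 0
    for ch in query:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_user_filter(login: str, naming_attribute: str = NAMING_ATTRIBUTE,
                      extended_query: str = EXTENDED_QUERY) -> str:
    """Return the filter that selects one user, optionally restricted to the
    group membership expressed by the extended query."""
    if extended_query and not parentheses_balanced(extended_query):
        raise ValueError("extended query has unbalanced parentheses")
    user_match = f"({naming_attribute}={escape_filter_value(login)})"
    if not extended_query:
        return user_match
    return f"(&{user_match}({extended_query}))"


if __name__ == "__main__":
    print("search base:", AUTH_CONTAINER or BASE_DN)
    print("ordinary login:", build_user_filter("alice"))
    # A login name crafted to close the filter early is neutralised by escaping.
    print("hostile login:", build_user_filter("*)(objectClass=*"))
```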
Title: Re: OPNSense SSHD + Active Directory or OpenLDAP
Post by: elektroinside on April 06, 2018, 01:07:36 pm
Very nice, well done!
Title: Re: OPNSense - integration SSHD, SUDO, CONSOLE + Active Directory or OpenLDAP
Post by: iam on July 21, 2018, 04:07:53 pm

Import the users into OPNsense in "System >> Access >> Users" using the "import users" icon.

Where can I find this icon in 18.7.r2?
Title: Re: OPNSense - integration SSHD, SUDO, CONSOLE, GUI + Active Directory or OpenLDAP
Post by: iam on July 23, 2018, 08:47:11 pm
Interesting. The symbol is only shown if I use only the LDAP server as the authentication service. But after re-adding the local database to the list of authentication services I can use local and LDAP users.