OPNsense Forum

English Forums => General Discussion => Topic started by: iam on July 26, 2018, 09:06:48 am

Title: LDAP groups
Post by: iam on July 26, 2018, 09:06:48 am
Hi,

I want to use my LDAP groups on OPNsense to give rights on it. This was possible with pfSense. So it would be very nice if this feature could be reimplemented.

Cheers,
iam

Some links:
https://forum.opnsense.org/index.php?topic=4729.0
https://github.com/opnsense/core/issues/360
Title: Re: LDAP groups
Post by: mimugmail on July 27, 2018, 03:48:39 pm
Do you want it for VPN or device authentication?
Title: Re: LDAP groups
Post by: weust on July 27, 2018, 06:12:56 pm
Don't limit to just specific services, make it available to whatever service can do LDAP/AD authentication.
And of course users of the OPNsense box itself.
Title: Re: LDAP groups
Post by: innate.ideas on July 28, 2018, 08:09:48 am
If this is being considered, please make it simple to not install the related LDAP/AD software. I personally would prefer OPNsense not become an easy target for lateral movement by bad guys. AD access to administrative access on OPNsense would open the network firewall and IPS to compromise once the bad guys have popped AD internally.
Title: Re: LDAP groups
Post by: Jose on July 29, 2018, 05:51:13 am
I agree with post #3, perhaps as an outboard plugin as usual, so it is up to the user to add risky and/or firewall-unrelated functionality, plus it avoids bloatware.
Title: Re: LDAP groups
Post by: iam on July 30, 2018, 08:05:19 pm
I also agree with post #3. And I don't think that the usage of LDAP groups makes the firewall insecure.
Title: Re: LDAP groups
Post by: fabian on July 30, 2018, 08:42:16 pm
It isn't LDAP which is insecure. The problem is protocols allowing pass-the-hash or relaying attacks, such as https://en.wikipedia.org/wiki/SMBRelay
Title: Re: LDAP groups
Post by: R on August 07, 2018, 11:06:43 am
Hi
When I was working with OPNsense, I had these problems:
1. In some cases, the web service is out of service
2. In some cases, during the work, Suricata is out of service
3. Lack of functionality of the group selection button on all of the rules
4. When SSH is activated on the two interfaces, none of them are activated
5. Despite the rules having been activated, Suricata loads only its default rules.
6. When communicating with the LDAP server, it communicates with the certificate at one time, and then it encounters a communication error with the certificate. (opnsense: LDAP bind error (Can't contact LDAP server))

Please tell me your solution

Thanks
Title: Re: LDAP groups
Post by: mimugmail on August 07, 2018, 12:19:00 pm
Quote from: R on August 07, 2018, 11:06:43 am
Hi
When I was working with OPNsense, I had these problems:
1. In some cases, the web service is out of service
2. In some cases, during the work, Suricata is out of service
3. Lack of functionality of the group selection button on all of the rules
4. When SSH is activated on the two interfaces, none of them are activated
5. Despite the rules having been activated, Suricata loads only its default rules.
6. When communicating with the LDAP server, it communicates with the certificate at one time, and then it encounters a communication error with the certificate. (opnsense: LDAP bind error (Can't contact LDAP server))

Please tell me your solution

Thanks

Can you open your own thread, and with some background please?
It's impossible for others to work on your problems with just one-liners.