1
17.1 Legacy Series / LDAP/Active Directory groups
« on: March 07, 2017, 05:03:24 pm »
I've been using pfSense for a very long time, but OPNSense caught my attention after the developers at pfSense started changing a few key features.
I've had Active Directory integration working for a couple years in pfSense. I believe I have it sort of working in OPNSense, but it seems like the paradigm for LDAP authentication is slightly different for OPNSense. In broad terms, I seem to be able to authenticate with it, but I don't quite understand the changes in how it's working.
First, it doesn't seem to recognize AD groups. On my pfSense box, I have a group named "pfAdmins." In AD, I also have a group named "pfAdmins." I might have done something else to "link" those two groups, but if I did, I don't recall what it was. At any rate, I can put Windows users into the Active Directory pfAdmins group, and when they authenticate to pfSense, they're in that group. I also have a VPNUsers group in Windows, which passes through nicely to the OpenVPN server in pfSense. Ultimately, I would like to assign permissions based on Windows groups, so I don't have to administer two different sets of users.
The "import users" feature seems new. In pfSense, there were no AD users in the local database. I understand why there would be advantages to having local users, most notably the ability to create individual user certificates for them. (My pfSense box authenticates using LDAP, but uses only a server certificate for encryption.) If users are required to be imported, is it there a command where this operation can be scripted from time to time?
That brings me to the last question: I currently authenticate for two different purposes:
1) Appliance administration
2) VPN Authentication
The admin users in my domain use a different account, in a different OU, for admin purposes. I've set the authentication containers for the LDAP to include only the "Employees" container and the "Admins" container. I've also tried using extended queries to limit to only &(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com), but when I click on the "import users" button, it seems to pull non-person objects from outside of those two containers. If I were to automate user import, those filters would need to work correctly.
I fully admit that I don't have the best grasp on LDAP querying, and that maybe I'm not even in the correct mindset, but is there anything glaringly incorrect about what I'm trying to do?
Thanks in advance!
I've had Active Directory integration working for a couple years in pfSense. I believe I have it sort of working in OPNSense, but it seems like the paradigm for LDAP authentication is slightly different for OPNSense. In broad terms, I seem to be able to authenticate with it, but I don't quite understand the changes in how it's working.
First, it doesn't seem to recognize AD groups. On my pfSense box, I have a group named "pfAdmins." In AD, I also have a group named "pfAdmins." I might have done something else to "link" those two groups, but if I did, I don't recall what it was. At any rate, I can put Windows users into the Active Directory pfAdmins group, and when they authenticate to pfSense, they're in that group. I also have a VPNUsers group in Windows, which passes through nicely to the OpenVPN server in pfSense. Ultimately, I would like to assign permissions based on Windows groups, so I don't have to administer two different sets of users.
The "import users" feature seems new. In pfSense, there were no AD users in the local database. I understand why there would be advantages to having local users, most notably the ability to create individual user certificates for them. (My pfSense box authenticates using LDAP, but uses only a server certificate for encryption.) If users are required to be imported, is it there a command where this operation can be scripted from time to time?
That brings me to the last question: I currently authenticate for two different purposes:
1) Appliance administration
2) VPN Authentication
The admin users in my domain use a different account, in a different OU, for admin purposes. I've set the authentication containers for the LDAP to include only the "Employees" container and the "Admins" container. I've also tried using extended queries to limit to only &(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com), but when I click on the "import users" button, it seems to pull non-person objects from outside of those two containers. If I were to automate user import, those filters would need to work correctly.
I fully admit that I don't have the best grasp on LDAP querying, and that maybe I'm not even in the correct mindset, but is there anything glaringly incorrect about what I'm trying to do?
Thanks in advance!