Messages - itngo

#1
Quote from: Monviech (Cedrik) on April 16, 2025, 08:38:11 AM
So it seems like the ldap browser was not really necessary then, the true requirement is an automatic user sync based on the search query of the ldap servers?

Any idea when and if this will be implemented?
#2
Quote from: Monviech (Cedrik) on April 17, 2025, 11:44:59 AM
Right now you manually create 3 new users where the username matches with the name the users use as their login name in the windows domain, and select the scrambled password checkbox.

I am sorry, but this does not work as expected. I created the users in opnsense with their "sAMAccountName", created the cert and made the openVPN profile export. Then we imported it at the client and tried to connect, which just gives "2025-04-23T08:47:39   Warning   openvpn   user 'user' could not authenticate."

For me it looks like the "link" between the LDAP user and the locally created user never gets updated.
#3
Yesterday I got a request from one customer for whom we manage the opnsense. We don't have any access to their LDAP (Active Directory) besides what is configured in the opnsense to authenticate LDAP for openVPN. Now they have 3 new accounts for which they want me to create openVPN profiles.

So how does this work now? I am only the opnsense admin and have no credentials besides what the customer sends me as "Account-Names". This can be the same as the sAMAccountName or not. So normally I would now use the import button to get an idea. How does this work today, after the upgrade?
#4
Quote from: Monviech (Cedrik) on April 16, 2025, 08:38:11 AM
No, there is not, but from our conversation we want to try to get to know the scope of what is truly needed there.

So it seems like the ldap browser was not really necessary then, the true requirement is an automatic user sync based on the search query of the ldap servers?

Yes, I believe that is the point that is currently missing here....
#5
Quote from: Monviech (Cedrik) on April 16, 2025, 07:28:01 AM
But do you really need the window to manually select the users?
Why do they have to be manually selected, did you make a choice here who to import and who to skip?

Would it be the same to just synchronize all users automatically that match the query of the configured LDAP server(s) without an additional window opening up?

Sure, but there is no such sync, is there?
#6
Quote from: franco on April 15, 2025, 09:46:29 PM
Yes, basically I'm trying to understand what essence of this feature was important so as to try and put something similarly helpful back in the existing structure -- just not what was there.


Cheers,
Franco

More or less a window in which you can select the users from the LDAP list so that you don't have to "type" them...
#7
Quote from: franco on April 15, 2025, 02:46:57 PM
Yes, so we are going round in circles: are we talking about the heisenuser which is thousands of users at the same time or not... CSV probably saves you a lot of time unless somebody printed those names on paper. You have enough room for human error in any approach to the paper list then.  ;)


Cheers,
Franco

Maybe I am not capable of explaining this in my non-native language... maybe someone else wants to jump in to try to explain why this little window was helping a lot and is missed now.... I am out here, because I am unable to explain this any further and will accept that this is not coming back....
#8
Quote from: franco on April 15, 2025, 02:14:50 PM
The fact is the importer as it was in 24.7/24.10 didn't help with setting up VPNs or OTPs or other things at all. It was just an LDAP browser with the ability to select a user without typing.

Which helped a lot when you have 55k users and you get a list with new VPN users to create.... ;-)
#9
Quote from: franco on April 15, 2025, 01:49:48 PM
> Mh... maybe we currently do not really understand how the new workflow has to be done?

Add a new user with the username being the server's CN and that's it. The workflow remains the same.


Cheers,
Franco

And that is where it simply does not work in 25.4... the user never gets updated from LDAP.....
#10
Mh... maybe we currently do not really understand how the new workflow has to be done?

In the past, when doing user creation just for openVPN usage, it was as simple as adding the user with the icon from the list.
Now you have to create a CSV file first and then import that. Consider that an export from the Active Directory MMC to CSV is not usable as-is, as you need to prepare that file so it gets accepted for CSV import in opnsense... the old way in my opinion was far more straightforward. You could teach that even to a trainee or a non-full-time admin....

And in the old version you could add/import the user, create the cert and export the config file for openvpn... in the new way you need to create or import that user, or have the user log on to opnsense?
#11
Quote from: franco on April 15, 2025, 12:07:09 PM
So, which part is missing, let's talk real world here.. the fancy LDAP browser?

Yes, the "little" cloud icon to get the list of users from LDAP where you can "select" multiple of them for import to opnsense.
#12
Quote from: Patrick M. Hausen on April 15, 2025, 08:58:54 AM
As far as I understand, with the old implementation administrators would synchronise the LDAP users, then assign certificates, then perform e.g. an OpenVPN client export - all without any action required on the part of the user, nor the admin needing to know the user password.

The users are then handed their individual configurations by the admin without ever interacting with OPNsense by logging on to the portal.

I fully see that this would be the preferred workflow in most organisations. It's what we do, too, only we use the same certificate for all clients so I have a single configuration file with embedded certs for everyone.

Exactly....
#13
Same here.... In my opinion a very bad design decision...
#14
Mh... so how do I get my LDAP users into opnsense now without having the users' passwords to prepare their openVPN access?
Looks like some hassle to me which was not expected. It is a normal case to import users to prepare their PC for home office without having the user's password. In the past this was no issue... now this is not possible anymore without exporting/importing something to CSV? Am I right about this?
#15
And only with a BE subscription....