Using Active Directory for Authentication

[mikeisfly]

Hello all, I am coming from PfSense where I had my box authenticating against my Domain Controller using Active Directory. I have it essentially following this guide https://forum.pfsense.org/index.php?topic=44689.0. I created the group on the box and assigned the privileges I wanted the group to have but when I log in I get the message that the user has no page has been assigned. When I use the tester, the users are authenticating correctly. I am using the current version  16.1.2 64bit. It is like the group of the user logging in is not being passed back to OPNSENSE, any help would be appreciated.


Thanks,

[mikeisfly]

Just as another data point, if I create the user on the box and add them to the group I created with access to log in, then I can log in no problem. It is authenticating against AD because I purposely made the password different on the OPNSense database and it will not let me log in with that password. Seems to me create the user on my OPNSense box when the user is already created in AD seems like double work. Is this the expected behavior?

[weust]

Only a home user here, so I kept it simple for myself.
I selected the Domain Admins under Authentication Containers in System:Access:Servers eq "OU=Domain Admins,DC=weust,DC=local" (without the quotes, since you can browse it).

Perhaps use a AD Global Group instead of a box group?

[mikeisfly]

Only a home user here, so I kept it simple for myself.
I selected the Domain Admins under Authentication Containers in System:Access:Servers eq "OU=Domain Admins,DC=weust,DC=local" (without the quotes, since you can browse it).

Perhaps use a AD Global Group instead of a box group?

Thanks this didn't work for me. So the way you did it you didn't have to create a local yours on your OPNSense box correct corresponding to the domain account? That is what I'm trying to avoid doing if possible.

[weust]

I do have a user on the OPNsense box that is connected to my AD.
But it's been so long I can't remember exactly how I did it.

I'd have to create a new user in my AD and set that up in OPNsense to figure out how exactly I got it to work...

[mikeisfly]

I do have a user on the OPNsense box that is connected to my AD.
But it's been so long I can't remember exactly how I did it.

I'd have to create a new user in my AD and set that up in OPNsense to figure out how exactly I got it to work...

Yes I have it working this way. I'm looking to use only my AD to authenticate the user without having to duplicate the username on the local box. This is how it works in PfSense today.

[weust]

This isn't pfSense ;-)
Maybe a dev can clarify, but I believe it's not yet possible atm.

And check on IRC as well.

[AdSchellevis]

OPNsense doesn't synchronize groups, some more information on how it works in our product can be found in the original issue https://github.com/opnsense/core/issues/266.
There is an easy import available to copy the remote users to the firewall.

Services that only require an authentication (and no connected ACL's) generally don't need the user synchronized.

[mikeisfly]

This isn't pfSense ;-)
Maybe a dev can clarify, but I believe it's not yet possible atm.

And check on IRC as well.

Didn't mean to offend, I'm just checking out the project and just wanted to know the nature of the authentication.
Thanks everyone for the info.

[AdSchellevis]

I don't think anybody is offended
Your absolutely welcome, asking questions is what the forum is for.