LDAP user import not working with multiple LDAP servers

Started by J-Psy, April 27, 2022, 02:44:33 PM

Hello,

I'm trying to configure the following: I want to allow users from an Active Directory to connect to the network with SSL VPN. These users should use MFA with username/password and TOTP. I also want to match these users with some AD security groups so that they will have network access restricted to the ones defined for the group they belong to (i.e. one access for admins, allowing all networks, one access for the users only allowing SMB to the filer... that kind of stuff).

So far, I did the following:
- Added two access servers, type LDAP + TOTP, with "Extended Query": &(memberOf=DN_of_the_AD_group_used_as_filter), with the "Read properties" and "Synchronize groups" options checked

- Created 2 OpenVPN servers, each one using one of the 2 access servers as backend, and each one with a different IPv4 Tunnel Network. This way I can have the users connect from different subnets according to their group membership and define my firewall rules adapted to their profile.

- To generate the OTP seed for the users, I need to import them on the firewall. To manage that, I went to the System -> Settings -> Administration menu and added my two authentication servers in the server list. Once I did that, the little cloud icon appeared on the Users menu to import the LDAP users. The issue is that it only retrieves the users from the first LDAP server defined in the Settings/Administration menu. This means if I remove the first server from the list, then the import shows me the users from the second server. But if I have both, it only shows the users from the first server. When I import, it works, but how can I get both servers' users imported?

Is there any reason explaining this behaviour? Maybe there is a better way to do what I want to configure. I'm new to OPNsense so I might not be using the right methods.

Thank you for your help!

https://github.com/opnsense/core/issues/4963

Are the LDAP servers in fact the same and you just need different users for different scopes?

Hi,

Thanks for your reply. Yes, that's exactly it and it behaves just like in the link you provided.

The trick mentioned in it won't do it for me though.

The trick I found so far is to first import the users from the first access server, then deselect it from the administration settings' authentication servers so that only the second one is left, then launch the import again, import the other users, and go back to the administration settings to enable both again.

But it's a bit laborious.

I think that these are issues where the core OPNsense team would appreciate some support from the community...
I have the LDAP import issue on my agenda, but I simply find no time, as "the light at the end of the tunnel is switched off due to heavy work overload" :-(
Maybe some crowdfunding per topic for special OPNsense features would be a good idea... I know similar approaches from other open source projects in the past... but that is beyond the topic of this issue.

You don't need to import users nowadays, just make sure to properly configure "Automatic user creation" and "Synchronize groups" to pull in users and group assignments, then check "User OTP seed" in System->Settings->Administration for self-service (in which case you will need to configure your LDAP service twice, one without TOTP for self-service, one with TOTP for VPN).

When using the business edition, non-existing users will also be removed periodically (https://docs.opnsense.org/manual/how-tos/user-ldap.html#step-4-import-users).

Best regards,

Ad

Ah, thank you AdSchellevis for pointing me at this, the new settings passed my attention while updating to 2.10.

Hi AdSchellevis,

Thank you for your feedback. Sorry, but I'm not sure I fully understand your solution. I did indeed configure the "Automatic user creation" and "Synchronize groups".

From my understanding, it seems that for the "Synchronize groups" option to work, you need to create a local group matching the CN of the AD group. So I did this, and I also then added these local VPN groups to the "User OTP seed" field in the System -> Settings -> Configuration menu, as you mentioned.

But I don't know where to go from here... How can I generate the OTP seed for the users? I tried putting a manual key into the Google Authenticator app (instead of the QR code) but the connection is not working.

Thus, I never managed to create a connection without user certificates (I wrote another post about this), so I'm not sure if this is the same issue or something wrong with the LDAP+TOTP configuration.
The one thing I find strange is that my local groups don't seem to be populated (the member count is still at 0). If they were synchronized, I would think that the member count would grow, so I'm afraid I did not configure it correctly.