OPNsense Forum » Archive » 23.7 Legacy Series
Topic: LDAP set up problems (Read 2530 times)
alsoeric (Newbie, Posts: 23, Karma: 0)
LDAP set up problems « on: December 08, 2023, 02:26:58 am »
[edited to clear up my poorly worded description of testing]
My goal is to create an OPNsense user account and generate OpenVPN credentials from LDAP. Our LDAP service is provided by JumpCloud. I followed the instructions (
https://docs.opnsense.org/manual/how-tos/user-ldap.html
) to connect to the LDAP server. It appears that everything is set up correctly, but the test interface (System >> Access >> Tester) says my authentication credentials are wrong. However, it does not indicate whether the wrong credentials are for the LDAP connection or the username/password I've entered. I ran an ldapsearch on OPNsense and it returned the expected results.
command:
ldapsearch -H ldaps://ldap.jumpcloud.com:636 -x -b "o=$ORG_ID,dc=jumpcloud,dc=com" -D "uid=$BINDING_USER,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
result (filtered):
dn: uid=xxx,ou=Users,o=yyyy,dc=jumpcloud,dc=com
homeDirectory: /home/xxx
cn: xxx xxxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uidNumber: 5002
gidNumber: 5002
sn: xxxxxx
initials: z
displayName: xxxx xxxxxx
uid: xxxx
loginShell: /bin/bash
mail: xxxx@example.com
givenName: xxxx
memberOf: cn=vpn_users,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com
memberOf: cn=ldap_users,ou=Users,o=$ORG_ID,dc=jumpcloud,dc=com
AFAIK, the LDAP info is correct. When I run the OPNsense Tester with the given uid, it gives me the authentication credentials error.
I don't know where the logs are for LDAP, so I have not been able to check what the system thinks it's doing. A pointer to where the log files are would be much appreciated.
« Last Edit: December 08, 2023, 05:11:09 pm by alsoeric »
gdur (Full Member, Posts: 124, Karma: 2)
Re: LDAP set up problems « Reply #1 on: December 08, 2023, 11:19:25 am »
It is unclear from where you have tested the ldapsearch, but since this seems to be an external LDAP server, it might be caused by the firewall itself. Take a look at the firewall's Live View log files and set a filter to dst_prt is 636 to see whether the request is blocked. If so, define a rule to pass the LDAP request and try again. Also check whether the value of the Port setting under System: Access: Servers is 636 in this case.
« Last Edit: December 08, 2023, 11:26:31 am by gdur »
alsoeric (Newbie, Posts: 23, Karma: 0)
Re: LDAP set up problems « Reply #2 on: December 08, 2023, 04:54:28 pm »
Apologies. I'll go back and fix the original post to include answers to your questions.
All actions described were on the OPNsense firewall itself. I set up the LDAP connection via the web GUI in OPNsense. The test interface is the one provided by OPNsense. The ldapsearch command was run on the OPNsense firewall in a shell as uid root.
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: LDAP set up problems « Reply #3 on: December 08, 2023, 06:33:21 pm »
Could you please provide the exact error text (a screenshot would be better) and the access server settings (binding credentials, naming attribute, etc.)?
alsoeric (Newbie, Posts: 23, Karma: 0)
Re: LDAP set up problems « Reply #4 on: December 08, 2023, 09:20:49 pm »
First image (ldap 2023...) is the configuration in the OPNsense firewall, set up according to the official OPNsense documentation.
Second image (ldap_test_2023...) is the test failure.
Third image (ldap_auth...) was a choice for "Authentication containers".
bind DN: uid=<ldap_account>,ou=Users,o=<org_id>,dc=jumpcloud,dc=com
base DN: o=<org_id>,dc=jumpcloud,dc=com
What else do you need to know?
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: LDAP set up problems « Reply #5 on: December 09, 2023, 07:23:23 am »
"Authentication failed." is a general error indicating that a user with the provided credentials will not be able to authenticate.
The second error ("error: User DN not found") is the actual error passed from the authentication provider.
This shows that the binding is successful, but the user cannot be found.
Is the authentication container selected incorrectly?
alsoeric (Newbie, Posts: 23, Karma: 0)
Re: LDAP set up problems « Reply #6 on: December 10, 2023, 03:43:35 pm »
Found it.
These are the three containers presented.
ou=Users,o=xxxx,dc=jumpcloud,dc=com
cn=ldap_users,ou=Users,o=xxxx,dc=jumpcloud,dc=com
cn=vpn_users,ou=Users,o=xxxx,dc=jumpcloud,dc=com
I chose vpn_users because that group contains the set of users I'm granting VPN access to. If I select the first container, the authentication test works, but login to the web interface does not.
Patrick M. Hausen (Hero Member, Posts: 6745, Karma: 568)
Re: LDAP set up problems « Reply #7 on: December 10, 2023, 03:48:28 pm »
A group is not a container in an LDAP directory. You need to use the ou=Users,... container as your base DN. You can then (don't know from the top of my head if OPNsense supports this) define an additional filter, e.g. (memberOf=cn=vpn_users,...) to restrict the access by group membership.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: LDAP set up problems « Reply #8 on: December 10, 2023, 04:10:19 pm »
Quote: "don't know from the top of my head if OPNsense supports this"
Yes, it is ) as an 'extended query' like "&(memberOf=CN=vpn_user,CN=Users,DC=foo,DC=bar)"
Quote: "login to the web interface does not"
Need to import the user first.
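To make the container-versus-group point concrete, here is an added example (my own code, not OPNsense's implementation and not posted by anyone in this thread) that models the tester as a search-then-bind flow, which is what Fright's reading of the two error messages implies: the service account binds, the user is searched for under the chosen container, and only then is a bind attempted as the user. The directory is constructed from the redacted ldapsearch output above with placeholder org id "yyyy" and a second invented user "zzz"; the function names, the tiny filter evaluator and the cleartext password compare are all assumptions made for the model.

```python
"""Toy model of an LDAP search-then-bind authenticator (added example).

Shows why picking the group DN cn=vpn_users as the authentication container
yields "User DN not found", while using the ou=Users container plus the
extended query "&(memberOf=...)" both finds the user and enforces group
membership.  Nothing here is OPNsense code; the directory is constructed.
"""

ORG = "o=yyyy,dc=jumpcloud,dc=com"  # placeholder org id from the thread

# Constructed directory: the user entry from the thread, a second user
# (zzz) who is NOT in vpn_users, and the two group entries the container
# picker listed.  userPassword is cleartext only because this is a model.
DIRECTORY = {
    f"uid=xxx,ou=Users,{ORG}": {
        "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
        "uid": ["xxx"],
        "memberOf": [f"cn=vpn_users,ou=Users,{ORG}",
                     f"cn=ldap_users,ou=Users,{ORG}"],
        "userPassword": ["correct horse"],
    },
    f"uid=zzz,ou=Users,{ORG}": {
        "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
        "uid": ["zzz"],
        "memberOf": [f"cn=ldap_users,ou=Users,{ORG}"],
        "userPassword": ["another"],
    },
    f"cn=vpn_users,ou=Users,{ORG}": {
        "objectClass": ["groupOfNames"], "cn": ["vpn_users"],
        "member": [f"uid=xxx,ou=Users,{ORG}"],
    },
    f"cn=ldap_users,ou=Users,{ORG}": {
        "objectClass": ["groupOfNames"], "cn": ["ldap_users"],
        "member": [f"uid=xxx,ou=Users,{ORG}", f"uid=zzz,ou=Users,{ORG}"],
    },
}


def _split_subfilters(s):
    """Split "(a=b)(c=d)" into ["(a=b)", "(c=d)"] by tracking paren depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, flt):
    """Evaluate a small subset of RFC 4515 filters: equality, AND (&), OR (|)."""
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    if flt[0] in "&|":
        results = [matches(entry, sub) for sub in _split_subfilters(flt[1:])]
        return all(results) if flt[0] == "&" else any(results)
    attr, _, value = flt.partition("=")          # split on the first '=' only
    wanted = attr.strip().lower()                # attribute names are case-insensitive
    values = [v for k, vs in entry.items() if k.lower() == wanted for v in vs]
    return any(v.lower() == value.strip().lower() for v in values)


def in_subtree(dn, base_dn):
    """Subtree scope: the entry is the base itself or sits somewhere below it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user_dn(base_dn, naming_attr, username, extended_query=None):
    """Step 1: search the container for the user.  The naming-attribute
    filter is ANDed with the extended query, the way the thread describes
    the 'extended query' field being used."""
    flt = f"({naming_attr}={username})"
    if extended_query:
        eq = extended_query if extended_query.startswith("(") else f"({extended_query})"
        flt = f"(&{flt}{eq})"
    hits = [dn for dn, entry in DIRECTORY.items()
            if in_subtree(dn, base_dn) and matches(entry, flt)]
    return hits[0] if hits else None


def authenticate(base_dn, username, password, extended_query=None):
    """Search, then bind as the user.  Returns (ok, detail); the detail on
    failure mirrors the provider error the tester surfaced in the thread."""
    user_dn = find_user_dn(base_dn, "uid", username, extended_query)
    if user_dn is None:
        return (False, "User DN not found")      # a group entry has no users below it
    # Step 2: the user bind, modelled here as a password compare.
    if DIRECTORY[user_dn].get("userPassword") != [password]:
        return (False, "Invalid credentials")
    return (True, user_dn)


if __name__ == "__main__":
    # Group chosen as the container: the search scope contains no user entries.
    print(authenticate(f"cn=vpn_users,ou=Users,{ORG}", "xxx", "correct horse"))
    # OU as the container, group membership enforced by the extended query.
    print(authenticate(f"ou=Users,{ORG}", "xxx", "correct horse",
                       f"&(memberOf=cn=vpn_users,ou=Users,{ORG})"))
    # Same query rejects a user who is not in vpn_users.
    print(authenticate(f"ou=Users,{ORG}", "zzz", "another",
                       f"&(memberOf=cn=vpn_users,ou=Users,{ORG})"))
```

The first call reproduces the "User DN not found" case: with subtree scope under a group DN, the only entry in scope is the group itself, which has no uid attribute. The second call finds the user under ou=Users and the ANDed memberOf term keeps the group restriction; the third shows that restriction actually excluding a user who is not in vpn_users rather than merely decorating the search.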