Topic: Synchronization with LDAP server (Read 1635 times)
NiCo67 (Newbie, Posts: 2, Karma: 0)
Synchronization with LDAP server « on: October 12, 2023, 12:41:40 pm »
Good morning,
I have a problem with LDAP.
I configured an LDAP server (Microsoft AD) on OPNsense and imported the users.
The problem is that when I add a new user on the LDAP server, I don't find it in the list of users that can be imported from OPNsense. A sync is missing!!!
Is there a method or command to run to force synchronization?
Thank you all for your help.
Nicholas
peteeerthefox (Newbie, Posts: 2, Karma: 0)
Re: Synchronization with LDAP server « Reply #1 on: December 14, 2023, 03:34:20 pm »
Me too :/ I have no idea why.
deajan (Newbie, Posts: 36, Karma: 1)
Re: Synchronization with LDAP server « Reply #2 on: February 22, 2024, 06:21:14 pm »
I also need to periodically click the import button so OpenVPN users can connect.
Would be nice to be able to automatically sync users.
Any CLI command perhaps?
The world has 6 strings, and I got a pick
Patrick M. Hausen (Hero Member, Posts: 6700, Karma: 564)
Re: Synchronization with LDAP server « Reply #3 on: February 22, 2024, 06:22:18 pm »
Wait ... LDAP authentication does not authenticate live and dynamically?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
deajan (Newbie, Posts: 36, Karma: 1)
Re: Synchronization with LDAP server « Reply #4 on: February 22, 2024, 06:25:27 pm »
AFAIK, as I took my config, no.
Setup with 'Automatic user creation' and 'synchronize groups', but this seems only to work when trying to auth directly on the firewall, not when trying to connect via OpenVPN with LDAP support.
Perhaps I am wrong (I would love to)?
The world has 6 strings, and I got a pick
deajan (Newbie, Posts: 36, Karma: 1)
Re: Synchronization with LDAP server « Reply #5 on: February 22, 2024, 06:37:08 pm »
Okay, I actually retried my whole config.
Automagic user creation from LDAP when connecting to OpenVPN works, unless you set "Enforce local group" in the OpenVPN config like I did.
So this is basically a security issue, since if I remove an LDAP user from a, let's call it, "VPN GROUP" on the LDAP server, the user can still connect, since the user already exists on OPNsense.
I have set up an extended query like `&(memberOf:1.2.840.113556.1.4.1941:=CN=VPN GROUP,DC=domain,DC=local)(objectCategory=person)` but can still connect to OpenVPN once I've removed a user from the LDAP "VPN GROUP".
[EDIT] After removing the recursive LDAP attribute for memberOf, adding / removing users from VPN GROUP limits their ability to VPN connect like it should. [/EDIT]
« Last Edit: February 22, 2024, 06:44:06 pm by deajan »
The world has 6 strings, and I got a pick
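The extended query in Reply #5 uses the Active Directory matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which matches nested group membership, so a user who is taken out of VPN GROUP directly keeps matching the filter as long as they remain in any group nested inside VPN GROUP. The script below is an added example, not OPNsense, OpenVPN or deajan's code: it evaluates that filter against a small constructed directory with and without the chain rule. The user and group entries (alice, bob, srv01, an "Ops" group nested in VPN GROUP) are constructed sample data, and OPNsense's own query handling and local-user creation are not modelled.

```python
"""Evaluate the post's extended LDAP query with and without the transitive
matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN).
Added example; the directory contents are constructed, not a real domain."""

VPN_GROUP = "CN=VPN GROUP,DC=domain,DC=local"   # group DN taken from the post
OPS_GROUP = "CN=Ops,DC=domain,DC=local"         # constructed group nested in VPN GROUP
ALICE_DN = "CN=alice,CN=Users,DC=domain,DC=local"        # constructed
BOB_DN = "CN=bob,CN=Users,DC=domain,DC=local"            # constructed
HOST_DN = "CN=srv01,CN=Computers,DC=domain,DC=local"     # constructed


def build_directory():
    """Constructed directory: each entry carries objectCategory and its
    *direct* memberOf values (what the plain memberOf attribute stores)."""
    return {
        ALICE_DN: {"objectCategory": "person", "memberOf": {VPN_GROUP}},
        # bob is a direct VPN GROUP member and also in Ops, which is nested in VPN GROUP
        BOB_DN: {"objectCategory": "person", "memberOf": {VPN_GROUP, OPS_GROUP}},
        HOST_DN: {"objectCategory": "computer", "memberOf": {VPN_GROUP}},
        OPS_GROUP: {"objectCategory": "group", "memberOf": {VPN_GROUP}},
        VPN_GROUP: {"objectCategory": "group", "memberOf": set()},
    }


def transitive_member_of(dn, directory):
    """All groups dn belongs to directly or through nesting; this is the set
    the 1.2.840.113556.1.4.1941 rule effectively compares against."""
    seen, stack = set(), list(directory[dn]["memberOf"])
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(directory.get(group, {}).get("memberOf", ()))
    return seen


def matches_vpn_filter(dn, directory, recursive):
    """(&(memberOf[:1.2.840.113556.1.4.1941]:=CN=VPN GROUP,...)(objectCategory=person))
    recursive=True applies the chain rule, recursive=False uses plain memberOf."""
    entry = directory.get(dn)
    if entry is None or entry["objectCategory"] != "person":
        return False
    groups = transitive_member_of(dn, directory) if recursive else entry["memberOf"]
    return VPN_GROUP in groups


def allowed_users(directory, recursive):
    """Short names (RDN value) of all entries that match the filter."""
    return sorted(dn.split(",")[0].split("=", 1)[1]
                  for dn in directory if matches_vpn_filter(dn, directory, recursive))


def remove_from_group(directory, dn, group):
    """Model the admin action from the post: take a user out of a group."""
    directory[dn]["memberOf"].discard(group)


if __name__ == "__main__":
    d = build_directory()
    print("before removal, recursive:      ", allowed_users(d, True))
    print("before removal, direct only:    ", allowed_users(d, False))
    remove_from_group(d, BOB_DN, VPN_GROUP)
    print("after removing bob, recursive:  ", allowed_users(d, True))   # bob still matches via Ops
    print("after removing bob, direct only:", allowed_users(d, False))  # bob is gone
```

Run stand-alone, the script shows both variants admitting alice and bob at first; after bob is removed from VPN GROUP, the chain-rule variant still admits him through the nested Ops group while the plain memberOf variant does not, which is the behaviour the [EDIT] reports. The defender's takeaway is that with the chain rule, revoking VPN access means auditing every group nested under VPN GROUP, not just the direct member list; with plain memberOf, a nested-group user must be added directly to be admitted at all.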