LDAP Sync with TOTP after Update

Started by Pelbing, February 04, 2025, 09:32:36 AM

Quote from: Schubert on March 10, 2025, 06:40:50 PM
Hi @all,

we operate a site network with about 30 opnsense devices and about 300 OpenVPN users. We regret the lack of an LDAP importer – that worked well for us (including manual addition of an OTP).

I have the following questions:

(1) with the new process, is it intended that the user account (without OTP) is synchronised from the LDAP server to the opnsense at the moment the user logs on to the manage GUI of the relevant opnsense?

If so, are there any example configurations for this? Our tests have not been successful so far - unless the user was previously created locally on the Opnsense (GUI).
But that is not practical for 300 users. If each user only had to log in to the portal once, that would not be a problem and would be a good solution.


(2) is there a way to import LDAP accounts to the opnsense outside of API scripts? Is this option planned for the future?

Well, this was a slap on my face ...
I also wish to know the solution for the above question, since I have a very large number of AD users (100+) in sync with one of the OPNsense devices.

Thanks in advance.
JG

March 10, 2025, 10:13:51 PM #16 Last Edit: March 10, 2025, 10:47:11 PM by jasgg
Quote from: franco on February 06, 2025, 07:41:25 AM
The import browser was merely a tool to list DN/CN. All you need to do to "import" is match the CN on the LDAP as a user name? That's all there is to LDAP imports. The magic happens in the authenticator, not the user.


Cheers,
Franco

Trying to create the below user based on the AD info:

dn => CN=Jorge Gomes,OU=users,OU=office365,OU=Sede,DC=sample,DC=xpto

On the username input field, if I put 'Jorge Gomes' it says 'must contain alphanumeric characters or a valid email', so it's not accepting the CN for the user; the sAMAccountName => jgomes.

You had a good solution with the import utility, but you made this more complex for most of us ...

So, how should I create a user on the OPNSense?

Thanks.
JG

--- Tested the following ---

On the GUI, I created the user with the following data:
username: jgomes
pwd: ticked the scrambled box
full name: Jorge Gomes

On the users list, I clicked 'search certificates by the username', which gave me an empty result, but I clicked the '+' and that opened a box to create the certificate for the user, with the common name as the user name, and after saving it, it was then mapped to the user.

After going to VPN - Client Export and exporting the OpenVPN config, I imported it on my client and logged in with the username and password of the AD user. Remember that I created the user with a 'scrambled' password, and it logged in.
So I guess it's working ...

Can you validate these quick steps?
Thanks in advance.


Franco posted a GitHub link where you can import users from CSV. I think that ticket also contains a PS command to export AD users to CSV.

The CSV import/export for users was released today in 25.1.3.
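An added example (Python), not code from OPNsense, from Franco or from anyone in this thread, that does by script what jasgg worked out by hand above: take AD/LDAP entries, use the sAMAccountName (or the mail attribute) as the OPNsense login rather than the CN, which the GUI rejects because of the space, keep the CN as the full name, give the local account a random "scrambled" password because the LDAP authenticator is what actually checks credentials, and write the result as CSV for the 25.1.3 importer. Two things are assumptions and are marked as such in the code: the CSV header (name, fullname, email, password) is a placeholder to be replaced by the header that OPNsense's own user export produces, and the username rule only approximates the GUI message. The directory entries are constructed sample data; the first DN is the one quoted in the thread.

```python
"""Derive OPNsense local user names from AD/LDAP entries and emit a CSV.

Added example for this thread; not code from OPNsense or from any poster.
Assumptions: the CSV header below is a placeholder (use the header from
OPNsense's own user export), and the username rule approximates the GUI
message 'must contain alphanumeric characters or a valid email'.
"""
import csv
import io
import re
import secrets

# Approximation of the GUI rule (assumption): alphanumerics plus . - _ or an
# e-mail address. 'Jorge Gomes' fails because of the space.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample directory entries; the first DN is the one from the thread.
SAMPLE_ENTRIES = [
    {"dn": "CN=Jorge Gomes,OU=users,OU=office365,OU=Sede,DC=sample,DC=xpto",
     "sAMAccountName": "jgomes", "mail": "jgomes@sample.xpto"},
    {"dn": "CN=Anna Example,OU=users,DC=sample,DC=xpto",
     "sAMAccountName": "anna example",          # space: rejected by the GUI rule
     "mail": "anna.example@sample.xpto"},
]


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char, e.g. '\,' inside a CN
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def cn_from_dn(dn):
    """Return the CN value; it becomes the user's full name, not the login."""
    for attr, value in parse_dn(dn):
        if attr.upper() == "CN":
            return value
    return ""


def is_valid_username(name):
    return bool(USERNAME_RE.match(name) or EMAIL_RE.match(name))


def choose_username(entry):
    """Prefer sAMAccountName; fall back to the mail attribute if that is not acceptable."""
    for candidate in (entry.get("sAMAccountName", ""), entry.get("mail", "")):
        if candidate and is_valid_username(candidate):
            return candidate
    raise ValueError("no acceptable username for %s" % entry["dn"])


def build_rows(entries):
    """One CSV row per entry; the local password is random because LDAP checks credentials."""
    rows = []
    for entry in entries:
        rows.append({
            "name": choose_username(entry),
            "fullname": cn_from_dn(entry["dn"]),
            "email": entry.get("mail", ""),
            # Equivalent of ticking the 'scrambled' box in the GUI: the local
            # password is never used once the LDAP authenticator is selected.
            "password": secrets.token_urlsafe(24),
        })
    return rows


def to_csv(rows):
    """Render the rows with the assumed placeholder header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "fullname", "email", "password"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_rows(SAMPLE_ENTRIES)))
```

The entries would normally come from the PowerShell export mentioned above or from an LDAP query; feeding them through `build_rows` before import is what catches a CN that the GUI would refuse, and the random local password means the import never needs the users' real passwords.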

For whoever may be interested ... we implemented the LDAP sync in our Ansible role for OPNsense:

https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense/wiki/ldapsync

Maybe this can be of some help for someone; otherwise please just ignore it.

April 14, 2025, 09:52:24 AM #20 Last Edit: April 14, 2025, 10:13:01 AM by itngo
Mh... so how do I get my LDAP users into OPNsense now, without having the users' passwords, to prepare their OpenVPN access?
Looks like some hassle to me, which was not expected. It is a normal case to import users to prepare their PC for home office without having the user's password. In the past this was no issue... now this is not possible anymore without exporting/importing something to CSV? Am I right about this?