Synchronization with LDAP server

Started by NiCo67, October 12, 2023, 12:41:40 PM

Good morning,

I have a problem with LDAP.

I configured an LDAP server (Microsoft AD) on OPNsense and imported the users.
The problem is that when I add a new user on the LDAP server, I don't find it in the list of users that can be imported from OPNsense. A sync is missing!!!

Is there a method or command to run to force synchronization?

Thank you all for your help.
Nicholas


I also need to periodically click the import button, so OpenVPN users can connect.
Would be nice to be able to automatically sync users.

Any CLI command perhaps ?
The world has 6 strings, and I got a pick ;)

Wait ... LDAP authentication does not authenticate live and dynamically?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

AFAIK as I took my config, no.
Setup with 'Automatic user creation' and 'synchronize groups', but this seems only to work when trying to auth directly on the firewall, not when trying to connect via OpenVPN with LDAP support.

Perhaps I am wrong (I would love to be)?
The world has 6 strings, and I got a pick ;)

February 22, 2024, 06:37:08 PM #5 Last Edit: February 22, 2024, 06:44:06 PM by deajan
Okay, I actually retried my whole config.

Automagic user creation from LDAP when connecting to OpenVPN works, unless you set "Enforce local group" in OpenVPN config like I did.

So this is basically a security issue, since if I remove an LDAP user from a, let's call it, "VPN GROUP" on the LDAP server, the user still can connect, since the user already exists on OPNsense.

I have setup an extended query like `&(memberOf:1.2.840.113556.1.4.1941:=CN=VPN GROUP,DC=domain,DC=local)(objectCategory=person)` but still can connect to OpenVPN once I've removed a user from the ldap "VPN GROUP".

[EDIT] After removing the recursive LDAP attribute for memberOf, adding / removing users from VPN GROUP limits their ability to VPN connect like it should. [/EDIT]
The world has 6 strings, and I got a pick ;)
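One way to check for the stale local accounts described in the post above, as an added example that is not from the thread and not OPNsense's own code: it models the difference between a plain memberOf filter and the 1.2.840.113556.1.4.1941 chained rule on constructed sample data, and lists the local users that no longer match the VPN group. All group and user DNs are made-up placeholders.

```python
# Added example (not from the thread): reconcile auto-created OPNsense local
# users against AD group membership, direct vs. recursive (rule 1.2.840.113556.1.4.1941).

# Constructed sample: AD groups -> direct members (user DNs or nested group DNs),
# standing in for what an LDAP search over the directory would return.
GROUPS = {
    "CN=VPN GROUP,DC=domain,DC=local": {
        "CN=alice,OU=Users,DC=domain,DC=local",
        "CN=Contractors,OU=Groups,DC=domain,DC=local",   # nested group
    },
    "CN=Contractors,OU=Groups,DC=domain,DC=local": {
        "CN=carol,OU=Users,DC=domain,DC=local",
    },
}
VPN_GROUP = "CN=VPN GROUP,DC=domain,DC=local"

# Constructed sample: local OPNsense accounts created by earlier LDAP logins
# (name -> DN). bob was removed from the AD group but still exists locally.
LOCAL_USERS = {
    "alice": "CN=alice,OU=Users,DC=domain,DC=local",
    "bob": "CN=bob,OU=Users,DC=domain,DC=local",
    "carol": "CN=carol,OU=Users,DC=domain,DC=local",
}


def members(group_dn, recursive):
    """User DNs matching a memberOf filter on group_dn.

    recursive=False mirrors a plain (memberOf=...) filter: direct members only.
    recursive=True mirrors (memberOf:1.2.840.113556.1.4.1941:=...), which also
    walks nested groups (LDAP_MATCHING_RULE_IN_CHAIN).
    """
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:                      # guard against nested-group cycles
            continue
        seen.add(dn)
        for member in GROUPS.get(dn, ()):
            if member in GROUPS:
                if recursive:
                    stack.append(member)
            else:
                users.add(member)
    return users


def stale_local_users(local_users, group_dn, recursive):
    """Local accounts whose DN no longer satisfies the VPN group filter; these
    are the ones still able to log in when only the local group is enforced."""
    allowed = members(group_dn, recursive)
    return sorted(name for name, dn in local_users.items() if dn not in allowed)
```

With the recursive rule, only bob is stale; with a plain memberOf filter, carol (a member only through the nested group) is reported as well.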

Quote from: deajan on February 22, 2024, 06:37:08 PM

Okay, I actually retried my whole config.

Automagic user creation from LDAP when connecting to OpenVPN works, unless you set "Enforce local group" in OpenVPN config like I did.

So this is basically a security issue, since if I remove an LDAP user from a, let's call it, "VPN GROUP" on the LDAP server, the user still can connect, since the user already exists on OPNsense.

I have setup an extended query like `&(memberOf:1.2.840.113556.1.4.1941:=CN=VPN GROUP,DC=domain,DC=local)(objectCategory=person)` but still can connect to OpenVPN once I've removed a user from the ldap "VPN GROUP".

[EDIT] After removing the recursive LDAP attribute for memberOf, adding / removing users from VPN GROUP limits their ability to VPN connect like it should. [/EDIT]

How do you authorize creating a user on OpenVPN?
Do you have a password for the account? And the .ovpn configuration itself must be from that user.