Freeipa LDAP authentication HOWTO.

Started by hboetes, January 04, 2019, 01:30:39 PM

January 04, 2019, 01:30:39 PM Last Edit: January 07, 2019, 06:43:44 AM by hboetes
We have a FreeIPA server for authentication and to allow group members of sysadmins and firewallobservers to access via LDAP I proceeded like this:


  • Import the FreeIPA CA if you didn't already; it's probably on your workstation over here: /etc/ipa/ca.crt
  • Create a user in Freeipa: opnsense, with a strong password
  • Create a group firewallobservers and add the right users to this group, I already had a sysadmin group.
  • In OPNsense: System → Access → Add a server like in the screenshot; always use the full LDAP account names, with the FQDN.
  • In the extended query you can decide which groups have access to the firewall. Since it's hard to read, here it is:
    |(memberof=cn=systemadministration,cn=groups,cn=accounts,dc=example,dc=com)(memberof=cn=firewallobservers,cn=groups,cn=accounts,dc=example,dc=com)



After that you can go to testers and check if everything works. If that works you can go to users and press the cloud button at the right to import the FreeIPA users. Add them to the right groups and Bob's your uncle.  8)

If there is anything unclear, please let me know and I'll improve this How-to.
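A way to dry-run that extended query before trusting it, as an added example that is not from the post: it builds the filter from group names and evaluates it against constructed user entries with a small filter evaluator (not a real LDAP lookup, so confirm against the server with ldapsearch afterwards). It assumes the FreeIPA group DN layout shown above and a base DN of dc=example,dc=com.

```python
"""Dry-run the OPNsense extended query against FreeIPA-style user entries.
Added example, not from the forum post. Assumes FreeIPA's usual group DN layout
(cn=<group>,cn=groups,cn=accounts,<base dn>) and that OPNsense wraps the value."""
from typing import Dict, List

def group_dn(group: str, base_dn: str) -> str:
    """FreeIPA keeps groups under cn=groups,cn=accounts below the base DN."""
    return f"cn={group},cn=groups,cn=accounts,{base_dn}"

def extended_query(groups: List[str], base_dn: str) -> str:
    """OR-of-memberof value to paste into OPNsense's extended query field."""
    return "|" + "".join(f"(memberof={group_dn(g, base_dn)})" for g in groups)

def _parse(s: str, i: int):
    """Parse the filter subset &, |, ! and attr=value (no wildcards, no
    escaped ')' inside values: FreeIPA group DNs need neither)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed filter near offset {i}")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value.lower()), j + 1

def _eval(node, entry: Dict[str, List[str]]) -> bool:
    op = node[0]
    if op == "=":  # DN-valued attributes compare case-insensitively in 389-ds
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    if op == "&":
        return all(_eval(c, entry) for c in node[1])
    if op == "|":
        return any(_eval(c, entry) for c in node[1])
    return not _eval(node[1][0], entry)

def matches(filter_value: str, entry: Dict[str, List[str]]) -> bool:
    """True if the entry (attribute -> list of values) satisfies the filter."""
    full = filter_value if filter_value.startswith("(") else f"({filter_value})"
    node, end = _parse(full, 0)
    if end != len(full):
        raise ValueError("trailing data after filter")
    return _eval(node, {k.lower(): v for k, v in entry.items()})
```

Feed it the memberOf values of a real user (from ldapsearch output) to see whether that user would pass the OPNsense filter.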


January 18, 2019, 11:54:52 PM #2 Last Edit: January 18, 2019, 11:57:35 PM by TaceN
thanks!

As a suggestion, to increase security, create a system user in FreeIPA that has read-only permission and whose password does not expire in 90 days.

1 - Create a file

]# vim opnsense-binddn.update

add content:

dn: uid=opnsense_bind,cn=sysaccounts,cn=etc,dc=example,dc=local
default:objectclass:account
default:objectclass:simplesecurityobject
default:uid:opnsense_bind
only:userPassword:o9gkUeQNnRexPJrbFNZGC3szN
only:passwordExpirationTime:20380119031407Z
only:nsIdleTimeout:0

2 - run the command to create the user
]# ipa-ldap-updater opnsense-binddn.update
update complete
The ipa-ldap-updater command was successful

Thanks for the excellent addition, gilvanio!