Authentication LDAP

Started by marceloengecom, January 30, 2023, 09:28:20 AM

Hello,

Due to me not being able to integrate Squid with Secure LDAP from Google Workspace, I'm switching from pfSense to OPNsense.


I have Squid proxy and Captive Portal integrated with Google Workspace Secure LDAP, via stunnel. This works fine.

I have users in different subdomains of my principal domain, e.g. subdomain1.domain.com, subdomain2.domain.com, subdomain3.domain.com.

I put these subdomains in the Base DN of the authentication server (System: Access: Servers), but in a few cases I have the same username in different subdomains. They are distinct persons.

So, because of this, I want to authenticate with username@subdomain.domain.com.

Is it possible?


Regards,
Marcelo Costa
-------------------------------------
e-mail: contato@engesis.com.br
web-site: www.engesis.com.br
Porto Alegre, Brazil

March 04, 2023, 07:27:35 PM #1 Last Edit: March 04, 2023, 07:31:58 PM by mimizone
Hello, sorry I don't have an answer for you, but I am interested in how you set OPNsense up to make it talk to Secure LDAP properly.
I am having trouble so far. It seems stunnel is working fine, but auth can't connect to the LDAP server. I don't see documentation for that with OPNsense, just with pfSense.
Do you mind sharing your config of Google, stunnel and the OPNsense authentication server?
Sorry for hijacking your thread/question.


Solved my issue.

March 14, 2023, 11:54:14 AM #2 Last Edit: March 14, 2023, 12:11:20 PM by bdnndb
Quote from: mimizone on March 04, 2023, 07:27:35 PM
Hello, sorry I don't have an answer for you, but I am interested in how you set OPNsense up to make it talk to Secure LDAP properly.
I am having trouble so far. It seems stunnel is working fine, but auth can't connect to the LDAP server. I don't see documentation for that with OPNsense, just with pfSense.
Do you mind sharing your config of Google, stunnel and the OPNsense authentication server?
Sorry for hijacking your thread/question.


Solved my issue.

Hi, sorry to disturb, may I know how you set up Google LDAP on OPNsense from your end? Thanks

I reply here. Hopefully it doesn't create too much noise since it's still LDAP related.

I successfully made OPNSense talk to Google Secure LDAP for authentication of OPNSense UI users via a local auth server, OpenVPN users via the same local auth server, but not for 802.1x authentication via Radius for a Unifi Wifi network.

The idea is to:
- activate LDAP App in Google Workspace. Create a certificate and credentials.
- create a stunnel between OPNsense and Google to secure the communication to their LDAP service. You have to install the optional stunnel plugin for that on OPNsense. The tunnel will port forward a local port to Google, e.g. port 1636. You will need the certificate you create on Google for that. Add this certificate in the OPNsense Trust/Certificates.
- create an LDAP auth server using that stunnel-ed port forward, so 127.0.0.1:1636. You provide all the credentials you create/get from Google here, as well as all the LDAP DN etc...
- use that auth server in your VPN and User authentication setup

For Radius, it didn't work for me so far (if you know how to do it let me know...)
- set LDAP in Radius to inner-tunnel mode
- entered all the Google credentials etc... (It connects fine to Google LDAP in the logs)
- enabled LDAP in the Radius General settings
- use Radius on our Wifi (it works fine with the local Radius user on OPNsense)
- I see OPNSense getting the credentials from the wifi but rejecting them

I hope it helps.

Note that LDAP doesn't use any second factor (2FA) in that case. Only the main password needed to be sent to Google in my tests, even when 2FA was forced on all user accounts in Google Workspace. I believe it's a known limitation of Secure LDAP on Google.
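As an added example (not from this thread or from the OPNsense stunnel plugin), here is a stunnel client section that implements the "local port forwarded to Google" step described above; the certificate, key and CA bundle paths are placeholders, and the plugin's GUI may present these as separate fields rather than a file.

```ini
; Added example: stunnel client section for Google Secure LDAP.
; Assumptions: the client certificate/key downloaded from the Google
; Workspace LDAP app are stored at the placeholder paths below, and the
; CA bundle path is wherever the system keeps its root certificates.

[google-ldap]
client = yes
; local listener the OPNsense LDAP auth server points at (127.0.0.1:1636)
accept = 127.0.0.1:1636
; Google's Secure LDAP service endpoint (TLS on 636)
connect = ldap.google.com:636
; client certificate and key generated in the Google Workspace LDAP app;
; Google authenticates the tunnel with these, so protect the key file
cert = /usr/local/etc/stunnel/google-ldap-client.crt
key = /usr/local/etc/stunnel/google-ldap-client.key
; verify Google's server certificate chain and hostname; without this the
; tunnel would forward the bind password to any TLS endpoint answering
; on that address
verifyChain = yes
CAfile = /usr/local/share/certs/ca-root-nss.crt
checkHost = ldap.google.com
```

On the OPNsense side the LDAP server in System: Access: Servers then uses host 127.0.0.1 and port 1636 with the unencrypted transport, since stunnel already provides the TLS to Google; the bind DN and password are the access credentials generated in the Google LDAP app.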