New access interface and LDAP

Started by haaa, January 31, 2025, 09:50:51 AM

Quote from: franco on April 15, 2025, 01:31:37 PM
Bulk import is supported via CSV now. The bigger question is why you trust the old importer, but not the system to resolve the query correctly?

One needs to have the user available in OPNsense before one can create the OpenVPN configuration file for that particular user. In most company contexts users simply will not log in to a portal or do *anything*. The laptops are set up by the administrator.

- click here for VPN
- click here for Excel
- click here for Outlook
- ...

How to completely configure OpenVPN ready to go for, say, 50 users, done by an admin without any action done by the user? They expect to double click "the VPN", enter their domain password, that's it.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The fact is the importer as it was in 24.7/24.10 didn't help with setting up VPNs or OTPs or other things at all. It was just an LDAP browser with the ability to select a user without typing.

Quote from: franco on April 15, 2025, 02:14:50 PM
The fact is the importer as it was in 24.7/24.10 didn't help with setting up VPNs or OTPs or other things at all. It was just an LDAP browser with the ability to select a user without typing.

Which helped a lot when you have 55k users and you get a list of new VPN users to create.... ;-)

Yes, so we are going round in circles: are we talking about the heisenuser which is thousands of users at the same time or not... CSV probably saves you a lot of time unless somebody printed those names on paper. You have enough room for human error in any approach to the paper list then.  ;)


Cheers,
Franco

Quote from: franco on April 15, 2025, 02:46:57 PM
Yes, so we are going round in circles: are we talking about the heisenuser which is thousands of users at the same time or not... CSV probably saves you a lot of time unless somebody printed those names on paper. You have enough room for human error in any approach to the paper list then.  ;)


Cheers,
Franco

Maybe I am not able to explain this in my non-native language... maybe someone else wants to jump in to try to explain why this little window was helping a lot and is missed now.... I am out here, because I am unable to explain this any further and will accept that this is not coming back....

Yes, basically I'm trying to understand what the essence of this feature was that made it important, so as to try and put something similarly helpful back into the existing structure -- just not what was there.


Cheers,
Franco

Quote from: franco on April 15, 2025, 09:46:29 PM
Yes, basically I'm trying to understand what the essence of this feature was that made it important, so as to try and put something similarly helpful back into the existing structure -- just not what was there.


Cheers,
Franco

More or less a window in which you can select the users from the LDAP list so that you don't have to "type" them...

But do you really need the window to manually select the users?
Why do they have to be manually selected? Did you make a choice here about who to import and who to skip?

Would it be the same to just synchronize all users automatically that match the query of the configured LDAP server(s) without an additional window opening up?
Hardware:
DEC740

Quote from: Monviech (Cedrik) on April 16, 2025, 07:28:01 AM
But do you really need the window to manually select the users?
Why do they have to be manually selected? Did you make a choice here about who to import and who to skip?

Would it be the same to just synchronize all users automatically that match the query of the configured LDAP server(s) without an additional window opening up?

Sure, but there is no such sync, is there?

No, there is not, but from our conversation we want to try to understand the scope of what is truly needed there.

So it seems like the LDAP browser was not really necessary then; the true requirement is an automatic user sync based on the search query of the LDAP servers?
Hardware:
DEC740
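To make the "automatic user sync" requirement concrete, here is an added example (not OPNsense code, and not from anyone in this thread) that takes a constructed LDAP search result, compares the login names against the local user list the way a sync job would, and renders the missing users as a CSV for bulk import. Logins are compared case-insensitively, since Windows treats sAMAccountName that way; the CSV column names are an assumption, not the firewall's documented import format.

```python
import csv
import io

# Constructed sample of what an LDAP search against Active Directory returns
# (not real data; "example.invalid" is a reserved, non-resolvable domain).
LDAP_RESULT = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe", "mail": "jdoe@example.invalid"},
    {"sAMAccountName": "MSmith", "displayName": "Mark Smith", "mail": "msmith@example.invalid"},
    {"sAMAccountName": "svc-backup", "displayName": "Backup Service", "mail": ""},
]

# Constructed list of user names that already exist locally on the firewall.
LOCAL_USERS = ["jdoe", "olduser"]


def plan_sync(ldap_entries, local_users, login_attr="sAMAccountName"):
    """Return (to_create, stale): LDAP entries with no local user, and local
    users that no longer match the LDAP query. Matching is case-insensitive
    so 'MSmith' and 'msmith' are treated as the same domain login."""
    local = {name.lower(): name for name in local_users}
    seen = set()
    to_create = []
    for entry in ldap_entries:
        login = entry.get(login_attr, "").strip()
        if not login:          # skip objects without a usable login name
            continue
        seen.add(login.lower())
        if login.lower() not in local:
            to_create.append(entry)
    stale = [name for key, name in local.items() if key not in seen]
    return to_create, stale


def to_import_csv(entries, login_attr="sAMAccountName"):
    """Render the create list as CSV rows for a bulk importer. The header
    columns are assumed for this example; adapt them to the real format."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "fullname", "email", "scrambled_password"])
    for e in entries:
        # A scrambled local password leaves authentication to the LDAP server.
        writer.writerow([e[login_attr], e.get("displayName", ""), e.get("mail", ""), "1"])
    return buf.getvalue()


if __name__ == "__main__":
    create, stale = plan_sync(LDAP_RESULT, LOCAL_USERS)
    print(to_import_csv(create))
    print("local users not in LDAP result:", stale)
```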

Quote from: Monviech (Cedrik) on April 16, 2025, 08:38:11 AM
the true requirement is an automatic user sync based on the search query of the LDAP servers?

Yes, as far as I understand most admins need to create and manage the users (and their VPN settings) on the OPNsense side without any required action on the user's behalf.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Monviech (Cedrik) on April 16, 2025, 08:38:11 AM
No, there is not, but from our conversation we want to try to understand the scope of what is truly needed there.

So it seems like the LDAP browser was not really necessary then; the true requirement is an automatic user sync based on the search query of the LDAP servers?

Yes, I believe that is the point that is currently missing here....

Yesterday I got a request from one customer for whom we manage the OPNsense. We don't have any access to their LDAP (Active Directory) besides what is configured in the OPNsense to authenticate LDAP for OpenVPN. Now they have 3 new accounts which they want me to create OpenVPN profiles for.

So how does this work now? I am only the OPNsense admin and have no credentials besides what the customer sends me as "Account-Names". This can be the same as the sAMAccountName or not. So normally I would now use the import button to get an idea. How does this work today, after the upgrade?

Right now you manually create the 3 new users so that the username matches the name the users use as their login name in the Windows domain, and select the scrambled password checkbox.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on April 17, 2025, 11:44:59 AM
Right now you manually create the 3 new users so that the username matches the name the users use as their login name in the Windows domain, and select the scrambled password checkbox.

I am sorry, but this does not work as expected. I created the users in OPNsense with their "sAMAccountName", created a cert and made an OpenVPN profile export. Then we import it at the client and try to connect, which just gives "2025-04-23T08:47:39   Warning   openvpn   user 'user' could not authenticate."

For me it looks like the "link" between the LDAP user and the locally created user never gets updated.