New access interface and LDAP

Started by haaa, January 31, 2025, 09:50:51 AM

Hello,

I just updated one of my firewalls to 25.1 and saw that there have been changes in the way users are created by LDAP. The autocreation feature together with group sync works in case the user logs in to the firewall. But what if I don't want the user to be able to use the web interface but only OpenVPN? How do I import the user and add an OTP seed before he connects to OpenVPN for the first time?

Another change: I do not see the user DN from LDAP in the user details. How can I check whether the user is a local or an LDAP account?

Regards,
Andreas

Did you solve this? We currently aim to migrate from pfSense Plus and miss these features. Show stopper.


Same here.... In my opinion very bad design decision...

I see some blanket statements and support questions and (very) few details. If anyone feels the need to elaborate that would be appreciated.


Cheers,
Franco

As far as I understand with the old implementation administrators would synchronise the LDAP users, then assign certificates, then perform e.g. an OpenVPN client export - all without any action required on the part of the user, neither the admin needing to know the user password.

The users are then handed their individual configurations by the admin without ever interacting with OPNsense logging on to the portal.

I fully see that this would be the preferred workflow in most organisations. It's what we do, too, only we use the same certificate for all clients so I have a single configuration file with embedded certs for everyone.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 15, 2025, 08:58:54 AM
> As far as I understand with the old implementation administrators would synchronise the LDAP users, then assign certificates, then perform e.g. an OpenVPN client export - all without any action required on the part of the user, neither the admin needing to know the user password.

> The users are then handed their individual configurations by the admin without ever interacting with OPNsense logging on to the portal.

> I fully see that this would be the preferred workflow in most organisations. It's what we do, too, only we use the same certificate for all clients so I have a single configuration file with embedded certs for everyone.

Exactly....

So, which part is missing, let's talk real world here.. the fancy LDAP browser?

Quote from: franco on April 15, 2025, 12:07:09 PM
> So, which part is missing, let's talk real world here.. the fancy LDAP browser?

Yes, the "little" Cloud Icon to get the List of Users from LDAP where you can "select" multiple of them for import to opnsense.

Bulk import is supported via CSV now. The bigger question is why you trust the old importer, but not the system to resolve the query correctly?


Cheers,
Franco

April 15, 2025, 01:35:49 PM #10 Last Edit: April 15, 2025, 01:38:06 PM by itngo
Mh... maybe we currently do not really understand how the new workflow has to be done?

In the past, when doing user creation for just OpenVPN usage, it was as simple as adding the user with the icon from the list.
Now you have to create a CSV file first and then import that. Consider that an export from Active Directory MMC to CSV is not usable as-is: you need to prepare that file so it gets accepted for CSV import in opnsense... the old way in my opinion was far more straightforward. You could teach that even to a trainee or a non-full-time admin....

And in the old version you could add/import the user, create the cert and export the config file for OpenVPN... in the new way, do you need to create or import that user, or have the user log on to opnsense?
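As an added example of the preparation step mentioned above (this is not code from the thread or from the OPNsense project), the script below reshapes a constructed Active Directory CSV export into a CSV with a fixed column layout, keeping only enabled accounts that are members of a chosen group. The AD column names (sAMAccountName, displayName, mail, userAccountControl, memberOf with semicolon-separated DNs) and the output column names in ASSUMED_OUTPUT_COLUMNS are assumptions; the output header must be replaced with the header row of the template your firewall's user import page provides.

```python
"""
Added example: turn an AD CSV export into an import-ready user CSV.
All column names are assumptions (see lead-in); adapt them to the real
export and to the import template downloaded from the firewall.
"""
import csv
import io

# ASSUMPTION: output layout; replace with the firewall's own template header.
ASSUMED_OUTPUT_COLUMNS = ["name", "fullname", "email", "comment"]

# AD userAccountControl flag bit for a disabled account (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x2


def rows_from_ad_export(text):
    """Parse an AD CSV export (assumed columns listed in the lead-in)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_enabled(row):
    """True unless the ACCOUNTDISABLE bit is set; unknown values count as disabled."""
    try:
        return not int(row.get("userAccountControl", "").strip()) & ACCOUNTDISABLE
    except ValueError:
        return False


def select_group_members(rows, group_dn):
    """Keep enabled accounts whose memberOf (assumed ';'-separated DNs) contains group_dn."""
    selected = []
    for row in rows:
        groups = [g.strip() for g in row.get("memberOf", "").split(";") if g.strip()]
        if group_dn in groups and is_enabled(row):
            selected.append(row)
    return selected


def to_import_rows(rows):
    """Map AD fields onto the assumed output columns; drop rows without a login name."""
    result = []
    for row in rows:
        name = row.get("sAMAccountName", "").strip()
        if not name:
            continue
        result.append({
            "name": name.lower(),
            "fullname": row.get("displayName", "").strip(),
            "email": row.get("mail", "").strip(),
            "comment": "imported from AD",
        })
    return result


def write_import_csv(rows):
    """Serialise rows with the assumed header; csv handles quoting of commas."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ASSUMED_OUTPUT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def convert(text, group_dn):
    """Full pipeline: parse export, filter to enabled group members, emit import CSV."""
    return write_import_csv(to_import_rows(select_group_members(rows_from_ad_export(text), group_dn)))


# Constructed sample export (not real data). DNs contain commas, so they are quoted.
SAMPLE_AD_EXPORT = (
    "sAMAccountName,displayName,mail,userAccountControl,memberOf\n"
    'jdoe,Jane Doe,jdoe@example.com,512,"CN=VPN-Users,OU=Groups,DC=example,DC=com;CN=Staff,OU=Groups,DC=example,DC=com"\n'
    'bsmith,Bob Smith,bsmith@example.com,512,"CN=Staff,OU=Groups,DC=example,DC=com"\n'
    'old.user,Old User,old.user@example.com,514,"CN=VPN-Users,OU=Groups,DC=example,DC=com"\n'
)
VPN_GROUP_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=com"

if __name__ == "__main__":
    print(convert(SAMPLE_AD_EXPORT), end="")
```

Run it as-is to see the constructed result: only jdoe survives, because bsmith is not in the VPN group and old.user is disabled (userAccountControl 514 has the 0x2 bit set). Filtering on group membership and account state before import is what keeps the firewall's local user list from drifting away from the directory.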

On an unrelated note to the issue in this thread, we have added a new user portal to the business edition.

https://docs.opnsense.org/vendor/deciso/userportal.html

When the administrator sets this portal up there are quite some benefits:

- When the user logs into the portal, it will be auto created and assigned the correct group memberships (e.g. when set up with LDAP backends instead of the local authentication backends as described in the docs)
- They can create and save their own OTP token
- They can download their OpenVPN profile which will auto create their user certificate

This means the administrator only has to set this up and write a short document for users during onboarding how they can get their openvpn profile, everything else is controlled via LDAP groups.

Though, this means the user must interact with the user portal.

But the administrator does not need to interact with the firewall anymore at all, only with the LDAP server groups when they create a new user.
Hardware:
DEC740

> Mh... maybe we currently do not really understand how the new workflow has to be done?

Add a new user with the username being the server's CN and that's it. The workflow remains the same.


Cheers,
Franco

Quote from: franco on April 15, 2025, 01:49:48 PM
> > Mh... maybe we currently do not really understand how the new workflow has to be done?
>
> Add a new user with the username being the server's CN and that's it. The workflow remains the same.

> Cheers,
> Franco

And that is where it simply does not work in 25.4... the user gets never updated from LDAP.....

Well, to give a sense of reference, I can easily point you to an ongoing discussion here: https://github.com/opnsense/core/issues/8541


Cheers,
Franco