LDAP Sync with TOTP after Update

[Pelbing]

Hi folks,
after i updated my Opnsense and got in touch which the new LDAP method i got confused. My setup is strictly with TOTP so i have my LDAP server + TOTP setup with a Extended Query that searches all my users with the VPN group name, all right and fine with the manual import from 24.x. Now i have the issue that i have the same setup edited so  i enabled Read properties and Sync Groups but i have the same local users that aren't associated with the LDAP and a new user only pops up if i have a copy of the Auth Server settings without the TOTP. The new user also only is created if i try to log in with him over the Auth Tester. Is there something im missing? how often are the useres queryed from the LDAP? Does a user have to log in to the Firewall manualy so a account is created?

Thx

[Patrick M. Hausen]

https://forum.opnsense.org/index.php?topic=45460.0

Migration notes, known issues and limitations:

o The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The "page-system-groupmanager-addprivs" privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing "page-system-usermanager-addprivs" instead.

[Pelbing]

The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option.

But how does the on demand creation work? is ist queryed? or is it event based? and is there a way do map old users or at least auto create new users.

[franco]

TOTP setup was never automatic. There is a self-service option for TOTP token generation. It requires the user to log in via LDAP authentication (no TOTP set up yet) and then they can (re)generate their token. On the first login the user account will be created of course, no admin necessary.


Cheers,
Franco

[Pelbing]

Well TOTP was never automatic but my Pain point is that a user has to actively try to log in to the OpnSense so i as a Administraitor can create the TOTP seed and generate the Certificate for them. With the old way i could do everything without the user even interact with system.

So to be clear: I need the user to log in for it to create a LDAP synced account just so i can set up the TOTP Seed and Certificate?

[Monviech (Cedrik)]

You can also create the user manually. E.g.:

dn => CN=test-user,CN=Users,DC=ad,DC=example,DC=com

Go to System: Access: Users
Press + to create a new User

Username: test-user
Scrambled Password: X

You can also create the OTP token at the same time.


Alternatively, the new user Manager is REST API enabled, you could do things like:

- Create a script on your Active Directory Domain Controller or OpenLDAP server, that creates the user, otp token, openvpn profile etc... during onboarding.

[PeterEduardNis]

Just bring back the importer or similar tool.... I just want to create the users for our openvpn. Now it is not possible.

[R1mSG]

I'm also a bit confused how this is supposed to work.

Previously, it was straightforward (in my opinion) you could simply import the user(s) and then link an OTP to each one.

Now, when I migrate, what happens?
Are the users and all associated OTPs:
    Deleted?
    Converted to "local DB"?


Additionally, how can I automatically import users?
I wasn't able to get this working using the "Automatic user creation" function.

[franco]

The import browser was merely a tool to list DN/CN.. All you need to do to "import" is match the CN on the LDAP as a user name? That's all there is to LDAP imports. The magic happens in the authenticator, not the user.


Cheers,
Franco

[PeterEduardNis]

ok, but the importer saved a lot of time :-|

[Monviech (Cedrik)]

Like I wrote above, the new User Manager is API enabled.

You can write a Powershell script for example that will:

- Create the Active Directory user
- Create the same user in the OPNsense using the REST Api
- Create the OTP Token, retrieve it and serialize it in the Active Directory User Object under the comment
- Create the OpenVPN Profile, download the certificate and OpenVPN Profile

It can all be automated now, you can save loads of time.

With the current capability of AI tools that excel in scripting, writing a script like that can be done by almost anybody with a plan.

[R1mSG]

The import browser was merely a tool to list DN/CN.. All you need to do to "import" is match the CN on the LDAP as a user name? That's all there is to LDAP imports. The magic happens in the authenticator, not the user.


Cheers,
Franco

Ah, the "match the CN on the LDAP" was a point that wasn't entirely clear to me.
After the update, there is no longer a visible difference between local and AD-imported users.

I was able to test it successfully now, thanks :)

[wagman77]

Hi, I tried to create a PowerShell script as Cedrik suggested, but I struggle.
As I never worked with the API commands before, I read the API documentation and did some exercises.
For testing purposes, I created a bash script with a curl command:

API_KEY="my Api key"
API_SECRET="my api secret"

# Base64 encode credentials
ENCODED_CREDENTIALS=$(echo -n "$API_KEY:$API_SECRET" | base64)

curl -k -v "https://opnsense-ip/api/auth/user/add" \
  -u "$API_KEY:$API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
        "username": "test",
        "password": "securepassword123",
        "group_memberships": ["admins"]
      }'

but this returns a "failed" message.

My intention is to enable the MS AD users for OpenVPN and of course it would be great if I delete one AD user,
the OpenVPN "dial in" for this user is deleted as well. Perhaps I am completely on the wrong track.
I am happy for any kind of hints.

[franco]

https://github.com/opnsense/core/issues/8340