[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
Rowland penny
rpenny at samba.org
Tue Sep 15 20:19:20 UTC 2020
On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>> I've tried restarting PHP-FPM and webconfigurator,
>>> but that doesn't seem to solve the problem.
>>
>> This must be done each time after you edit the configuration using
>> the LDAP authentication setup page. Otherwise the changes won't stick.
>> Before I knew this, I did suffer a lot trying to make it work and not
>> understanding why it didn't.
>
> Yea - I'm lost. I keep trying the same thing hoping for different
> results. I think that is the definition of insanity.
>
> I've tried:
>
> create new OU called VPNusers and a user within that called bind-user-1
> Also created a user under Users called bind-user-2
>
> then I set the following:
>
> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
> bind user =>
> CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>
> no go. Also tried:
>
> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
> authentication container => CN=users,DC=internal,DC=external,DC=com
> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>
> After each change I run options 16 (restart php-fpm) and 11 (restart
> webconfigurator)
>
> Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>
> Tried using "Global Root CA List & No Client Cert" and "Samba CA &
> cert/key"
>
> Keeps failing to bind.
>
>
OK, AD uses what is known as back-links, that is, you create something
and two attributes are created and they sort of point at each other; for
instance, when you add a user to a group, the user gets a 'memberOf'
attribute that contains the group's DN and the group gets a 'member'
attribute that contains the user's DN.
I think you need to use an existing group (which isn't Domain Users) or
create a new one and use that group's DN in the 'extended query'.
Rowland
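To make the back-link point concrete, here is a small added illustration (not code from Samba, pfSense or anyone in the thread). It models a directory where adding a user to a group writes the group's 'member' attribute and the user's 'memberOf' back-link together, then evaluates a pfSense-style "attr=value" extended query against it. The DNs are constructed sample values that mirror the thread; the filter grammar is a deliberately simplified single term (no parentheses or boolean operators), and DN normalisation ignores escaped commas.

```python
"""Toy model of AD group back-links and of a memberof= extended query.

Added illustration, not Samba or pfSense code. Shows why
memberof=<OU DN> or memberof=<container DN> can never match a user
(OUs and containers have no 'member' attribute, so no back-link is ever
written), while memberof=<group DN> does. DNs are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: DNs are case-insensitive and
    whitespace around RDN separators is not significant.
    (Simplified: escaped commas inside attribute values are not handled.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class Entry:
    dn: str
    objectclass: str  # "user", "group", "organizationalUnit", "container"
    member: set = field(default_factory=set)    # forward link, groups only
    memberof: set = field(default_factory=set)  # back-link kept by the directory


class ToyDirectory:
    def __init__(self) -> None:
        self.entries: dict[str, Entry] = {}

    def add(self, dn: str, objectclass: str) -> None:
        self.entries[normalize_dn(dn)] = Entry(dn, objectclass)

    def add_member(self, group_dn: str, user_dn: str) -> None:
        """Add a user to a group: 'member' on the group and the 'memberOf'
        back-link on the user are written in one step. Only groups carry
        'member', so an OU or container never appears in anyone's memberOf."""
        group = self.entries[normalize_dn(group_dn)]
        user = self.entries[normalize_dn(user_dn)]
        if group.objectclass != "group":
            raise ValueError(f"{group_dn} is a {group.objectclass}, not a group")
        group.member.add(normalize_dn(user_dn))
        user.memberof.add(normalize_dn(group_dn))

    def search(self, base_dn: str, extended_query: str) -> list[str]:
        """Return DNs at or below base_dn matching one 'attr=value' term,
        the shape pfSense's 'extended query' field takes (simplified)."""
        attr, _, value = extended_query.partition("=")
        attr = attr.strip().lower()
        base = normalize_dn(base_dn)
        wanted = normalize_dn(value)
        hits = []
        for dn, entry in self.entries.items():
            if dn != base and not dn.endswith("," + base):
                continue  # outside the authentication container
            if attr == "memberof" and wanted in entry.memberof:
                hits.append(entry.dn)
            elif attr == "member" and wanted in entry.member:
                hits.append(entry.dn)
        return hits


def lint_extended_query(directory: ToyDirectory, extended_query: str) -> Optional[str]:
    """Explain why a memberof= query can never match, or return None if it can."""
    attr, _, value = extended_query.partition("=")
    if attr.strip().lower() != "memberof":
        return None
    target = directory.entries.get(normalize_dn(value))
    if target is None:
        return f"{value.strip()} does not exist"
    if target.objectclass != "group":
        return (f"{value.strip()} is a {target.objectclass}; only groups have a "
                "'member' attribute, so no user ever gets a memberOf back-link to it")
    return None


# Constructed sample DNs mirroring the thread (assumed, not real data).
BASE = "DC=internal,DC=external,DC=com"
OU_VPN = f"OU=vpnusers,{BASE}"
CN_USERS = f"CN=Users,{BASE}"
GROUP_VPN = f"CN=VPN Users,{OU_VPN}"   # the group Rowland suggests creating
USER1 = f"CN=vpn-bind-user-1,{OU_VPN}"
USER2 = f"CN=vpn-bind-user-2,{CN_USERS}"


def build_sample_directory() -> ToyDirectory:
    d = ToyDirectory()
    d.add(OU_VPN, "organizationalUnit")
    d.add(CN_USERS, "container")
    d.add(GROUP_VPN, "group")
    d.add(USER1, "user")
    d.add(USER2, "user")
    d.add_member(GROUP_VPN, USER1)  # writes member AND memberOf
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    for base, query in [(OU_VPN, f"memberof={OU_VPN}"),
                        (CN_USERS, f"memberof={CN_USERS}"),
                        (OU_VPN, f"memberof={GROUP_VPN}")]:
        print(f"{query}\n  matches: {d.search(base, query)}\n"
              f"  lint: {lint_extended_query(d, query)}")
```

Running the block reproduces the two failing attempts from the thread (an OU DN and the CN=Users container DN both match nothing) and the working form (a real group's DN under the same authentication container matches the user placed in that group). The lint function is the check worth keeping: before changing bind settings or transports, confirm the DN in the memberof= term is actually a group object.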