[Samba] OpenPVN authentication via Samba AD

Tue Sep 1 20:04:07 UTC 2020

On 2020-09-01 1:57 pm, Marco Shmerykowsky via samba wrote:
> On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
>> Am 01.09.20 um 19:07 schrieb Marco Shmerykowsky via samba:
>>> A little off topic, but this does revolve around
>>> Samaba.
>>> 
>>> I'm hoping someone can help me get to a working aolution.
>>> I haven't been able to find a clear quide, but it must
>>> have been done by others.
>>> 
>>> I'm trying to use setup a VPN using OpenVPN on Pfsense
>>> with authentication via my Samba AD (Version 4.9.4-Debian)
>>> 
>>> I keep getting a "Could not connect to LDAP server" error
>>> when tying to configure the authentication server. When
>>> I try to test the server I get a "Attempting to fetch Organizational
>>> Units from XXXX failed" error.
>>> 
>>> The "button" in the gui that allows for "selecting a container"
>>> for setting the authentication container doesn't work so
>>> I set it manually (CN=users;DC=internal,DC=company,DC=com)
>>> 
>>> I've copied the ca.pem, cert.pem and key.pem files over to
>>> pfsense to create the certificates.
>>> 
>>> The authentication server is set to type "LDAP" using a
>>> transport of "TCP - standard" and a port of 389.  The
>>> Peer Certificate Authority uses the cert created from
>>> importing ca.pem.  The client certificate uses the cert
>>> created from importing cert.pem and key.pem.
>>> 
>>> The base DN is correct (DN=internal,DN=company,DN=com).
>>> 
>>> The pfsense box can resolve the host name of the Samaba
>>> machine  (machine.internal.company.com).
>>> 
>>> I have it set to use anonymous binds.
>>> 
>>> Some kind of connection issue I gather with connecting
>>> to the Samba internal LDAP server.
>>> 
>>> Can anyone please point me in the correct direction? Thanks.
>> 
>> I hit that as well, you might be able to find it in the ML archive.
>> 
>> For me it was crucial to import the CA certs of the Samba AD DCs into
>> pfsense.
>> 
>> Additionally it was super important to use the correct and matching 
>> FQDN
>> of one (I didn't yet manage to set up some redundant alias yet) AD DC 
>> in
>> the "Authentication Server" setup on pfsense.
>> 
>> I created a separate bind-user for pfsense, not anonymous.
>> 
>> And SSL-encrypted via Port 636 ... while using the imported CA there.
>> 
>> This as a start, feel free to ask more, I have at least 3 such
>> installations working.
> 
> Thanks.  Some progress.  I changed the Transport to SSL-encrypted
> via 636 and created a a separate bind user.  The bind user is
> entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com.
> 
> The server checks out.  However, when I run Diagnostics->Authentication
> although the user is checks out as authenticated, the groups the
> user belongs to are not listed.
> 
> Must be still missing something.

UGH. It was working & then it stopped working.
No clue what I could have changed.

Does "ldap server require strong auth" need to be set to 'no'
or is that currently required?