[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
Marco Shmerykowsky
marco at sce-engineers.com
Tue Sep 15 17:12:31 UTC 2020
On 2020-09-15 11:42 am, Rowland penny via samba wrote:
> On 15/09/2020 16:33, Marco Shmerykowsky via samba wrote:
>> I've been trying to setup OPENVPN on a Netgate appliance
>> running pfsense.
>>
>> Initially, the authentication server I created appears
>> to function. A connection is made, the "bind" is completed
>> and the organizational units are fetched from the server
>> and returned.
>>
>> A few minutes later - without making any changes -
>> the same test returns the following errors:
>>
>> php-fpm 67757 /system_usermanager_settings.php: ERROR!
>> ldap_get_groups() could not bind to server ADS-server.
>> php-fpm 67757 /system_usermanager.php: ERROR!
>> ldap_get_groups() could not bind to server ADS-server.
>>
>> I've tried restarting PHP-FPM and webconfigurator,
>> but that doesn't seem to solve the problem.
>>
>> I've configured an authentication server as follows:
>>
>> hostname: samba.internal.external.com
>> (This resolves to the IP with a hostname entry)
>> port: 636
>> Transport: SSL-Encrypted
>> Peer Certificate Authority: Samba-CA (imported from samba's ca.pem
>> file)
>> Client Certificate: Samaba-server-cert (imported from samba's cert.pem
>> and key.pem files)
>> Protocol: 3
>> Server Timeout: 25
>> Search Scope: Entire Subtree
>> Base DN: DC=internal,DC=external,DC=com
>> Auth. Container: CN=Users,DC-internal,DC=external,DC=com
>> Enable Extended Query:
>> Query: memberof=CN=Domain
>> Users,CN=Users,DC-internal,DC=external,DC=com
>> Bind credentials:
>> user: CN=binduser,CN=Users,DC-internal,DC=external,DC=com
>> passwd: apassword
>> User naming attribute: samAccountName
>> Group naming attribute: cn
>> Group member attribute: memberof
>>
>> This seems like it should be straightforward. What am I missing?
>>
>> Thanks
>
> Not entirely sure, but 'Query: memberof=CN=Domain
> Users,CN=Users,DC-internal,DC=external,DC=com' is unlikely to work.
> All AD users are members of Domain Users, but not one of them has the
> 'memberof' attribute and the group object doesn't show any 'member'
> attributes.
>
> So if the users are being searched for as members of the Domain Users
> group by the 'memberof' attribute, I do not think it will work, try
> another group.
>
> Rowland
I removed 'CN=Domain Users' from the query. I'm using the default tree
that was created when I set up the samba AD, so I think I'm matching
everything correctly:
Active Directory Users and Computers (samba.internal.external.com)
+ Saved queries
+ internal.external.com
  + Users
    + binduser
    + john_doe
    + Jane_doe
    + Domain Users
    + Domain Guests
  + Computers
  + System
  + Builtin
  + Domain Controllers
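As an added illustration of Rowland's point (this is example code, not from the thread or from pfSense/Samba): in AD a user's primary group, Domain Users (RID 513) by default, lives in the user's primaryGroupID attribute rather than in memberOf, so a filter on memberOf alone matches nobody for that group. The group DNs and user entries below are constructed, and the "VPN Users" group is hypothetical; whether pfSense's Extended Query field accepts a fully parenthesised filter is an assumption to verify against its documentation.

```python
"""Evaluate LDAP-style group filters locally to show why
'memberOf=CN=Domain Users,...' returns no users, and what does work."""
from typing import Dict, List, Optional

# Assumed DNs (the thread's DNs are used with DC= spelled correctly).
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=internal,DC=external,DC=com"
VPN_USERS_DN = "CN=VPN Users,CN=Users,DC=internal,DC=external,DC=com"  # hypothetical
DOMAIN_USERS_RID = 513  # well-known RID of Domain Users

# Constructed sample entries, shaped like what a Samba AD DC returns:
# every user has primaryGroupID=513, none lists Domain Users in memberOf.
USERS: List[Dict] = [
    {"sAMAccountName": "john_doe", "primaryGroupID": 513, "memberOf": [VPN_USERS_DN]},
    {"sAMAccountName": "Jane_doe", "primaryGroupID": 513, "memberOf": []},
    {"sAMAccountName": "binduser", "primaryGroupID": 513, "memberOf": []},
]


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a string SID, e.g. S-1-5-21-x-y-z-513."""
    return int(sid.rsplit("-", 1)[1])


def member_of_filter(group_dn: str) -> str:
    """The filter the original pfSense configuration effectively used."""
    return f"(memberOf={group_dn})"


def group_filter(group_dn: str, group_rid: int) -> str:
    """Filter that also catches users whose *primary* group is the target."""
    return f"(|(memberOf={group_dn})(primaryGroupID={group_rid}))"


def matches(entry: Dict, group_dn: str, group_rid: Optional[int] = None) -> bool:
    """Local evaluation of the two filters above: memberOf match, or a
    primaryGroupID match when a RID is supplied (DN comparison is case-insensitive)."""
    if any(dn.lower() == group_dn.lower() for dn in entry.get("memberOf", [])):
        return True
    return group_rid is not None and entry.get("primaryGroupID") == group_rid


def select(entries: List[Dict], group_dn: str, group_rid: Optional[int] = None) -> List[str]:
    """Return the sAMAccountNames the filter would let through."""
    return [e["sAMAccountName"] for e in entries if matches(e, group_dn, group_rid)]


if __name__ == "__main__":
    print(member_of_filter(DOMAIN_USERS_DN), "->", select(USERS, DOMAIN_USERS_DN))
    print(group_filter(DOMAIN_USERS_DN, DOMAIN_USERS_RID), "->",
          select(USERS, DOMAIN_USERS_DN, DOMAIN_USERS_RID))
```

Restricting VPN access to a dedicated group (the hypothetical "VPN Users" here) keeps the memberOf filter meaningful, since only the primary group is exempt from memberOf.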