[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
marco at sce-engineers.com
Tue Sep 15 20:57:05 UTC 2020
On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
>> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>>> I've tried restarting PHP-FPM and webconfigurator,
>>>> but that doesn't seem to solve the problem.
>>> This must be done each time after you edit the configuration using
>>> the LDAP
>>> authentication setup page. Otherwise the changes won't stick. Before
>>> I knew
>>> this, I did suffer a lot trying to make it work and not understanding
>>> why it
>> Yea - I'm lost. I keep trying the same thing hoping for different
>> results. I think that is the definition of insanity.
>> I've tried:
>> created a new OU called VPNusers and a user within that called bind-user-1
>> Also created a user under Users called bind-user-2
>> then I set the following:
>> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
>> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
>> bind user =>
>> no go. Also tried:
>> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
>> authentication container => CN=users,DC=internal,DC=external,DC=com
>> bind user =>
>> After each change I run options 16 (restart php-fpm) and 11 (restart
>> Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>> Tried using "Global Root CA List & No Client Cert" and "Samba CA &
>> Keeps failing to bind.
> OK, AD uses what is known as back-links, that is you create something
> and two attributes are created and they sort of point at each other,
> for instance when you add a user to a group, the user gets a
> 'memberOf' attribute that contains the group's DN and the group gets a
> 'member' attribute that contains the user's DN.
> I think you need to use an existing group (which isn't Domain Users)
> or create a new one and use that group's DN in the 'extended query'
Perhaps I'm mixing terminology in my understanding of how I'm
setting things up. Does the user being used to create the
bind need to be part of a "security group" or just part
of a different organizational unit?
When I use the windows admin tool for "Active Directory Users and
I have a user located in "internal.external.com->users->bind-user-1".
This is just another user like anyone else in the office.
Under "internal.external.com->users" I also have a number of "Security
defined to which I assigned my users to establish access privileges.
so the distinguished name for a group is something like:
I also tried creating a new organizational unit and then creating
a user within that OU (i.e. internal.external.com->VPNUsers->bind-user-2)
This user, however, was not assigned to a security group.
Do either of the scenarios described make sense or does the user
need to be part of a Windows "Security Group"?
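Added illustration, not from the thread or from pfSense/Samba code: a small Python model of the back-link point Rowland makes, evaluated against two constructed entries that mirror the attempts above. The group name "VPN Access" and the simplified filter semantics (container = search base, extended query = one attr=value term) are assumptions.

```python
# Constructed model of how a memberOf-based "extended query" selects a user.
from dataclasses import dataclass, field

BASE = "DC=internal,DC=external,DC=com"

@dataclass
class Entry:
    dn: str
    member_of: list = field(default_factory=list)  # back-link: DNs of groups

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison (case-insensitive, no spaces after commas)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def in_container(entry: Entry, container: str) -> bool:
    """True if the entry lives under the search base (authentication container)."""
    return norm_dn(entry.dn).endswith("," + norm_dn(container))

def matches_query(entry: Entry, query: str) -> bool:
    """Evaluate a single attr=value term of the extended query against the entry.
    Only memberOf is modelled, because that is the attribute the thread discusses."""
    attr, _, value = query.partition("=")
    if attr.strip().lower() != "memberof":
        raise ValueError("only memberOf is modelled here")
    return any(norm_dn(g) == norm_dn(value) for g in entry.member_of)

def can_authenticate(entry: Entry, container: str, query: str) -> bool:
    return in_container(entry, container) and matches_query(entry, query)

# Constructed users: bind-user-1 in the default Users container and in a
# hypothetical security group "VPN Access"; bind-user-2 in OU VPNUsers, no groups.
USER1 = Entry(f"CN=bind-user-1,CN=Users,{BASE}", [f"CN=VPN Access,CN=Users,{BASE}"])
USER2 = Entry(f"CN=bind-user-2,OU=VPNUsers,{BASE}")

def demo() -> dict:
    ou_dn = f"OU=VPNUsers,{BASE}"
    users_dn = f"CN=Users,{BASE}"
    group_dn = f"CN=VPN Access,CN=Users,{BASE}"
    return {
        # first attempt: an OU DN never appears in memberOf, so nothing matches
        "ou_as_group": can_authenticate(USER2, ou_dn, f"memberof={ou_dn}"),
        # second attempt: the Users container is not a group either
        "container_as_group": can_authenticate(USER1, users_dn, f"memberof={users_dn}"),
        # Rowland's advice: search the container, filter on a real group's DN
        "group_dn": can_authenticate(USER1, users_dn, f"memberof={group_dn}"),
    }
```

Running `demo()` shows only the third configuration succeeds: a user's memberOf holds group DNs, so an OU or container DN in the filter can never match.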