[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
Rowland penny
rpenny at samba.org
Wed Sep 16 08:04:06 UTC 2020
On 15/09/2020 21:57, Marco Shmerykowsky wrote:
> On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
>> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
>>> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>>>> I've tried restarting PHP-FPM and webconfigurator,
>>>>> but that doesn't seem to solve the problem.
>>>>
>>>> This must be done each time after you edit the configuration using
>>>> the LDAP
>>>> authentication setup page. Otherwise the changes won't stick.
>>>> Before I knew
>>>> this, I did suffer a lot trying to make it work and not
>>>> understanding why it
>>>> didn't.
>>>
>>> Yea - I'm lost. I keep trying the same thing hoping for different
>>> results. I think that is the definition of insanity.
>>>
>>> I've tried:
>>>
>>> create new OU called VPNusers and a user within that call bind-user-1
>>> Also created a user under Users called bind-user-2
>>>
>>> then I set the following:
>>>
>>> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
>>> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
>>> bind user =>
>>> CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>>>
>>> no go. Also tried:
>>>
>>> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
>>> authentication container => CN=users,DC=internal,DC=external,DC=com
>>> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>>>
>>> After each change I run options 16 (restart php-fpm) and 11 (restart
>>> webconfigurator)
>>>
>>> Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>>>
>>> Tried using "Global Root CA List & No Client Cert" and "Samba CA &
>>> cert/key"
>>>
>>> Keeps failing to bind.
>>>
>>>
>> OK, AD uses what is known as back-links, that is you create something
>> and two attributes are created and they sort of point at each other,
>> for instance when you add a user to a group, the user gets a
>> 'memberOf' attribute that contains the groups DN and the group gets a
>> 'member' attribute that contains the users DN.
>>
>> I think you need to use an existing group (which isn't Domain Users)
>> or create a new one and use that groups DN in the 'extended query'
>>
>> Rowland
>
> Perhaps I'm mixing terminology in my understanding of how I'm
> setting things up. Does the user being used to create the
> bind need to be part of a "security group" or just part
> of a different organizational unit?
>
> When I use the windows admin tool for "Active Directory Users and
> Computers"
> I have a user located in "internal.external.com->users->bind-user-1".
> This is just another user like anyone else in the office.
>
> Under "internal.external.com->users" I also have a number of "Security
> *Groups*"
> defined to which I assigned my users to establish access privileges.
> so the distinguished name for a groups is something like:
> CN=Group,CN=Users,DC=internal,DC=external,DC=com
>
> I also tried creating a new organizational unit and then creating
> a user within that OU (ie internal.external.com->VPNUsers->bind-user-2)
> This user, however, was not assigned to a security group.
>
> Do either of the scenarios described make sense or does the user
> need to be part of a Windows "Security Group"?
I have no idea, I do not use VPN, but what I do know is that 'memberOf'
is only used with group membership, it has nothing to do with OU's
Rowland
More information about the samba
mailing list