[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

Marco Shmerykowsky marco at sce-engineers.com
Thu Sep 17 20:33:43 UTC 2020 

On 2020-09-16 1:49 pm, Rowland penny via samba wrote:
> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
>> I followed the instructions on the OpenVPN site for creating
>> the bind user:
>> 
>> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
> 
> OK after reading the supplied link, I think I see where the
> miss-understanding is coming from. Under the heading 'Only allow users
> from one specific group to log on'
> 
> Which is pretty clear, there is this:
> 
> In fact the whole idea is that you are restricting your query to only
> a portion of the LDAP directory that meets your requirements, and any
> user that doesn’t meet that requirement, simply cannot be found in the
> LDAP directory.
> 
> Here you could think that 'portion'  was an OU, I think it should be:
> 
> In fact the whole idea is that you are restricting your query to only
> members of a particular AD group, and any user that isn’t in that
> group, simply will not be found in the LDAP directory.
> 
> For example if the user 'rowland' was searched for using this LDAP
> filter
> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"
> The user would only be found if it was a member of the required group
> 
> Rowland

I greatly apologize from being obtuse, but I do not see what I'm
missing.  From what I'm reading I should be setting the following:

Base DN: DC=internal,DC=external,DC=com
Auth. Container: CN=Users,DN=internal,DN=external,DN=com
Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com
Bind user: CN=bind_user,CN=Users,DC=internal,DC=internal,DC=com

The bind_user can logon, so it is a legitimate user.
The format for the bind_user matches the distinguished name
format I get when I review the user's attributes.

The "Active Directory Domain Services Folder" in windows list
the bind_user as being a member of internal.external.com/Users

All of this looks correct.

I haven't even setup the OpenVPN side of things.  I'm just
trying to get the authentication server to respond & the bind
is failing.

I also tried a windows program ldp.exe to verify the bind_user
and that worked.  I can send the results off list if it helps,

thanks again.

Marco

More information about the samba mailing list