[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

Rowland penny rpenny at samba.org
Thu Sep 17 20:55:40 UTC 2020

On 17/09/2020 21:33, Marco Shmerykowsky via samba wrote:
> On 2020-09-16 1:49 pm, Rowland penny via samba wrote:
>> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
>>> I followed the instructions on the OpenVPN site for creating
>>> the bind user:
>>> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user 
>> OK after reading the supplied link, I think I see where the
>> miss-understanding is coming from. Under the heading 'Only allow users
>> from one specific group to log on'
>> Which is pretty clear, there is this:
>> In fact the whole idea is that you are restricting your query to only
>> a portion of the LDAP directory that meets your requirements, and any
>> user that doesn’t meet that requirement, simply cannot be found in the
>> LDAP directory.
>> Here you could think that 'portion'  was an OU, I think it should be:
>> In fact the whole idea is that you are restricting your query to only
>> members of a particular AD group, and any user that isn’t in that
>> group, simply will not be found in the LDAP directory.
>> For example if the user 'rowland' was searched for using this LDAP
>> filter
>> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))" 
>> The user would only be found if it was a member of the required group
>> Rowland
> I greatly apologize from being obtuse, but I do not see what I'm
> missing.  From what I'm reading I should be setting the following:
> Base DN: DC=internal,DC=external,DC=com
> Auth. Container: CN=Users,DN=internal,DN=external,DN=com
> Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com

I think (and I could be talking out of my hat) that extended Query will 
never work.  'Users' is a member of Domain Users and like Domain Users 
it has no direct users, or to put it another way, no user has a 
'memberof' attribute containing the DN of 'Users' or 'Domain Users'. 
Have you tried creating another group, such as 'VPN Users' ??

The other question is, is that DN correct and if so how ? In my domain, 
'Users' is at 'CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com'


More information about the samba mailing list