[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

Marco Shmerykowsky marco at sce-engineers.com
Wed Sep 23 14:57:36 UTC 2020


On 2020-09-17 4:55 pm, Rowland penny via samba wrote:
> On 17/09/2020 21:33, Marco Shmerykowsky via samba wrote:
>> On 2020-09-16 1:49 pm, Rowland penny via samba wrote:
>>> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
>>>> I followed the instructions on the OpenVPN site for creating
>>>> the bind user:
>>>> 
>>>> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
>>> 
>>> OK after reading the supplied link, I think I see where the
>>> misunderstanding is coming from. Under the heading 'Only allow users
>>> from one specific group to log on'
>>> 
>>> Which is pretty clear, there is this:
>>> 
>>> In fact the whole idea is that you are restricting your query to only
>>> a portion of the LDAP directory that meets your requirements, and any
>>> user that doesn’t meet that requirement, simply cannot be found in the
>>> LDAP directory.
>>> 
>>> Here you could think that 'portion'  was an OU, I think it should be:
>>> 
>>> In fact the whole idea is that you are restricting your query to only
>>> members of a particular AD group, and any user that isn’t in that
>>> group, simply will not be found in the LDAP directory.
>>> 
>>> For example if the user 'rowland' was searched for using this LDAP
>>> filter
>>> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))" 
>>> The user would only be found if it was a member of the required group
>>> 
>>> Rowland
>> 
>> I greatly apologize for being obtuse, but I do not see what I'm
>> missing.  From what I'm reading I should be setting the following:
>> 
>> Base DN: DC=internal,DC=external,DC=com
>> Auth. Container: CN=Users,DN=internal,DN=external,DN=com
>> Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com
> 
> I think (and I could be talking out of my hat) that extended Query
> will never work.  'Users' is a member of Domain Users and like Domain
> Users it has no direct users, or to put it another way, no user has a
> 'memberof' attribute containing the DN of 'Users' or 'Domain Users'.
> Have you tried creating another group, such as 'VPN Users' ??
> 
> The other question is, is that DN correct and if so how ? In my
> domain, 'Users' is at
> 'CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com'
> 
> Rowland

I've had the situation where the bind has worked.  I can't figure out
the difference between it working vs. not working because I think I'm
using the same settings.

When it worked, the auth server returned the following organizational 
units.

OU=Domain Controlers,DC=internal,DC=external,DC=com
CN=Users,CN=Builtin,DC=internal,DC=external,DC=com
CN=Users,DC=internal,DC=external,DC=com

I've also referenced this web site 
(https://techexpert.tips/pfsense/pfsense-ldap-authentication-active-directory/)
regarding basic setup.  Although it doesn't list the extended query, it 
does seem to indicate that the bind user doesn't have to be part of a 
group.

Still missing something stupid.
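The exchange above turns on one point: in Active Directory, membership in a user's primary group (Domain Users, RID 513, by default) is recorded in `primaryGroupID`, not in `memberOf`, so a `memberOf=` filter on 'Domain Users' or 'Users' will never match anyone. The following is an added example, not code from this thread, from Samba, pfSense or OpenVPN: a small evaluator for the filter Rowland quoted, run against two constructed user entries. The 'VPN Users' group, the entry contents and the parser are assumptions made for the illustration; `'GROUPS_DN'` in the quoted filter is a placeholder, and the real group DN goes in unquoted.

```python
"""Added example (not code from the Samba thread, pfSense or OpenVPN): a tiny
evaluator for the AD-style LDAP filter quoted above, run against constructed
directory entries, to show why a memberOf filter on 'Domain Users' or 'Users'
matches nobody while a dedicated group such as 'VPN Users' does."""

from typing import Dict, List, Tuple, Union

BASE_DN = "DC=internal,DC=external,DC=com"                  # base DN from the thread
VPN_GROUP_DN = f"CN=VPN Users,CN=Users,{BASE_DN}"           # hypothetical group, as suggested
DOMAIN_USERS_DN = f"CN=Domain Users,CN=Users,{BASE_DN}"     # default primary group (RID 513)

# Constructed sample entries. LDAP attribute values are multi-valued, hence lists.
# Real AD stores objectCategory as a schema DN and resolves the short name 'person'
# in filters; the entries below simply carry the short name.
DIRECTORY: List[Dict[str, List[str]]] = [
    {
        "dn": [f"CN=rowland,CN=Users,{BASE_DN}"],
        "objectCategory": ["person"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["rowland"],
        "primaryGroupID": ["513"],          # Domain Users, via primaryGroupID only
        "memberOf": [VPN_GROUP_DN],         # explicit group membership
    },
    {
        "dn": [f"CN=marco,CN=Users,{BASE_DN}"],
        "objectCategory": ["person"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["marco"],
        "primaryGroupID": ["513"],
        # no memberOf at all: membership in the primary group is not listed there
    },
]

Node = Union[Tuple[str, list], Tuple[str, str, str]]


def parse_filter(text: str) -> Node:
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...) and (attr=value).
    Values are taken literally up to the next ')', so DNs containing ')' would
    need escaping that this toy parser does not implement."""
    pos = 0

    def parse() -> Node:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported assertion {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr, value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry: Dict[str, List[str]], node: Node) -> bool:
    """Evaluate a parsed filter. Attribute names and DN/string values are compared
    case-insensitively, as AD does."""
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    attrs = {k.lower(): v for k, v in entry.items()}
    return any(v.lower() == value.lower() for v in attrs.get(attr.lower(), []))


def search(filter_text: str, directory=DIRECTORY) -> List[str]:
    """Return the sAMAccountNames of entries matching the filter."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"][0] for e in directory if matches(e, tree)]


def group_filter(sam_account_name: str, group_dn: str) -> str:
    """The filter from the thread, with the user name and group DN filled in."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={sam_account_name})(memberOf={group_dn}))")


if __name__ == "__main__":
    print(search(group_filter("rowland", VPN_GROUP_DN)))        # ['rowland']
    print(search(group_filter("marco", VPN_GROUP_DN)))          # []
    print(search(group_filter("rowland", DOMAIN_USERS_DN)))     # [] : primary group is not in memberOf
    print(search("(&(objectClass=user)(primaryGroupID=513))"))  # ['rowland', 'marco']
```

The third call is the case from the thread: the filter is syntactically fine, the user exists, and still nothing comes back, because the only record of 'Domain Users' membership is `primaryGroupID`. Before trusting an authentication-server configuration, run the exact filter it will use (with `ldapsearch` or the pfSense diagnostics page) with the bind account's own credentials and confirm that a known member is returned; an empty result with a valid bind is the symptom to look for.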
