[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
Marco Shmerykowsky
marco at sce-engineers.com
Wed Sep 23 14:57:36 UTC 2020
On 2020-09-17 4:55 pm, Rowland penny via samba wrote:
> On 17/09/2020 21:33, Marco Shmerykowsky via samba wrote:
>> On 2020-09-16 1:49 pm, Rowland penny via samba wrote:
>>> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
>>>> I followed the instructions on the OpenVPN site for creating
>>>> the bind user:
>>>>
>>>> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
>>>
>>> OK after reading the supplied link, I think I see where the
>>> misunderstanding is coming from. Under the heading 'Only allow
>>> users from one specific group to log on'
>>>
>>> Which is pretty clear, there is this:
>>>
>>> In fact the whole idea is that you are restricting your query to only
>>> a portion of the LDAP directory that meets your requirements, and any
>>> user that doesn’t meet that requirement, simply cannot be found in
>>> the LDAP directory.
>>>
>>> Here you could think that 'portion' was an OU, I think it should be:
>>>
>>> In fact the whole idea is that you are restricting your query to only
>>> members of a particular AD group, and any user that isn’t in that
>>> group, simply will not be found in the LDAP directory.
>>>
>>> For example if the user 'rowland' was searched for using this LDAP
>>> filter
>>> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"
>>> The user would only be found if it was a member of the required group
>>>
>>> Rowland
>>
>> I greatly apologize for being obtuse, but I do not see what I'm
>> missing. From what I'm reading I should be setting the following:
>>
>> Base DN: DC=internal,DC=external,DC=com
>> Auth. Container: CN=Users,DN=internal,DN=external,DN=com
>> Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com
>
> I think (and I could be talking out of my hat) that extended Query
> will never work. 'Users' is a member of Domain Users and like Domain
> Users it has no direct users, or to put it another way, no user has a
> 'memberof' attribute containing the DN of 'Users' or 'Domain Users'.
> Have you tried creating another group, such as 'VPN Users' ??
>
> The other question is, is that DN correct and if so how ? In my
> domain, 'Users' is at
> 'CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com'
>
> Rowland
I've had the situation where the bind has worked. I can't figure out
the difference between it working vs. not working because I think I'm
using the same settings.
When it worked, the auth server returned the following organizational
units.
OU=Domain Controlers,DC=internal,DC=external,DC=com
CN=Users,CN=Builtin,DC=internal,DC=external,DC=com
CN=Users,DC=internal,DC=external,DC=com
I've also referenced this web site
(https://techexpert.tips/pfsense/pfsense-ldap-authentication-active-directory/)
regarding basic setup. Although it doesn't list the extended query, it
does seem to indicate that the bind user doesn't have to be part of a
group.
Still missing something stupid.
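As an added illustration (not code from this thread, from Samba or from pfSense), the following script builds the user-search filter Rowland quotes and applies the same four AND-ed conditions to a constructed snapshot of two AD user entries. It shows two things the thread turns on: a group that a user belongs to only as their primary group (Domain Users, via primaryGroupID) never appears in memberOf, so a memberOf filter on it matches nobody; and the sAMAccountName that an authenticating client supplies must be escaped before it is placed in the filter, since it is untrusted input. The DNs, user names and the simplified `objectCategory` value are assumptions made for the example.

```python
"""Added example for this thread, not code from the list, Samba or pfSense.

It builds the filter quoted in the thread and evaluates its conditions against
a constructed directory snapshot, to show why a memberOf filter on a primary
group (Domain Users) matches nobody, and why user input is escaped first.
"""
from typing import Dict, List, Optional

VPN_GROUP_DN = "CN=VPN Users,CN=Users,DC=samdom,DC=example,DC=com"
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com"

# Constructed sample entries (invented DNs). AD stores objectCategory as a DN
# and accepts the short name in filters; the short form is used here directly.
SAMPLE_DIRECTORY: List[Dict[str, object]] = [
    {
        "dn": "CN=rowland,CN=Users,DC=samdom,DC=example,DC=com",
        "objectCategory": "person",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "rowland",
        "primaryGroupID": 513,      # Domain Users: primary group, not in memberOf
        "memberOf": [VPN_GROUP_DN],
    },
    {
        "dn": "CN=marco,CN=Users,DC=samdom,DC=example,DC=com",
        "objectCategory": "person",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "marco",
        "primaryGroupID": 513,      # member of Domain Users only, via primaryGroupID
        "memberOf": [],
    },
]


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) so input cannot alter the filter."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str, group_dn: str) -> str:
    """The filter quoted in the thread, with both assertion values escaped."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(sam_account_name)})"
        f"(memberOf={escape_filter_value(group_dn)}))"
    )


def _dn_equal(a: str, b: str) -> bool:
    """DN comparison is case-insensitive; whitespace around commas is ignored."""
    def norm(dn: str) -> str:
        return ",".join(part.strip() for part in dn.split(",")).lower()
    return norm(a) == norm(b)


def find_user(directory: List[Dict[str, object]], sam_account_name: str,
              group_dn: str) -> Optional[str]:
    """Apply the filter's four conditions to each entry; return the DN or None.

    This mirrors what the LDAP server does for the filter above: a user who is
    not listed in the group's member attribute (and so has no matching memberOf
    value) is simply not found, even though the account exists.
    """
    for entry in directory:
        if str(entry["objectCategory"]).lower() != "person":
            continue
        if "user" not in [c.lower() for c in entry["objectClass"]]:
            continue
        if str(entry["sAMAccountName"]).lower() != sam_account_name.lower():
            continue
        if not any(_dn_equal(g, group_dn) for g in entry["memberOf"]):
            continue
        return str(entry["dn"])
    return None


if __name__ == "__main__":
    print(build_user_filter("rowland", VPN_GROUP_DN))
    print("rowland / VPN Users    ->", find_user(SAMPLE_DIRECTORY, "rowland", VPN_GROUP_DN))
    print("marco   / VPN Users    ->", find_user(SAMPLE_DIRECTORY, "marco", VPN_GROUP_DN))
    print("rowland / Domain Users ->", find_user(SAMPLE_DIRECTORY, "rowland", DOMAIN_USERS_DN))
    print(build_user_filter("*)(sAMAccountName=*", VPN_GROUP_DN))
```

The last line of the usage shows that a username containing filter metacharacters is neutralised by escaping rather than rewriting the query; a real deployment would additionally bind as a dedicated service account with read-only rights and restrict it to a purpose-made group such as the 'VPN Users' group Rowland suggests.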