[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

Marco Shmerykowsky marco at sce-engineers.com
Wed Sep 23 14:57:36 UTC 2020

On 2020-09-17 4:55 pm, Rowland penny via samba wrote:
> On 17/09/2020 21:33, Marco Shmerykowsky via samba wrote:
>> On 2020-09-16 1:49 pm, Rowland penny via samba wrote:
>>> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
>>>> I followed the instructions on the OpenVPN site for creating
>>>> the bind user:
>>>> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
>>> OK after reading the supplied link, I think I see where the
>>> misunderstanding is coming from. Under the heading 'Only allow users
>>> from one specific group to log on'
>>> Which is pretty clear, there is this:
>>> In fact the whole idea is that you are restricting your query to only
>>> a portion of the LDAP directory that meets your requirements, and any
>>> user that doesn’t meet that requirement, simply cannot be found in the
>>> LDAP directory.
>>> Here you could think that 'portion' was an OU, I think it should be:
>>> In fact the whole idea is that you are restricting your query to only
>>> members of a particular AD group, and any user that isn’t in that
>>> group, simply will not be found in the LDAP directory.
>>> For example if the user 'rowland' was searched for using this LDAP
>>> filter
>>> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))" 
>>> The user would only be found if it was a member of the required group
>>> Rowland
>> I greatly apologize for being obtuse, but I do not see what I'm
>> missing.  From what I'm reading I should be setting the following:
>> Base DN: DC=internal,DC=external,DC=com
>> Auth. Container: CN=Users,DN=internal,DN=external,DN=com
>> Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com
> I think (and I could be talking out of my hat) that extended Query
> will never work.  'Users' is a member of Domain Users and like Domain
> Users it has no direct users, or to put it another way, no user has a
> 'memberof' attribute containing the DN of 'Users' or 'Domain Users'.
> Have you tried creating another group, such as 'VPN Users' ??
> The other question is, is that DN correct and if so how ? In my
> domain, 'Users' is at
> 'CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com'
> Rowland

I've had the situation where the bind has worked.  I can't figure out
the difference between it working vs. not working because I think I'm
using the same settings.

When it worked, the auth server returned the following organizational 

OU=Domain Controlers,DC=internal,DC=external,DC=com

I've also referenced this web site 
regarding basic setup.  Although it doesn't list the extended query, it 
does seem to indicate that the bind user doesn't have to be part of a 

Still missing something stupid.
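As an added illustration of the filter Rowland quoted earlier in the thread (this is example code, not from the Samba list or any of the posters): it builds the sAMAccountName/memberOf search filter with RFC 4515 escaping and evaluates it offline against constructed sample entries, so you can see that a user whose only link to a group is primaryGroupID (the Domain Users case) is never matched by a memberOf filter. GROUP_DN, the sample entries and the simplified objectCategory value are assumptions; in production the filter string is handed to the domain controller, not evaluated locally.

```python
import re
from typing import Dict, List, Union

Entry = Dict[str, Union[str, int, List[str]]]

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value, turning \\28 back into '(' and so on."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_group_restricted_filter(username: str, group_dn: str) -> str:
    """The filter quoted in the thread: the user is found only if memberOf lists group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(username)})"
            f"(memberOf={escape_filter_value(group_dn)}))")

_EQUALITY = re.compile(r"\((\w+)=([^()]*)\)")

def entry_matches(entry: Entry, ldap_filter: str) -> bool:
    """Offline stand-in for the DC: evaluate an AND-of-equality filter against one entry.
    Attribute names and values compare case-insensitively, as AD does for DNs and names."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("only (&(a=v)(b=v)...) filters are supported here")
    lowered = {k.lower(): v for k, v in entry.items()}
    for attr, raw in _EQUALITY.findall(ldap_filter[2:-1]):
        values = lowered.get(attr.lower(), [])
        values = values if isinstance(values, list) else [values]
        if unescape_filter_value(raw).lower() not in [str(v).lower() for v in values]:
            return False
    return True

# Constructed sample data, not a real domain. objectCategory is simplified to its short name.
GROUP_DN = "CN=VPN Users,CN=Users,DC=internal,DC=external,DC=com"
SAMPLE_ENTRIES: List[Entry] = [
    {"sAMAccountName": "rowland", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "memberOf": [GROUP_DN], "primaryGroupID": 513},
    # 'marco' is in Domain Users only through primaryGroupID (513); AD does not put the
    # primary group into memberOf, so a memberOf filter on Domain Users never finds him.
    {"sAMAccountName": "marco", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "memberOf": [], "primaryGroupID": 513},
]

def find_user(username: str, group_dn: str, entries: List[Entry] = SAMPLE_ENTRIES) -> List[Entry]:
    """Return the entries the group-restricted filter would match for this user."""
    ldap_filter = build_group_restricted_filter(username, group_dn)
    return [e for e in entries if entry_matches(e, ldap_filter)]
```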
