A little off topic, but this does revolve around Samba. I'm hoping someone can help me get to a working solution. I haven't been able to find a clear guide, but it must have been done by others.

I'm trying to set up a VPN using OpenVPN on pfSense with authentication via my Samba AD (Version 4.9.4-Debian).

I keep getting a "Could not connect to LDAP server" error when trying to configure the authentication server. When I try to test the server I get an "Attempting to fetch Organizational Units from XXXX failed" error.

The "button" in the GUI that allows for "selecting a container" for setting the authentication container doesn't work, so I set it manually (CN=users;DC=internal,DC=company,DC=com).

I've copied the ca.pem, cert.pem and key.pem files over to pfSense to create the certificates.

The authentication server is set to type "LDAP" using a transport of "TCP - standard" and a port of 389. The Peer Certificate Authority uses the cert created from importing ca.pem. The client certificate uses the cert created from importing cert.pem and key.pem.

The base DN is correct (DN=internal,DN=company,DN=com).

The pfSense box can resolve the host name of the Samba machine (machine.internal.company.com).

I have it set to use anonymous binds.

Some kind of connection issue, I gather, with connecting to the Samba internal LDAP server.

Can anyone please point me in the correct direction? Thanks.

--
Marco
marco at sce-engineers.com
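Before retesting from the pfSense authentication-server form, the three DNs it asks for (base DN, authentication container, bind DN) can be syntax-checked offline. The script below is an added example, not pfSense or Samba code; the DNs it checks are constructed from the values quoted in this thread, and the rules it applies (an AD base DN is DC= components only, RDNs are separated by ',', the container must end in the base DN) are general LDAP/AD conventions rather than anything taken from the pfSense source.

```python
"""Sanity-check the DNs typed into the pfSense LDAP authentication-server
form before testing them against a Samba AD DC (added example, not pfSense
or Samba code). Sample DNs are constructed from the mailing-list thread."""
import re

# Attribute types that legitimately appear in AD DNs; "DN" is not one of them.
KNOWN_TYPES = {"CN", "OU", "DC", "O", "L", "ST", "C", "UID"}
RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn):
    """Split a DN into (TYPE, value) pairs; return (pairs, problems).
    Values are lower-cased so 'Dc=Company' and 'DC=company' compare equal."""
    problems = []
    if ";" in dn:
        problems.append("';' is not an RDN separator, use ','")
    pairs = []
    for raw in re.split(r"[,;]", dn):
        m = RDN_RE.match(raw.strip())
        if not m:
            problems.append(f"malformed RDN {raw!r}")
            continue
        typ, val = m.group(1).upper(), m.group(2).strip().lower()
        if typ not in KNOWN_TYPES:
            problems.append(f"unknown attribute type {typ!r} in {raw!r}")
        pairs.append((typ, val))
    return pairs, problems


def check_settings(base_dn, container_dn, bind_dn=None):
    """Return a list of findings (empty list means the DNs are consistent)."""
    findings = []
    base, p = parse_dn(base_dn)
    findings += [f"base DN: {x}" for x in p]
    if base and any(t != "DC" for t, _ in base):
        findings.append("base DN: an AD domain base consists of DC= components only")
    cont, p = parse_dn(container_dn)
    findings += [f"container: {x}" for x in p]
    if base and cont and cont[-len(base):] != base:
        findings.append("container: must end with the base DN")
    if bind_dn:
        bind, p = parse_dn(bind_dn)
        findings += [f"bind DN: {x}" for x in p]
        if bind and cont and bind[-len(cont):] != cont:
            findings.append("bind DN: bind user is not inside the container")
    return findings


if __name__ == "__main__":
    # The values as typed in the original post (constructed reproduction).
    for f in check_settings("DN=internal,DN=company,DN=com",
                            "CN=users;DC=internal,DC=company,DC=com"):
        print(f)
```

Running it on the post's values reports the "DN=" attribute types in the base DN and the ';' in the container; the corrected DNs from later in the thread produce no findings.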
On 01.09.20 at 19:07, Marco Shmerykowsky via samba wrote:
> [...]

I hit that as well, you might be able to find it in the ML archive.

For me it was crucial to import the CA certs of the Samba AD DCs into pfSense.

Additionally it was super important to use the correct and matching FQDN of one AD DC (I didn't yet manage to set up some redundant alias) in the "Authentication Server" setup on pfSense.

I created a separate bind-user for pfSense, not anonymous.

And SSL-encrypted via port 636 ... while using the imported CA there.

This as a start, feel free to ask more, I have at least 3 such installations working.
Try DC=internal,Dc=Company,DC=com

On 01/09/20 14:07, Marco Shmerykowsky via samba wrote:
> [...]
Daniel Lopes de Carvalho
2020-Sep-01 17:36 UTC
[Samba] OpenVPN authentication via Samba AD
Hello Marco.

I have a working OpenVPN pfSense authenticating via Samba AD 4.12. I'm not sure if it is possible to attach the configuration screenshots here on the Samba mailing list. Then, I'll send them directly to you, OK?

Regards

On Tue, Sep 1, 2020 at 2:27 PM Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
> [...]
>
> --
> Marco
> marco at sce-engineers.com
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
I have it working but I struggled for a while before getting there.

Read this page:

https://www.reddit.com/r/PFSENSE/comments/esxwrv/could_not_bind_to_ldap_server/

Due to a bug in PHP, what you set in the LDAP page doesn't stick. You have to go to the pfSense console menu and press option 16 followed by option 11.

"The way PHP requires an LDAP connection to be setup in the environment sometimes gets tripped up when you make changes. It's best to run 16/11 after making any change to LDAP settings."

Once I did that, it all worked like magic.

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Marco Shmerykowsky via samba
Sent: 1 September 2020 18:08
To: samba at lists.samba.org
Subject: [Samba] OpenVPN authentication via Samba AD

[...]
On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
> On 01.09.20 at 19:07, Marco Shmerykowsky via samba wrote:
>> [...]
>
> [...]

Thanks. Some progress.

I changed the Transport to SSL-encrypted via 636 and created a separate bind user. The bind user is entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com". The server checks out.

However, when I run Diagnostics->Authentication, although the user checks out as authenticated, the groups the user belongs to are not listed. Must be still missing something.

Marco.
On 01.09.20 at 19:49, miguel medalha via samba wrote:
> [...]

Nice. Now that you mention it I also remember restarting PHP-FPM etc ... ;-)