L.P.H. van Belle
2020-Sep-16 07:14 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
> This is just another user like anyone else in the office.
No, it's of course not .. Why do you think your binding user is failing ;-)

So, on the bind fail.
Did you set on the "binding" user: account is trusted and cannot be delegated?
Password can be changed and never expire need to be ticked also.

What's set on the pfSense server in ldap.conf?
Is BASE and URI defined?

As far as I can tell, your certificate setup is fine.
If you're not sure, go to: testssl.sh (yes that is a website)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Shmerykowsky via samba
> Sent: Tuesday 15 September 2020 22:57
> To: Rowland penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
>
> On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
>> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
>>> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>>>> I've tried restarting PHP-FPM and webconfigurator,
>>>>> but that doesn't seem to solve the problem.
>>>>
>>>> This must be done each time after you edit the configuration using the LDAP
>>>> authentication setup page. Otherwise the changes won't stick. Before I knew
>>>> this, I did suffer a lot trying to make it work and not understanding why it
>>>> didn't.
>>>
>>> Yea - I'm lost. I keep trying the same thing hoping for different
>>> results. I think that is the definition of insanity.
>>>
>>> I've tried:
>>>
>>> create new OU called VPNusers and a user within that called bind-user-1
>>> Also created a user under Users called bind-user-2
>>>
>>> then I set the following:
>>>
>>> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
>>> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
>>> bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>>>
>>> no go. Also tried:
>>>
>>> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
>>> authentication container => CN=users,DC=internal,DC=external,DC=com
>>> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>>>
>>> After each change I run options 16 (restart php-fpm) and 11 (restart webconfigurator)
>>>
>>> Tried using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>>>
>>> Tried using "Global Root CA List & No Client Cert" and "Samba CA & cert/key"
>>>
>>> Keeps failing to bind.
>>>
>>>
>> OK, AD uses what is known as back-links, that is you create something
>> and two attributes are created and they sort of point at each other,
>> for instance when you add a user to a group, the user gets a
>> 'memberOf' attribute that contains the group's DN and the group gets a
>> 'member' attribute that contains the user's DN.
>>
>> I think you need to use an existing group (which isn't Domain Users)
>> or create a new one and use that group's DN in the 'extended query'
>>
>> Rowland
>
> Perhaps I'm mixing terminology in my understanding of how I'm
> setting things up. Does the user being used to create the
> bind need to be part of a "security group" or just part
> of a different organizational unit?
>
> When I use the Windows admin tool for "Active Directory Users and Computers"
> I have a user located in "internal.external.com->users->bind-user-1".
> This is just another user like anyone else in the office.
>
> Under "internal.external.com->users" I also have a number of "Security *Groups*"
> defined to which I assigned my users to establish access privileges.
> So the distinguished name for a group is something like:
> CN=Group,CN=Users,DC=internal,DC=external,DC=com
>
> I also tried creating a new organizational unit and then creating
> a user within that OU (ie internal.external.com->VPNUsers->bind-user-2)
> This user, however, was not assigned to a security group.
>
> Do either of the scenarios described make sense or does the user
> need to be part of a Windows "Security Group"?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Marco Shmerykowsky
2020-Sep-16 16:34 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
I followed the instructions on the OpenVPN site for creating the bind user:

https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user

Following this procedure creates a user, but does not assign it to any security group other than "Domain Users" as described on the site.

The bind works sometimes. I cannot track down the difference between what causes apparent success vs failure for the bind.

On 9/16/2020 3:14 AM, L.P.H. van Belle via samba wrote:
>> This is just another user like anyone else in the office.
> No, it's of course not .. Why do you think your binding user is failing ;-)
>
> So, on the bind fail.
> Did you set on the "binding" user: account is trusted and cannot be delegated?
> Password can be changed and never expire need to be ticked also.
>
> What's set on the pfSense server in ldap.conf?
> Is BASE and URI defined?
>
> As far as I can tell, your certificate setup is fine.
> If you're not sure, go to: testssl.sh (yes that is a website)
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Shmerykowsky via samba
>> Sent: Tuesday 15 September 2020 22:57
>> To: Rowland penny
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
>>
>> On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
>>> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
>>>> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>>>>> I've tried restarting PHP-FPM and webconfigurator,
>>>>>> but that doesn't seem to solve the problem.
>>>>>
>>>>> This must be done each time after you edit the configuration using the LDAP
>>>>> authentication setup page. Otherwise the changes won't stick. Before I knew
>>>>> this, I did suffer a lot trying to make it work and not understanding why it
>>>>> didn't.
>>>>
>>>> Yea - I'm lost. I keep trying the same thing hoping for different
>>>> results. I think that is the definition of insanity.
>>>>
>>>> I've tried:
>>>>
>>>> create new OU called VPNusers and a user within that called bind-user-1
>>>> Also created a user under Users called bind-user-2
>>>>
>>>> then I set the following:
>>>>
>>>> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
>>>> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
>>>> bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>>>>
>>>> no go. Also tried:
>>>>
>>>> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
>>>> authentication container => CN=users,DC=internal,DC=external,DC=com
>>>> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>>>>
>>>> After each change I run options 16 (restart php-fpm) and 11 (restart webconfigurator)
>>>>
>>>> Tried using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>>>>
>>>> Tried using "Global Root CA List & No Client Cert" and "Samba CA & cert/key"
>>>>
>>>> Keeps failing to bind.
>>>>
>>>>
>>> OK, AD uses what is known as back-links, that is you create something
>>> and two attributes are created and they sort of point at each other,
>>> for instance when you add a user to a group, the user gets a
>>> 'memberOf' attribute that contains the group's DN and the group gets a
>>> 'member' attribute that contains the user's DN.
>>>
>>> I think you need to use an existing group (which isn't Domain Users)
>>> or create a new one and use that group's DN in the 'extended query'
>>>
>>> Rowland
>>
>> Perhaps I'm mixing terminology in my understanding of how I'm
>> setting things up. Does the user being used to create the
>> bind need to be part of a "security group" or just part
>> of a different organizational unit?
>>
>> When I use the Windows admin tool for "Active Directory Users and Computers"
>> I have a user located in "internal.external.com->users->bind-user-1".
>> This is just another user like anyone else in the office.
>>
>> Under "internal.external.com->users" I also have a number of "Security *Groups*"
>> defined to which I assigned my users to establish access privileges.
>> So the distinguished name for a group is something like:
>> CN=Group,CN=Users,DC=internal,DC=external,DC=com
>>
>> I also tried creating a new organizational unit and then creating
>> a user within that OU (ie internal.external.com->VPNUsers->bind-user-2)
>> This user, however, was not assigned to a security group.
>>
>> Do either of the scenarios described make sense or does the user
>> need to be part of a Windows "Security Group"?
Rowland penny
2020-Sep-16 17:49 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
> I followed the instructions on the OpenVPN site for creating
> the bind user:
>
> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
>
OK, after reading the supplied link, I think I see where the misunderstanding is coming from. Under the heading 'Only allow users from one specific group to log on', which is pretty clear, there is this:

In fact the whole idea is that you are restricting your query to only a portion of the LDAP directory that meets your requirements, and any user that doesn't meet that requirement, simply cannot be found in the LDAP directory.

Here you could think that 'portion' was an OU. I think it should be:

In fact the whole idea is that you are restricting your query to only members of a particular AD group, and any user that isn't in that group, simply will not be found in the LDAP directory.

For example, if the user 'rowland' was searched for using this LDAP filter

"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"

the user would only be found if it was a member of the required group.

Rowland
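To make the filter in Rowland's reply concrete, here is an added example (not code from the thread, pfSense or Samba) that builds the memberOf-restricted filter and evaluates its four conditions against a small constructed directory. It assumes the AD semantics described in the thread: a user's `memberOf` holds the DNs of groups whose `member` attribute lists the user (the back-link), and it additionally relies on the fact that a user's primary group (Domain Users by default) is not listed in `memberOf`, which is why a filter on that group's DN finds nobody. The domain, group and user DNs (`VPN_GROUP_DN`, `ROWLAND_DN`, `MARCO_DN`, ...) are constructed placeholders. The group DN is inserted without the quotes shown in the reply, since quote characters inside an LDAP filter are literal value characters and would never match a real DN; values are escaped per RFC 4515 so a caller-supplied account name cannot alter the filter structure.

```python
"""Build and evaluate the memberOf-restricted LDAP search filter.

Added example, not code from the list thread or from pfSense/Samba.
Assumed AD semantics: a user's 'memberOf' holds the DNs of groups whose
'member' attribute lists the user (the back-link Rowland describes), and the
user's primary group (Domain Users, primaryGroupID 513 by default) is NOT
listed in memberOf. All DNs and entries below are constructed for illustration.
"""

# RFC 4515 escaping for assertion values inside a search filter. Without it a
# caller-controlled name such as "x)(memberOf=*" would change the filter's
# structure instead of being matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str, group_dn: str, nested: bool = False) -> str:
    """Return the filter that finds a user only if it is a member of group_dn.

    The group DN goes in unquoted: quote characters in a filter are ordinary
    value characters. With nested=True the AD extensible match rule
    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is used so that
    membership through nested groups also counts; the plain memberOf
    comparison sees direct membership only.
    """
    member_attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(sam_account_name)})"
        f"({member_attr}={escape_filter_value(group_dn)}))"
    )


# Constructed directory contents for the hypothetical domain from the thread.
BASE_DN = "DC=internal,DC=external,DC=com"
VPN_GROUP_DN = f"CN=VPNUsers,CN=Users,{BASE_DN}"
DOMAIN_USERS_DN = f"CN=Domain Users,CN=Users,{BASE_DN}"
ROWLAND_DN = f"CN=rowland,CN=Users,{BASE_DN}"
MARCO_DN = f"CN=marco,CN=Users,{BASE_DN}"

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [
    # rowland was added to VPNUsers: the group lists him in 'member' and he
    # carries the back-link in 'memberOf'.
    {"dn": ROWLAND_DN, "objectCategory": "person", "objectClass": USER_CLASSES,
     "sAMAccountName": "rowland", "primaryGroupID": 513, "memberOf": [VPN_GROUP_DN]},
    # marco is only in his primary group, so memberOf is empty.
    {"dn": MARCO_DN, "objectCategory": "person", "objectClass": USER_CLASSES,
     "sAMAccountName": "marco", "primaryGroupID": 513, "memberOf": []},
    {"dn": VPN_GROUP_DN, "objectCategory": "group", "objectClass": ["top", "group"],
     "sAMAccountName": "VPNUsers", "member": [ROWLAND_DN]},
    {"dn": DOMAIN_USERS_DN, "objectCategory": "group", "objectClass": ["top", "group"],
     "sAMAccountName": "Domain Users", "member": []},
]


def find_user(directory, sam_account_name: str, group_dn: str):
    """Apply the four conditions of the un-nested filter to in-memory entries.

    Matching on sAMAccountName and on the DN-valued memberOf attribute is
    case-insensitive, as on a DC. Returns the matching user's DN, or None
    when the user does not exist or is not a direct member of group_dn.
    """
    wanted = group_dn.lower()
    for entry in directory:
        if entry.get("objectCategory") != "person":
            continue
        if "user" not in entry.get("objectClass", []):
            continue
        if entry.get("sAMAccountName", "").lower() != sam_account_name.lower():
            continue
        if wanted in (g.lower() for g in entry.get("memberOf", [])):
            return entry["dn"]
    return None


if __name__ == "__main__":
    print(build_user_filter("rowland", VPN_GROUP_DN))
    print("rowland in VPNUsers:", find_user(DIRECTORY, "rowland", VPN_GROUP_DN))
    print("marco in VPNUsers:", find_user(DIRECTORY, "marco", VPN_GROUP_DN))
    # Both users are in Domain Users, but only via primaryGroupID, so a
    # memberOf filter on that group's DN finds nobody.
    print("marco in Domain Users:", find_user(DIRECTORY, "marco", DOMAIN_USERS_DN))
```

In pfSense terms, only the `(memberOf=...)` clause is what goes into the "extended query" field discussed earlier in the thread, with the DN of a real group rather than of an OU or container; the authenticator adds the account-name and object-class conditions itself. Escaping the account name matters because that value is taken from whatever the user typed at the login prompt.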