samba - Sep 2020 - PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
> I followed the instructions on the OpenVPN site for creating
> the bind user:
>
>
https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
>
OK after reading the supplied link, I think I see where the 
miss-understanding is coming from. Under the heading 'Only allow users 
from one specific group to log on'

Which is pretty clear, there is this:

In fact the whole idea is that you are restricting your query to only a 
portion of the LDAP directory that meets your requirements, and any user 
that doesn?t meet that requirement, simply cannot be found in the LDAP 
directory.

Here you could think that 'portion'? was an OU, I think it should be:

In fact the whole idea is that you are restricting your query to only 
members of a particular AD group, and any user that isn?t in that group, 
simply will not be found in the LDAP directory.

For example if the user 'rowland' was searched for using this LDAP 
filter 
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"
The user would only be found if it was a member of the required group

Rowland

Mandi! Rowland penny via samba
  In chel di` si favelave...
> For example if the user 'rowland' was searched for using this LDAP
filter
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"
> The user would only be found if it was a member of the required group
For a sake of completeness, you can also do:

	"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf:1.2.840.113556.1.4.1941:='GROUPS_DN'))"

eg, use 'LDAP_MATCHING_RULE_IN_CHAIN' modifier, and query also nested
groups membership.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On 17/09/2020 08:50, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>
>> For example if the user 'rowland' was searched for using this
LDAP filter
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"
>> The user would only be found if it was a member of the required group
> For a sake of completeness, you can also do:
>
> 
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf:1.2.840.113556.1.4.1941:='GROUPS_DN'))"
>
> eg, use 'LDAP_MATCHING_RULE_IN_CHAIN' modifier, and query also
nested
> groups membership.
>
Well yes, you could do that, but I was just trying to point out that 
when the OP was using an OU in in his 'memberof' search, it wasn't 
likely to work :-)

Rowland

On 2020-09-16 1:49 pm, Rowland penny via samba wrote:
> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
>> I followed the instructions on the OpenVPN site for creating
>> the bind user:
>> 
>>
https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
> 
> OK after reading the supplied link, I think I see where the
> miss-understanding is coming from. Under the heading 'Only allow users
> from one specific group to log on'
> 
> Which is pretty clear, there is this:
> 
> In fact the whole idea is that you are restricting your query to only
> a portion of the LDAP directory that meets your requirements, and any
> user that doesn?t meet that requirement, simply cannot be found in the
> LDAP directory.
> 
> Here you could think that 'portion'? was an OU, I think it should
be:
> 
> In fact the whole idea is that you are restricting your query to only
> members of a particular AD group, and any user that isn?t in that
> group, simply will not be found in the LDAP directory.
> 
> For example if the user 'rowland' was searched for using this LDAP
> filter
>
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"
> The user would only be found if it was a member of the required group
> 
> Rowland
I greatly apologize from being obtuse, but I do not see what I'm
missing.  From what I'm reading I should be setting the following:

Base DN: DC=internal,DC=external,DC=com
Auth. Container: CN=Users,DN=internal,DN=external,DN=com
Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com
Bind user: CN=bind_user,CN=Users,DC=internal,DC=internal,DC=com

The bind_user can logon, so it is a legitimate user.
The format for the bind_user matches the distinguished name
format I get when I review the user's attributes.

The "Active Directory Domain Services Folder" in windows list
the bind_user as being a member of internal.external.com/Users

All of this looks correct.

I haven't even setup the OpenVPN side of things.  I'm just
trying to get the authentication server to respond & the bind
is failing.

I also tried a windows program ldp.exe to verify the bind_user
and that worked.  I can send the results off list if it helps,

thanks again.

Marco

On 17/09/2020 21:33, Marco Shmerykowsky via samba wrote:
> On 2020-09-16 1:49 pm, Rowland penny via samba wrote:
>> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
>>> I followed the instructions on the OpenVPN site for creating
>>> the bind user:
>>>
>>>
https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
>>>
>>
>> OK after reading the supplied link, I think I see where the
>> miss-understanding is coming from. Under the heading 'Only allow
users
>> from one specific group to log on'
>>
>> Which is pretty clear, there is this:
>>
>> In fact the whole idea is that you are restricting your query to only
>> a portion of the LDAP directory that meets your requirements, and any
>> user that doesn?t meet that requirement, simply cannot be found in the
>> LDAP directory.
>>
>> Here you could think that 'portion'? was an OU, I think it
should be:
>>
>> In fact the whole idea is that you are restricting your query to only
>> members of a particular AD group, and any user that isn?t in that
>> group, simply will not be found in the LDAP directory.
>>
>> For example if the user 'rowland' was searched for using this
LDAP
>> filter
>>
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"
>>
>> The user would only be found if it was a member of the required group
>>
>> Rowland
>
> I greatly apologize from being obtuse, but I do not see what I'm
> missing.? From what I'm reading I should be setting the following:
>
> Base DN: DC=internal,DC=external,DC=com
> Auth. Container: CN=Users,DN=internal,DN=external,DN=com
> Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com
I think (and I could be talking out of my hat) that extended Query will 
never work.? 'Users' is a member of Domain Users and like Domain Users 
it has no direct users, or to put it another way, no user has a 
'memberof' attribute containing the DN of 'Users' or 'Domain
Users'.
Have you tried creating another group, such as 'VPN Users' ??

The other question is, is that DN correct and if so how ? In my domain, 
'Users' is at 'CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com'

Rowland

> >
> > I greatly apologize from being obtuse, but I do not see what I'm
> > missing.? From what I'm reading I should be setting the following:
> >
> > Base DN: DC=internal,DC=external,DC=com
> > Auth. Container: CN=Users,DN=internal,DN=external,DN=com
> > Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com
> 
> I think (and I could be talking out of my hat) that extended 
> Query will 
> never work.? 'Users' is a member of Domain Users and like 
> Domain Users 
> it has no direct users, or to put it another way, no user has a 
> 'memberof' attribute containing the DN of 'Users' or
'Domain Users'.
> Have you tried creating another group, such as 'VPN Users' ??
> 
> The other question is, is that DN correct and if so how ? In 
> my domain, 'Users' is at
'CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com'
CN=Users,CN=Builtin,  = in windows "this computer, there Users" 
And in linux same as the local linux users (group) 
> > Base DN: DC=internal,DC=external,DC=com
> > Auth. Container: CN=Users,DN=internal,DN=external,DN=com
> > Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com
Base DN: DC=internal,DC=external,DC=com     correct 
DN=Users,DN=internal,DN=external,DN=com     wrong correct
^^^
CN chnaged to DN. 

Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com  Wrong. 

Now this "might be correct, If YOU crected a Cn=Users, 
 but i think you want "memberof=CN=Domain
Users,DN=Users,DN=internal,DN=engineers,DN=com



Greetz, 

Louis