Rowland penny
2020-Sep-16 17:49 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:> I followed the instructions on the OpenVPN site for creating > the bind user: > > https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user >OK after reading the supplied link, I think I see where the miss-understanding is coming from. Under the heading 'Only allow users from one specific group to log on' Which is pretty clear, there is this: In fact the whole idea is that you are restricting your query to only a portion of the LDAP directory that meets your requirements, and any user that doesn?t meet that requirement, simply cannot be found in the LDAP directory. Here you could think that 'portion'? was an OU, I think it should be: In fact the whole idea is that you are restricting your query to only members of a particular AD group, and any user that isn?t in that group, simply will not be found in the LDAP directory. For example if the user 'rowland' was searched for using this LDAP filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))" The user would only be found if it was a member of the required group Rowland
Marco Gaiarin
2020-Sep-17 07:50 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
Mandi! Rowland penny via samba In chel di` si favelave...> For example if the user 'rowland' was searched for using this LDAP filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))" > The user would only be found if it was a member of the required groupFor a sake of completeness, you can also do: "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf:1.2.840.113556.1.4.1941:='GROUPS_DN'))" eg, use 'LDAP_MATCHING_RULE_IN_CHAIN' modifier, and query also nested groups membership. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Rowland penny
2020-Sep-17 08:29 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 17/09/2020 08:50, Marco Gaiarin via samba wrote:> Mandi! Rowland penny via samba > In chel di` si favelave... > >> For example if the user 'rowland' was searched for using this LDAP filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))" >> The user would only be found if it was a member of the required group > For a sake of completeness, you can also do: > > "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf:1.2.840.113556.1.4.1941:='GROUPS_DN'))" > > eg, use 'LDAP_MATCHING_RULE_IN_CHAIN' modifier, and query also nested > groups membership. >Well yes, you could do that, but I was just trying to point out that when the OP was using an OU in in his 'memberof' search, it wasn't likely to work :-) Rowland
Marco Shmerykowsky
2020-Sep-17 20:33 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 2020-09-16 1:49 pm, Rowland penny via samba wrote:> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote: >> I followed the instructions on the OpenVPN site for creating >> the bind user: >> >> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user > > OK after reading the supplied link, I think I see where the > miss-understanding is coming from. Under the heading 'Only allow users > from one specific group to log on' > > Which is pretty clear, there is this: > > In fact the whole idea is that you are restricting your query to only > a portion of the LDAP directory that meets your requirements, and any > user that doesn?t meet that requirement, simply cannot be found in the > LDAP directory. > > Here you could think that 'portion'? was an OU, I think it should be: > > In fact the whole idea is that you are restricting your query to only > members of a particular AD group, and any user that isn?t in that > group, simply will not be found in the LDAP directory. > > For example if the user 'rowland' was searched for using this LDAP > filter > "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))" > The user would only be found if it was a member of the required group > > RowlandI greatly apologize from being obtuse, but I do not see what I'm missing. From what I'm reading I should be setting the following: Base DN: DC=internal,DC=external,DC=com Auth. Container: CN=Users,DN=internal,DN=external,DN=com Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com Bind user: CN=bind_user,CN=Users,DC=internal,DC=internal,DC=com The bind_user can logon, so it is a legitimate user. The format for the bind_user matches the distinguished name format I get when I review the user's attributes. The "Active Directory Domain Services Folder" in windows list the bind_user as being a member of internal.external.com/Users All of this looks correct. I haven't even setup the OpenVPN side of things. I'm just trying to get the authentication server to respond & the bind is failing. I also tried a windows program ldp.exe to verify the bind_user and that worked. I can send the results off list if it helps, thanks again. Marco
Rowland penny
2020-Sep-17 20:55 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 17/09/2020 21:33, Marco Shmerykowsky via samba wrote:> On 2020-09-16 1:49 pm, Rowland penny via samba wrote: >> On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote: >>> I followed the instructions on the OpenVPN site for creating >>> the bind user: >>> >>> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user >>> >> >> OK after reading the supplied link, I think I see where the >> miss-understanding is coming from. Under the heading 'Only allow users >> from one specific group to log on' >> >> Which is pretty clear, there is this: >> >> In fact the whole idea is that you are restricting your query to only >> a portion of the LDAP directory that meets your requirements, and any >> user that doesn?t meet that requirement, simply cannot be found in the >> LDAP directory. >> >> Here you could think that 'portion'? was an OU, I think it should be: >> >> In fact the whole idea is that you are restricting your query to only >> members of a particular AD group, and any user that isn?t in that >> group, simply will not be found in the LDAP directory. >> >> For example if the user 'rowland' was searched for using this LDAP >> filter >> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))" >> >> The user would only be found if it was a member of the required group >> >> Rowland > > I greatly apologize from being obtuse, but I do not see what I'm > missing.? From what I'm reading I should be setting the following: > > Base DN: DC=internal,DC=external,DC=com > Auth. Container: CN=Users,DN=internal,DN=external,DN=com > Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=comI think (and I could be talking out of my hat) that extended Query will never work.? 'Users' is a member of Domain Users and like Domain Users it has no direct users, or to put it another way, no user has a 'memberof' attribute containing the DN of 'Users' or 'Domain Users'. Have you tried creating another group, such as 'VPN Users' ?? The other question is, is that DN correct and if so how ? In my domain, 'Users' is at 'CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com' Rowland
L.P.H. van Belle
2020-Sep-18 07:01 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
> > > > I greatly apologize from being obtuse, but I do not see what I'm > > missing.? From what I'm reading I should be setting the following: > > > > Base DN: DC=internal,DC=external,DC=com > > Auth. Container: CN=Users,DN=internal,DN=external,DN=com > > Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com > > I think (and I could be talking out of my hat) that extended > Query will > never work.? 'Users' is a member of Domain Users and like > Domain Users > it has no direct users, or to put it another way, no user has a > 'memberof' attribute containing the DN of 'Users' or 'Domain Users'. > Have you tried creating another group, such as 'VPN Users' ?? > > The other question is, is that DN correct and if so how ? In > my domain, 'Users' is at 'CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com'CN=Users,CN=Builtin, = in windows "this computer, there Users" And in linux same as the local linux users (group)> > Base DN: DC=internal,DC=external,DC=com > > Auth. Container: CN=Users,DN=internal,DN=external,DN=com > > Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=comBase DN: DC=internal,DC=external,DC=com correct DN=Users,DN=internal,DN=external,DN=com wrong correct ^^^ CN chnaged to DN. Extended Query: memberof=CN=Users,DN=internal,DN=engineers,DN=com Wrong. Now this "might be correct, If YOU crected a Cn=Users, but i think you want "memberof=CN=Domain Users,DN=Users,DN=internal,DN=engineers,DN=com Greetz, Louis
Maybe Matching Threads
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind