Setting up OPNSense with Samba LDAP Authentication

Prepping the LDAP / AD Groups and Users

Create a group for your OPNSense to authenticate against on the LDAP server, and a user without privileges and/or interactive login for the firewall to do the ldap tree search. In this case I’ll re-use my old “pfsense-ldap” group but you should probably name it opnsense-ldap or something to your liking.

You might want to check out RSAT Tools, they’re useful for Remote Samba LDAP administration (It does require a Windows 10 Client)

Don’t forget to add users to the group.

Setting up the LDAP / AD authentication in OPNSense

Once you’ve done that log into your OPNSense and do the following:

Head over to the OPNSense System → Access → Servers Section.

Then click the + icon to add an Authentication Server.

Server Settings

On the Server settings area, perform the following configuration:

Description name: SAMBA LDAP
Type: LDAP

Parameters

Hostname or IP address: [yourLDAPserverIPorHostname]
Port value: 389 (PLAIN LDAP) / 636 (LDAP over SSL/TLS)
Transport: TCP - Standard / SSL - Encrypted
Search scope:
- Level: Entire Subtree
- Base DN: dc=your,dc=domain,dc=com
Authentication Containers: OU=Administrators,DC=your,DC=domain,DC=com
Extended query: ENABLED
Query: memberOf=CN=opnsense-ldap,OU=Administrators,DC=your,DC=domain,DC=com
Bind anonymous: DISABLED
Bind credentials: CN=s-opnsenseldap,OU=Service Accounts,DC=your,DC=domain,DC=com
User naming attribute: samAccountName
Read Properties: True
Synchronize Groups: True
Constraint Groups: True
Limit Groups: opnsense-ldap
Automatic User Creation: True
Match Case Insensitive: True