Setting up OPNSense with Samba LDAP Authentication

Prepping the LDAP / AD Groups and Users

On the LDAP server, create a group that OPNSense will check membership of, and a service user with no privileges and no interactive login that the firewall will use to bind and search the LDAP tree. In this case I’ll re-use my old “pfsense-ldap” group, but you should probably name it opnsense-ldap or something to your liking.

Setting up the LDAP / AD authentication in OPNSense

Once you’ve done that, log into your OPNSense and do the following:

Head over to the OPNSense System → Access → Servers Section.

Then click the + icon to add an Authentication Server.

Server Settings

On the Server settings area, perform the following configuration:

  • Description name: SAMBA LDAP
  • Type: LDAP

Parameters

  • Hostname or IP address: [yourLDAPserverIPorHostname]

  • Port value: 389 (PLAIN LDAP) / 636 (LDAP over SSL/TLS)

  • Transport: TCP - Standard / SSL - Encrypted

  • Search scope:

    • Level: Entire Subtree
    • Base DN: dc=your,dc=domain,dc=com

  • Authentication Containers: OU=Administrators,DC=your,DC=domain,DC=com

  • Extended query: ENABLED

  • Query: memberOf=CN=opnsense-ldap,OU=Administrators,DC=your,DC=domain,DC=com

  • Bind anonymous: DISABLED

  • Bind credentials: CN=s-opnsenseldap,OU=Service Accounts,DC=your,DC=domain,DC=com

  • User naming attribute: samAccountName

  • Read Properties: True

  • Synchronize Groups: True

  • Constraint Groups: True

  • Limit Groups: opnsense-ldap

  • Automatic User Creation: True

  • Match Case Insensitive: True

Example:
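The settings above combine into a single bind-and-search against the directory. The following Python is an added example, not code from the original post or from the OPNSense project: it builds the effective search filter (user naming attribute AND the extended memberOf query) with RFC 4515 escaping of the login name, mirrors the case-insensitive group constraint, and composes the equivalent ldapsearch command so the bind account and query can be verified from a shell before relying on the GUI tester. The host name and the sample directory entry are placeholders.

```python
import shlex

# Values copied from the form above; the host name is a placeholder.
LDAP_HOST = "ldap.your.domain.com"
BASE_DN = "dc=your,dc=domain,dc=com"
GROUP_DN = "CN=opnsense-ldap,OU=Administrators,DC=your,DC=domain,DC=com"
BIND_DN = "CN=s-opnsenseldap,OU=Service Accounts,DC=your,DC=domain,DC=com"
USER_ATTR = "samAccountName"

# RFC 4515: these characters must be hex-escaped inside a filter value,
# otherwise a login name could alter the structure of the search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a raw attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, group_dn: str = GROUP_DN) -> str:
    """Filter OPNSense effectively issues: naming attribute AND the extended query."""
    return f"(&({USER_ATTR}={escape_filter_value(username)})(memberOf={group_dn}))"


def is_group_member(entry: dict, group_dn: str = GROUP_DN) -> bool:
    """Mirror 'Constraint Groups' + 'Match Case Insensitive': compare memberOf
    DNs case-insensitively, since AD distinguished names are not case-sensitive."""
    return any(dn.lower() == group_dn.lower() for dn in entry.get("memberOf", []))


def ldapsearch_command(username: str, port: int = 636) -> str:
    """Shell command equivalent to the OPNSense query, for checking the bind
    account and filter outside the GUI. -W prompts for the bind password."""
    scheme = "ldaps" if port == 636 else "ldap"
    argv = [
        "ldapsearch", "-x", "-H", f"{scheme}://{LDAP_HOST}:{port}",
        "-D", BIND_DN, "-W", "-b", BASE_DN, "-s", "sub",
        build_user_filter(username), "dn", USER_ATTR, "memberOf",
    ]
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample entry, shaped like what the directory would return.
    sample = {"samAccountName": "alice",
              "memberOf": ["cn=opnsense-ldap,ou=administrators,dc=your,dc=domain,dc=com"]}
    print(build_user_filter("alice"))
    print("member of opnsense-ldap:", is_group_member(sample))
    print(ldapsearch_command("alice"))
```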

Now go to System → Access → Tester

Test your LDAP login with a user that’s in the OPNSense-ldap group.

Giving permissions to your LDAP / AD Group

Once you’ve tested that successfully, you can go to System → Access → Groups.

Create a group with the following settings:

  • Group name: OPNSense-ldap
  • Description: Samba LDAP Auth Group

After that, edit the permissions of the OPNSense-ldap group and add the GUI - All Pages permission.

Enable the LDAP / Active Directory Authentication

Go to the System → Settings → Administration section and select your SAMBA LDAP authentication server.

Log off the admin user and log in with your own LDAP / AD User.