Setting up OPNSense with Samba LDAP Authentication
Prepping the LDAP / AD Groups and Users
Create a group on the LDAP server that your OPNSense will authenticate against, and a service user with no privileges and no interactive login that the firewall will use for the LDAP tree search. In this case I’ll re-use my old “pfsense-ldap” group, but you should probably name it opnsense-ldap or something to your liking.
Setting up the LDAP / AD authentication in OPNSense
Once you’ve done that, log into your OPNSense and do the following: head over to System → Access → Servers, then click the + icon to add an Authentication Server.
In the Server settings area, perform the following configuration:
- Description name: SAMBA LDAP
- Type: LDAP
- Hostname or IP address: [yourLDAPserverIPorHostname]
- Port value: 389 (plain LDAP) / 636 (LDAP over SSL/TLS)
- Transport: TCP - Standard / SSL - Encrypted (prefer 636 with SSL, since over plain LDAP the bind credentials and user passwords cross the network in clear text)
- Level: Entire Subtree
- Base DN: dc=your,dc=domain,dc=com
- Authentication Containers: OU=Administrators,DC=your,DC=domain,DC=com
- Extended query: ENABLED
- Bind anonymous: DISABLED
- Bind credentials: CN=s-opnsenseldap,OU=Service Accounts,DC=your,DC=domain,DC=com
- User naming attribute: samAccountName
- Read Properties: True
- Synchronize Groups: True
- Constraint Groups: True
- Limit Groups: opnsense-ldap
- Automatic User Creation: True
- Match Case Insensitive: True
Now go to System → Access → Tester and test your LDAP login with a user that is in the OPNSense-ldap group.
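To reproduce the Tester step outside the GUI, here is an added example (my own Python wrapper around ldapsearch, not code from the original post or from OPNsense) that binds with the same service account, base DN and subtree scope and asks for one user restricted to the group; the hostname, password file path, group DN and the memberOf extended query are assumptions, since the post does not show the query text.

```python
# Added example: pre-flight check of the Samba AD bind OPNsense will perform.
import subprocess
from typing import List

def escape_filter(value: str) -> str:
    """Escape the characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_filter(naming_attr: str, username: str, group_dn: str) -> str:
    """Filter for one user by naming attribute, restricted to members of the group.
    Assumption: the extended query restricts on memberOf; the post does not show it."""
    return (f"(&(objectClass=user)({naming_attr}={escape_filter(username)})"
            f"(memberOf={escape_filter(group_dn)}))")

def ldapsearch_argv(host: str, bind_dn: str, pw_file: str, base_dn: str,
                    ldap_filter: str, use_tls: bool = True) -> List[str]:
    """Build the ldapsearch command line matching the OPNsense settings: simple bind
    (-x), whole subtree (-s sub), and the bind password read from a file (-y)
    instead of -w, which would show the password in the process list."""
    uri = f"ldaps://{host}:636" if use_tls else f"ldap://{host}:389"
    return ["ldapsearch", "-x", "-LLL", "-H", uri, "-D", bind_dn, "-y", pw_file,
            "-b", base_dn, "-s", "sub", ldap_filter, "sAMAccountName", "memberOf"]

def check_user(argv: List[str]) -> bool:
    """Run the search; True only if the bind succeeded and a user entry came back."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0 and "sAMAccountName:" in proc.stdout

if __name__ == "__main__":
    # Placeholder values (assumptions): replace with your own domain, account and user.
    base = "DC=your,DC=domain,DC=com"
    flt = user_filter("sAMAccountName", "testuser", "CN=opnsense-ldap,OU=Groups," + base)
    argv = ldapsearch_argv("ldap.your.domain.com",
                           "CN=s-opnsenseldap,OU=Service Accounts," + base,
                           "/root/opnsense-bind.pw", base, flt)
    print("OK" if check_user(argv) else "FAILED: check bind DN, password, base DN or group")
```

If the search binds but returns no entry, the user is outside the base DN, outside the group, or the naming attribute does not match what Samba stores.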
Giving permissions to your LDAP / AD Group
Once you’ve tested that successfully, go to System → Access → Groups and create a group with the following settings:
- Group name: OPNSense-ldap
- Description: Samba LDAP Auth Group
After that, edit the permissions of the OPNSense-ldap group and add the GUI - All Pages permission.
Enable the LDAP / Active Directory Authentication
Go to System → Settings → Administration and select your SAMBA LDAP server under Authentication.
Then log off the admin user and log in with your own LDAP / AD user.