PfSense LDAP Authentication
I’m ashamed to admit it took me quite a while to get LDAP authentication up and running. I’m looking to ensure that I can authenticate using LDAP for all my services; it’ll save me from having to either remember a million different passwords or go through a mad hassle if I need to change my password across a million services.
Useful Online Resources
I found this PfSense documentation article to be of great use, though wasn’t able to find much in terms of YouTube tutorials. All tutorials online were for Active Directory (thus continues Microsoft Server market dominance).
- Jump into System > User Manager, and go to the Authentication Servers tab.
- You’ll see the Local Database authentication method already configured there. Click the “Add” button.
- Once in Edit mode, specify the following settings:
- Descriptive Name:
Whatever you want really, I’ve set mine to the hostname group naming standard of my LDAP infrastructure servers.
- Type:
LDAP, of course.
- Hostname or IP Address:
Comma separated list in order of query priority. I’d argue for listing both an IP address and a hostname, so that authentication keeps working if your DNS server is down, or if the LDAP server’s IP address has changed and the correct record is only in DNS.
- Port Value:
389 for most OpenLDAP servers, unless you are using LDAPS, in which case it would be 636.
- Transport:
I’m using plain LDAP at the moment so I’ve specified Standard TCP, but if you’re using LDAPS you’ll need to choose SSL/TLS (or STARTTLS, if that is how your server encrypts the connection).
- Protocol Version:
Almost always v3; it’s 2021.
- Server Timeout:
Up to you really: how long do you want to wait per server before PfSense gives up attempting to contact that LDAP server?
- Search Scope:
I’ve gone with Entire Subtree for reliability’s sake, though if you want speedier authentication you can narrow it to One Level within the search space.
- Base DN:
The root level of the LDAP tree. In my case this is dc=rajchert,dc=net
- Authentication Containers:
Now, you can use the cool “select a container” option, but you need to have specified everything else before you can use this feature. I recommend just putting in wherever your users are located and then coming back later to fiddle. In my case I’ve specified ou=Users,dc=rajchert,dc=net.
- Extended Query:
I’ve set this to False.
- Bind Anonymous:
If you don’t require authentication to verify distinguished names, you can enable this. Otherwise, leave it disabled and specify the credentials of your admin account.
- User naming attribute:
For OpenLDAP, this is generally uid. This is the username that PfSense will authenticate against.
- Group naming attribute:
For OpenLDAP, this is generally cn.
- Group member attribute:
For OpenLDAP, memberUid.
- RFC 2307 Groups:
For OpenLDAP, enable this option.
- RFC 2307 User DN:
I’ve left this disabled.
- Group Object Class:
I’ve specified posixGroup.
- Shell Authentication Group DN:
I’ve left this blank.
- UTF8 Encode:
- Username Alterations:
If you use @example.com in usernames, enable this to make sure PfSense does not strip this from the username.
- Allow unauthenticated bind:
I’ve enabled this.
Save the config and let’s test it. Go to Diagnostics > Authentication, select the LDAP server, and enter your credentials. If all is good you should see a green success message saying “User authenticated successfully. This user is a member of groups:”, and if you are in any groups PfSense will list them here too.
If all is well, you should be ready to enable LDAP as your preferred method of authentication. Navigate to System > User Manager > Settings and, under Authentication Server, select the descriptive name you gave your LDAP server.
No luck? Check Status > System Logs > Authentication for any indicators; it’s relatively verbose. I found that most of my errors were LDAP lookup errors, such as bind account authentication and bind method.
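To make the settings above and the test/troubleshooting steps concrete, here is an added example (written for this post; it is not pfSense’s code and not from the pfSense project). It walks through the same lookups the settings describe, offline: resolve the login name to a DN inside the Authentication Container using the User naming attribute, then collect the posixGroup entries whose memberUid lists that uid (the RFC 2307 group layout), with the search filters escaped so a typed username cannot rewrite them. It also refuses an empty password before any bind happens, which is the case the “Allow unauthenticated bind” option governs, and builds the ldapsearch command line for repeating one lookup by hand when the Authentication log points at a lookup error. The directory entries, the bind callback and the host name ldap-server.example are constructed stand-ins; the DNs and attribute names are the ones from the settings above.

```python
"""Offline walk-through of the LDAP lookups behind the pfSense settings above.
Added example for this article, not pfSense's code. The directory, the bind
callback and the host name are constructed stand-ins."""
import os
import subprocess

BASE_DN = "dc=rajchert,dc=net"                   # Base DN (from the article)
USER_CONTAINER = "ou=Users,dc=rajchert,dc=net"   # Authentication Container
USER_ATTR = "uid"                                # User naming attribute
GROUP_ATTR = "cn"                                # Group naming attribute
MEMBER_ATTR = "memberUid"                        # Group member attribute
GROUP_CLASS = "posixGroup"                       # Group Object Class

# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY = {
    "uid=alice,ou=Users,dc=rajchert,dc=net":
        {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=Users,dc=rajchert,dc=net":
        {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "cn=admins,ou=Groups,dc=rajchert,dc=net":
        {"objectClass": ["posixGroup"], "cn": ["admins"], "memberUid": ["alice"]},
    "cn=vpn,ou=Groups,dc=rajchert,dc=net":
        {"objectClass": ["posixGroup"], "cn": ["vpn"], "memberUid": ["alice", "bob"]},
}


def escape_filter(value):
    """RFC 4515 escaping: a typed username such as 'alice)(uid=*' must stay a
    literal value instead of rewriting the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_filter(username):
    """The filter the User naming attribute setting amounts to."""
    return "(%s=%s)" % (USER_ATTR, escape_filter(username))


def group_filter(username):
    """RFC 2307 groups: memberUid carries the uid, not the user's DN, which is
    why 'RFC 2307 User DN' stays disabled for this layout."""
    return "(&(objectClass=%s)(%s=%s))" % (GROUP_CLASS, MEMBER_ATTR, escape_filter(username))


def in_scope(dn, base, subtree=True):
    """Search Scope: Entire Subtree accepts any DN under base; One Level only
    DNs exactly one RDN below it (escaped commas inside RDNs are ignored here)."""
    if not dn.lower().endswith("," + base.lower()):
        return False
    return subtree or "," not in dn[:-len(base) - 1]


def find_user_dn(username, subtree=True):
    """Resolve the login name to a DN inside the authentication container."""
    for dn, attrs in DIRECTORY.items():
        if in_scope(dn, USER_CONTAINER, subtree) and username in attrs.get(USER_ATTR, []):
            return dn
    return None


def groups_for(username):
    """Group names that would follow 'This user is a member of groups:'."""
    return sorted(attrs[GROUP_ATTR][0] for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, BASE_DN)
                  and GROUP_CLASS in attrs.get("objectClass", [])
                  and username in attrs.get(MEMBER_ATTR, []))


def authenticate(username, password, bind):
    """bind(dn, password) -> bool stands in for the server round trip.
    An empty password is refused before any bind is attempted: RFC 4513 lets a
    simple bind with a DN and a zero-length password succeed as an anonymous
    bind, which is the case the 'Allow unauthenticated bind' option is about.
    Returns the user's group list on success, None otherwise."""
    if not password:
        return None
    dn = find_user_dn(username)
    if dn is None or not bind(dn, password):
        return None
    return groups_for(username)


def ldapsearch_argv(host, bind_dn, base, ldap_filter, port=389, starttls=False):
    """argv to repeat one lookup with OpenLDAP's ldapsearch, outside pfSense:
    -x simple bind, -D/-W bind DN and password prompt, -b search base,
    -ZZ require a successful STARTTLS before the bind is sent."""
    argv = ["ldapsearch", "-x", "-H", "ldap://%s:%d" % (host, port),
            "-D", bind_dn, "-W", "-b", base]
    if starttls:
        argv.append("-ZZ")
    return argv + [ldap_filter, USER_ATTR, GROUP_ATTR, MEMBER_ATTR]


def fake_bind(dn, password):
    """Constructed stand-in for the server: one known-good password."""
    return password == "correct horse"


if __name__ == "__main__":
    print(authenticate("alice", "correct horse", fake_bind))  # ['admins', 'vpn']
    print(authenticate("alice", "", fake_bind))               # None
    cmd = ldapsearch_argv("ldap-server.example", "cn=admin," + BASE_DN,
                          USER_CONTAINER, user_filter("alice"))
    print(" ".join(cmd))
    if os.environ.get("RUN_LDAPSEARCH"):   # only hits a real server when asked
        subprocess.run(cmd)
```

Running the script prints the resolved group list, the refusal for the empty password, and the ldapsearch command; set RUN_LDAPSEARCH=1 (with a real host and bind DN substituted) to execute that command against your server. Repeating the user lookup and then the group lookup (`group_filter`) this way tells you whether a failure in the Authentication log is the bind account, the container, or the attribute names, before touching the GUI again.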
I’d highly encourage you to review PfSense documentation as well.