Symas OpenLDAP Knowledge Base

OPNsense With OpenLDAP

Create an LDAP Server

  • Log in to OPNsense
  • Navigate to: System > Access > Servers
  • Create a new server by clicking on the + icon

Server Config

  • Descriptive Name: A Descriptive Name
  • Type: LDAP
  • Hostname or IP address: Hostname or IP for your OpenLDAP host
  • Port value: Your OpenLDAP port
    • Default: 389
  • Transport: TCP - Standard
  • Protocol version: 3

Make sure the host running OpenLDAP is reachable from OPNsense and that the OpenLDAP port is mapped (exposed) on that host, so that OPNsense can open a connection to it on the port you entered above.

LDAP Config

Bind credentials

User DN

uid=admin,ou=people,dc=example,dc=com

It is recommended that you create a separate user account (e.g., bind_user) instead of using admin when sharing bind credentials with other services. The bind_user should be a member of the ldap_strict_readonly group so that the credentials stored in OPNsense can only read, not change, your LDAP configuration in OpenLDAP.

Password

xxx

Enter the password that you set for the user specified in the User DN field.

Search Scope

One Level

Base DN

dc=example,dc=com

This is the same LDAP Base DN that you set via the OpenLDAP_LDAP_BASE_DN environment variable or in ldap_config.toml.

Authentication containers

ou=people,dc=example,dc=com

Note: The Select box may not work for selecting containers. You can just enter the Authentication containers directly into the text field.

Extended Query

&(objectClass=person)(memberof=cn=ldap_admin,ou=groups,dc=example,dc=com)

It is recommended that you create a unique LDAP group (e.g., ldap_opnsense) in OpenLDAP and use that group in this query instead of ldap_admin. This will limit OPNsense access to users in the ldap_opnsense group and make it easier to synchronize OpenLDAP groups with OPNsense groups for managing OPNsense access.

Initial Template

OpenLDAP

User naming attribute

uid
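The Extended Query and the User naming attribute together decide which directory entries OPNsense will even consider for a login: the login name is looked up by uid and the hit must also satisfy the extended query, so a person who is not in the chosen group is rejected before a password is ever checked. The following added example (it is not code from this guide, from Symas or from the OPNsense project) composes that per-login search filter, escapes the login name as RFC 4515 requires so that a typed name can only be compared as a value, and evaluates the result offline against a few constructed directory entries. The composition (&(uid=<user>)(<extended query>)) is an assumption about how OPNsense combines the two fields; the group name ldap_opnsense follows the recommendation above.

```python
"""Offline check of the login filter OPNsense sends to OpenLDAP.

Added example for this guide, not code from Symas or the OPNsense project.
It composes the per-login search filter from the User naming attribute, the
login name and the Extended Query, escapes the login name as RFC 4515
requires, and evaluates the result against constructed directory entries.
Assumption: OPNsense combines the two fields as (&(<attr>=<user>)(<query>));
confirm against the OPNsense release you run.
"""
import re

USER_ATTR = "uid"
# Extended Query from the guide, using the recommended ldap_opnsense group.
EXTENDED_QUERY = ("&(objectClass=person)"
                  "(memberof=cn=ldap_opnsense,ou=groups,dc=example,dc=com)")

# Constructed sample entries keyed by DN; attribute names are lower-cased.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson", "person"],
        "uid": ["alice"],
        "memberof": ["cn=ldap_opnsense,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson", "person"],
        "uid": ["bob"],
        "memberof": ["cn=developers,ou=groups,dc=example,dc=com"],
    },
    "uid=bind_user,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson", "person"],
        "uid": ["bind_user"],
        "memberof": ["cn=ldap_strict_readonly,ou=groups,dc=example,dc=com"],
    },
}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves, so a login name is only ever
    compared as a value and can never alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_login_filter(username: str, user_attr: str = USER_ATTR,
                       extended: str = EXTENDED_QUERY) -> str:
    """Filter for one login attempt (composition is an assumption, see above)."""
    base = f"({user_attr}={escape_filter_value(username)})"
    return f"(&{base}({extended}))" if extended else base


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Recursive-descent parser for the filter subset used here:
    (&...), (|...), (!...) and (attr=value) with '*' wildcards."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), i + 1
    j = s.index(")", i)          # an escaped ')' is \29, so this is the real one
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":             # presence filter
        return bool(values)
    # Unescaped '*' are wildcards; everything else is compared literally and
    # case-insensitively, which is how these attributes match in OpenLDAP.
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    rx = re.compile(f"^{pattern}$", re.IGNORECASE)
    return any(rx.match(v) for v in values)


def authorized_users(username: str) -> list:
    """DNs the OPNsense login filter for `username` would return; an empty
    list means the login is refused before any password is checked."""
    node = parse_filter(build_login_filter(username))
    return [dn for dn, entry in DIRECTORY.items() if _matches(node, entry)]


if __name__ == "__main__":
    for name in ("alice", "bob", "bind_user", "*", "alice)(uid=bob"):
        print(f"{name!r:20} -> {authorized_users(name)}")
```

Running the script shows that only alice, the sole member of ldap_opnsense, is returned, while bob and bind_user are excluded by the extended query, and that a login name containing filter metacharacters is escaped and simply fails to match. To check a real server the same way, replace the constructed DIRECTORY with the entries an ldapsearch run as bind_user returns for the Base DN and Authentication container configured above.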

Optional Configuration

The above configuration will connect OPNsense to OpenLDAP. This optional configuration will synchronize groups between OpenLDAP and OPNsense and automate user creation when an authorized OpenLDAP user logs into OPNsense.

Remaining Server Configuration

Enable the following options on the OPNsense configuration page for your OpenLDAP server (the same page where you entered the prior configuration):

  • Read Properties: Checked
  • Synchronize groups: Checked
  • Automatic user creation: Checked

Create OPNsense Group

Go to System > Access > Groups and create a new group with the same name as the OpenLDAP group used to authenticate users for OPNsense.

By default, you would name your OPNsense group ldap_admin unless you followed the recommended advice in this guide and created a separate ldap_opnsense group for managing OPNsense users.

If you want your OpenLDAP users to have full administrator access in OPNsense, then you need to edit the Assigned Privileges for the group and add the GUI - All pages system privilege.

Enable OpenLDAP as an Authentication Option

Go to the System > Settings > Administration page and scroll down to the Authentication section. Add your OpenLDAP server configuration to the Server field.

Testing OpenLDAP

OPNsense includes a built-in feature for testing user authentication at System > Access > Tester. Select your OpenLDAP server configuration in the Authentication Server field to test logins for your OpenLDAP users.

More Information

Please read the OPNsense docs for more information on LDAP configuration and managing access to OPNsense.