Would you like to learn how to configure OPNsense LDAP authentication on Active directory? In this tutorial, we are going to show you how to authenticate OPNsense users using the Active directory database from Microsoft Windows and the LDAP protocol.

• OPNsense 19.7


Tutorial - Windows Domain Controller Firewall

First, we need to create a Firewall rule on the Windows domain controller.

This firewall rule will allow the OPNsense firewall to query the Active Directory database over LDAP.

On the domain controller, open the application named Windows Firewall with Advanced Security.

Create a new Inbound firewall rule.

Select the PORT option.

Select the TCP option.

Select the Specific local ports option.

Enter the TCP port 389.

Select the Allow the connection option.

Check the DOMAIN option.

Check the PRIVATE option.

Check the PUBLIC option.

Enter a description for the firewall rule.

Congratulations, you have created the required firewall rule.

This rule will allow OPNsense to query the Active Directory database.

Tutorial - Windows Domain Account Creation

Next, we need to create at least 2 accounts on the Active directory database.

The ADMIN account will be used to log in to the OPNsense web interface.

The BIND account will be used to query the Active Directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Create a new account named: admin

Password configured for the ADMIN user: 123qwe..

This account will be used to authenticate as admin on the Opnsense web interface.

Create a new account named: bind

Password configured for the BIND user: 123qwe..

This account will be used to query the passwords stored on the Active Directory database.

Congratulations, you have created the required Active Directory accounts.

OPNsense - OPNsense LDAP Authentication on Active Directory

Open a web browser, enter the IP address of your OPNsense firewall and access the web interface.

In our example, the following URL was entered in the Browser:

• https://192.168.15.11

The OPNsense web interface should be presented.

On the login screen, enter the OPNsense administrative login information.

• Username: root
• Password: Password set during the OPNsense installation

After a successful login, you will be sent to the OPNsense Dashboard.

Access the OPNsense System menu, access the Access sub-menu and select the Servers option.

Click on the Add button and perform the following configuration.

• Descriptive name - LDAP
• Type - LDAP
• Hostname or IP address - 34.212.170.252
• Port value - 389
• Transport - TCP Standard
• Protocol Version - 3
• Bind credentials - CN=bind,CN=Users,DC=tech,DC=local
• Bind credentials Password - 123qwe.
• Search scope - Entire Subtree
• Base DN - DC=tech,DC=local
• Authentication containers - CN=Users,DC=TECH,DC=LOCAL
• Initial Template - Microsoft AD
• User naming attribute - sAMAccountName
• Read properties
• Synchronize groups
• Limit groups

You need to change the IP address to the IP address of your domain controller.

You need to change the domain information (Base DN and Authentication containers) to reflect your network environment.

You need to change the bind credentials to reflect your network environment.
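To make the server settings above concrete, here is an added Python example (not OPNsense code) of the bind, search and rebind sequence an LDAP authenticator runs with those values; the FakeDirectory is a constructed in-memory stand-in for the domain controller, and the filter escaping shows why the login name must not be placed into the search filter unescaped.

```python
# Values taken from the tutorial's LDAP server definition
LDAP_CONFIG = {
    "bind_dn": "CN=bind,CN=Users,DC=tech,DC=local",
    "bind_password": "123qwe.",
    "auth_container": "CN=Users,DC=TECH,DC=LOCAL",
    "naming_attribute": "sAMAccountName",
}

# RFC 4515: characters that would change the meaning of a search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(cfg: dict, username: str) -> str:
    """Filter used to locate the user by the configured naming attribute."""
    return f"({cfg['naming_attribute']}={escape_filter_value(username)})"

def authenticate(directory, cfg: dict, username: str, password: str) -> bool:
    """bind -> search -> rebind; directory offers bind(dn, pw) -> bool and
    search(base_dn, ldap_filter) -> list of matching DNs."""
    if not password:
        return False  # AD treats an empty password as an unauthenticated bind
    # Step 1: bind with the service account so we are allowed to search
    if not directory.bind(cfg["bind_dn"], cfg["bind_password"]):
        return False
    # Step 2: resolve the login name to exactly one DN in the authentication container
    matches = directory.search(cfg["auth_container"], build_user_filter(cfg, username))
    if len(matches) != 1:
        return False
    # Step 3: rebind as that DN; the domain controller checks the password
    return directory.bind(matches[0], password)

class FakeDirectory:
    """Constructed in-memory stand-in for the domain controller (not a real LDAP server)."""
    def __init__(self):
        # DN -> (sAMAccountName, password), using the tutorial's sample accounts
        self.entries = {
            "CN=bind,CN=Users,DC=tech,DC=local": ("bind", "123qwe."),
            "CN=admin,CN=Users,DC=tech,DC=local": ("admin", "123qwe.."),
        }
    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and bool(password) and entry[1] == password
    def search(self, base_dn: str, ldap_filter: str) -> list:
        # Toy matcher: exact sAMAccountName equality below the base DN (DNs are case-insensitive)
        attr, _, value = ldap_filter[1:-1].partition("=")
        return [dn for dn, (sam, _) in self.entries.items()
                if attr == "sAMAccountName" and sam == value and dn.lower().endswith(base_dn.lower())]
```

With Transport set to TCP Standard on port 389, both the bind account password and each user's password cross the network unencrypted, so the firewall rule above should only admit the OPNsense host.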

Click on the Save button to finish the configuration.

In our example, we configured the LDAP server authentication on the OPNsense firewall.

OPNsense - Testing LDAP Authentication

Access the OPNsense System menu, access the Access sub-menu and select the Tester option.

Select the LDAP authentication server.

Enter the Admin username, its password and click on the Test button.

If your test succeeds, you should see the following message.

Congratulations! Your OPNsense LDAP authentication on Active Directory was successfully configured.

OPNsense - LDAP Group Permission

Access the OPNsense System menu, access the Access sub-menu and select the Groups option.

Add a new local group on the OPNsense firewall.

On the Group creation screen, perform the following configuration:

• Group name - opnsense-admins
• Description - Ldap group
• Member of - optionally you may add the root user account.

Click on the Save button; you will be sent back to the Group configuration screen.

Now, you need to edit the permissions of the opnsense-admins group.

On the opnsense-admins group properties, locate the Assigned Privileges area and click on the Add button.

On the Group privilege area, perform the following configuration:

• Assigned privileges - GUI - ALL pages

Click on the Save button to finish the configuration.

OPNsense - LDAP User Permission

OPNsense requires every LDAP user account to also exist in the local user database so that the proper authorization (group membership and privileges) can be configured.

We are going to add the admin user account to the local database and make it a member of the opnsense-admins group.

Access the OPNsense System menu, access the Access sub-menu and select the Users option.

Add a new local user account using the same username as the Active Directory account.

Make this user account a member of the opnsense-admins group.

Click on the Save button to finish the configuration.

OPNsense - Enable the LDAP Authentication

Access the OPNsense System menu, access the Settings sub-menu and select the Administration option.

Locate the Authentication area, select the LDAP authentication server and click on the Save button.

Optionally, select the local database as the second authentication method.

After finishing your configuration, log out of the OPNsense web interface.

On the login screen, try to log in using the admin user and the password from the Active Directory database.

• Username: admin
• Password: Enter the Active directory password.

Congratulations! You have configured OPNsense to authenticate users against the Active Directory database using LDAP.