Would you like to learn how to configure OPNsense LDAP authentication on Active directory? In this tutorial, we are going to show you how to authenticate OPNsense users using the Active directory database from Microsoft Windows and the LDAP protocol.

• OPNsense 19.7

Equipment list

The following section presents the list of equipment used to create this tutorial.

As an Amazon Associate, I earn from qualifying purchases.

Tutorial - Windows Domain Controller Firewall

First, we need to create a Firewall rule on the Windows domain controller.

This firewall rule will allow the Opnsense server to query the Active directory database.

On the domain controller, open the application named Windows Firewall with Advanced Security

Create a new Inbound firewall rule.

zabbix active directory

Select the PORT option.

Select the TCP option.

Select the Specific local ports option.

Enter the TCP port 389.

zabbix windows firewall port ldap

Select the Allow the connection option.

zabbix windows firewall allow connection

Check the DOMAIN option.

Check the PRIVATE option.

Check the PUBLIC option.

Enter a description to the firewall rule.

windows firewall active directory

Congratulations, you have created the required firewall rule.

This rule will allow Opnsense to query the Active directory database.

Tutorial - Windows Domain Account Creation

Next, we need to create at least 2 accounts on the Active directory database.

The ADMIN account will be used to login on the Opnsense web interface.

The BIND account will be used to query the Active Directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Zabbix active directory account

Create a new account named: admin

Password configured to the ADMIN user: 123qwe..

This account will be used to authenticate as admin on the Opnsense web interface.

active directory admin accountzabbix active directory admin properties

Create a new account named: bind

Password configured to the BIND user: 123qwe..

This account will be used to query the passwords stored on the Active Directory database.

active directory bind accountzabbix active directory ldap bind properties

Congratulations, you have created the required Active Directory accounts.

OPNsense - OPNsense LDAP Authentication on Active Directory

Open a browser software, enter the IP address of your Opnsense firewall and access web interface.

In our example, the following URL was entered in the Browser:

• https://192.168.15.11

The opnsense web interface should be presented.

opnsense login

On the prompt screen, enter the OPNsense Default Password login information.

• Username: root
• Password: Password set during OPNsense the installation

After a successful login, you will be sent to the OPNSense Dashboard.

opnsense dashboard

Access the Opnsense System menu, access the Access sub-menu and select the Servers option.

opnsense servers menu

Click on the Add button and perform the following configuration.

• Descriptive name: LDAP
• Type: LDAP
• Hostname or IP address - 34.212.170.252
• Port value - 389
• Transport - TCP Standard
• Protocol Version - 3
• Bind credentials - CN=bind,CN=Users,DC=tech,DC=local
• Bind credentials Password - 123qwe.
• Search scope - Entire Subtree
• Base DN - DC=tech,DC=local
• Authentication containers - CN=Users,DC=TECH,DC=LOCAL
• Initial Template - Microsoft AD
• User naming attribute - sAMAccountName
• Read properties
• Synchronize groups
• Limit groups

You need to change the IP address to your domain controller IP.

You need to change the domain information to reflect your Network environment.

You need to change the bind credentials to reflect your Network environment.

opnsense ldap authentication

Click on the Save button to finish the configuration.

In our example, we configured the LDAP server authentication on the OPNsense firewall.

OPNsense - Testing LDAP Authentication

Access the Opnsense System menu, access the Access sub-menu and select the Tester option.

Select the LDAP authentication server.

Enter the Admin username, its password and click on the Test button.

If your test succeeds, you should see the following message.

opnsense ldap authentication test

Congratulations! Your OPNsense LDAP authentication on Active directory was sucessfully configured.

OPNsense - LDAP Group Permission

Access the Opnsense System menu, access the Access sub-menu and select the Groups option.

opnsense servers menu

Add a new local group on the OPNsense firewall.

On the Group creation screen, perform the following configuration:

• Group name - opnsense-admins
• Description - Ldap group
• Member of - optionally you may add the root user account.

Click on the Save button, you will be sent back to the Group configuration screen.

opnsense radius group

Now, you need to edit the permissions of the opnsense-admins group.

On the opnsense-admins group properties, locate the Assigned Privileges area and click on the Add button.

On the Group privilege area, perform the following configuration:

• Assigned privileges - GUI - ALL pages

opnsense group permission

Click on the Save button to finish the configuration.

OPNsense - LDAP User Permission

OPNsense requires all Ldap user accounts to exist on the local database to perform the proper authorization configuration.

We are going to add the admin user account to the local database.

We are going to configure the local account named admin member of the opnsense-admins group.

Access the Opnsense System menu, access the Access sub-menu and select the Users option.

opnsense servers menu

Add a new local user account using the same username from the Active directory account.

opnsense radius user

Make this user account member of the opnsense-admins group.

opnsense radius user group

Click on the Save button to finish the configuration.

OPNsense - Enable the LDAP Authentication

Access the Opnsense System menu, access the Settings sub-menu and select the Administration option.

opnsense administration menu

Locate the authentication area, select the LDAP authentication and click on the Save button.

opnsense ldap active directory

Optionally, select the local database as the second authentication method.

After finishing your configuration, you should log off the Opnsense web interface.

Try to login using the admin user and the password from the Active Directory database.

On the login screen, use the admin user and the password from the Active Directory database.

• Username: admin
• Password: Enter the Active directory password.

opnsense login

Congratulations! You have configured the OPNsense authentication to use the Active directory database using LDAP.