
    Using an LDAP server with pfSense

    When you run a Windows network behind a pfSense firewall, you may want to authenticate pfSense administrators and VPN users against Active Directory over the LDAP protocol. This requires a number of steps on both your Domain Controller and your pfSense firewall; this tutorial walks through them.

    This tutorial assumes a private network that contains at least a Windows Server configured as an Active Directory Domain Controller and a pfSense firewall.

    Step 1

    Connect to your DC via Remote Desktop or the VPS console.

    Windows clients and servers use the LDAP protocol to talk to a Domain Controller (DC). The connectionless variant of this protocol (CLDAP, UDP port 389) can be abused as a reflector in (D)DoS amplification attacks. We therefore monitor our network for publicly accessible LDAP servers and block the LDAP port if necessary.

    If you have already restricted the LDAP port (UDP 389) on your DC so that only servers on your private network can reach it, skip to step 5.

    Step 2

    Click the Start button and use the search term 'Firewall'. Alternatively, you can find the firewall in Server Manager under 'Tools'. In the search results, click 'Windows Firewall with Advanced Security'.

    [Screenshot: windows start search for firewall]

    Step 3

    Click 'Inbound Rules'. Most likely this overview already contains two LDAP rules called 'Active Directory Domain Controller - LDAP' for TCP-In and UDP-In, or you have already created your own LDAP rule.

    Now double-click the LDAP rule for UDP traffic.

    [Screenshot: firewall ldap udp in]

    Step 4

    First check in the 'General' tab that the option 'Allow the connection' is selected.

    [Screenshot: windows firewall ldap udp in general allow]

    Then click the 'Scope' tab and, under 'Remote IP address', click 'Add'.

    [Screenshot: windows firewall ldap udp in scope remote]

    Enter the subnet (your IP range) that you use for your private network (see this manual), for example 192.168.0.0/24, and click 'OK'.

    [Screenshot: windows firewall rule add ip address]

    Click 'Apply' and 'OK' to apply the changes and close the window.

    Repeat this for the TCP-In rule ('Active Directory Domain Controller - LDAP (TCP-In)') with the same subnet. pfSense itself talks LDAP over TCP, so this is the rule it actually needs, and neither rule has any reason to be reachable from the internet. If you intend to use LDAPS (port 636), scope the 'Secure LDAP (TCP-In)' rule the same way.
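    The same change from an elevated PowerShell session on the DC, as an added example that is not part of the original tutorial. It assumes the default rule display names created by the AD DS role are still present and that 192.168.0.0/24 is your private network range; both are placeholders to replace.

```powershell
# Added example (not from the original tutorial): scope the built-in LDAP inbound rules
# on the Domain Controller to the private subnet and verify the result.
# Assumptions: default AD DS rule display names, private range 192.168.0.0/24.
$PrivateSubnet = '192.168.0.0/24'

$RuleNames = @(
    'Active Directory Domain Controller - LDAP (UDP-In)',   # CLDAP: the (D)DoS reflection vector
    'Active Directory Domain Controller - LDAP (TCP-In)'    # plain LDAP: what pfSense actually uses
)

foreach ($Name in $RuleNames) {
    $Rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop
    # Keep the rule enabled and allowing, but restrict the remote side to the private subnet.
    $Rule | Set-NetFirewallRule -Enabled True -Action Allow -RemoteAddress $PrivateSubnet
}

# Verify: each rule must now list only the private subnet as its remote address.
foreach ($Name in $RuleNames) {
    $Filter = Get-NetFirewallRule -DisplayName $Name | Get-NetFirewallAddressFilter
    '{0}: remote = {1}' -f $Name, ($Filter.RemoteAddress -join ', ')
}

# Final check from a machine OUTSIDE the private network (replace the placeholder):
# port 389 on the DC's public address should no longer accept a TCP connection.
#   Test-NetConnection -ComputerName <public IP of the DC> -Port 389
```

    If you created your own LDAP rule instead of using the built-in ones, substitute its display name in $RuleNames; the scope change is the same.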


    Step 5

    Next we create the necessary user and group in Active Directory.

    Click the Windows Start button, type 'Active Directory Users and Computers' and click the result.

    [Screenshot: windows start active directory users computers]

    Step 6

    Click the name of your domain and then click 'Users'.

    [Screenshot: windows aduc domain users]

    Step 7

    In the list of users, right-click an empty space and select 'New' > 'User', or use the shortcut icon at the top of the window.

    [Screenshot: windows aduc new user]

    Step 8

    Give the new user a recognizable name such as pfbind or pfldap. pfSense uses this account to connect to Active Directory and look up users (in pfSense this is the Bind user). Note the 'Full name' you enter here: it becomes the CN in the bind DN you will need in step 16. This account only needs the read access every domain user has by default, so do not make it a member of any administrative group.

    [Screenshot: windows aduc new user pfldap]

    Step 9

    Enter a long, random password, untick 'User must change password at next logon' and tick 'Password never expires', then click 'Next'. An LDAP simple bind with an account that still has a pending password change fails, and an expiring password would silently break pfSense logins later; rotate it deliberately (in AD and in pfSense at the same time) instead.

    [Screenshot: windows aduc new user admin pass]

    Step 10

    Click 'Finish' to close the wizard.

    [Screenshot: windows aduc new user admin finish]

    Step 11

    In the list of users, right-click an empty spot and select 'New' > 'Group', or use the shortcut icon at the top of the window to create a new group.

    [Screenshot: windows aduc new group]

    Step 12

    Give the group a name, for example 'pfsense' or 'pfsense admin' for a group of pfSense administrators, or 'pfsense vpn' for a group of OpenVPN users. Note the exact name: pfSense maps an LDAP group onto a local pfSense group by name, so you will later create a group with this same name in pfSense and attach privileges to it.

    [Screenshot: windows aduc new group pfsense]

    Step 13

    In the ADUC tool, double-click the name of the newly created group, click the 'Members' tab and then click 'Add'.

    [Screenshot: windows aduc pfsense members]

    Now search for the name of a user you want to add to this group and repeat this step until all desired users have been added to the group.
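    Steps 5 to 13 done with the ActiveDirectory PowerShell module instead of ADUC, as an added example that is not part of the original tutorial. It assumes the domain transip.local, objects placed in the built-in Users container, a group named 'pfsense admins' and two hypothetical admins alice and bob; change all of these to your own values.

```powershell
# Added example (not from the original tutorial): create the pfSense bind account and the
# admin group in Active Directory. Assumptions: domain transip.local, built-in Users
# container, group 'pfsense admins', placeholder admins alice and bob.
Import-Module ActiveDirectory

$Domain    = 'DC=transip,DC=local'
$Container = "CN=Users,$Domain"
$GroupName = 'pfsense admins'
$Admins    = @('alice', 'bob')

# Prompt for the bind password so it never ends up in a script file or shell history.
$BindPassword = Read-Host -AsSecureString -Prompt 'Password for pfldap'

# Low-privilege bind account: a plain domain user in no admin groups. No forced password
# change (a pending change makes LDAP simple binds fail) and no expiry (an expired
# password would silently break pfSense logins); rotate it deliberately instead.
New-ADUser -Name 'pfldap' `
           -SamAccountName 'pfldap' `
           -UserPrincipalName 'pfldap@transip.local' `
           -Path $Container `
           -AccountPassword $BindPassword `
           -ChangePasswordAtLogon $false `
           -PasswordNeverExpires $true `
           -Enabled $true `
           -Description 'pfSense LDAP bind account (read-only)'

# Security group whose members pfSense will treat as administrators.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $Container
Add-ADGroupMember -Identity $GroupName -Members $Admins

# The two distinguished names you will type into pfSense in step 16.
'Bind DN : ' + (Get-ADUser  -Identity 'pfldap').DistinguishedName
'Group DN: ' + (Get-ADGroup -Identity $GroupName).DistinguishedName

# Sanity check: the admins must now carry the group in memberOf, which is the
# attribute pfSense reads to map them onto its local group of the same name.
Get-ADUser -Identity $Admins[0] -Properties memberOf | Select-Object -ExpandProperty memberOf
```

    Run this on the DC or on any machine with RSAT installed, as an account allowed to create objects in the container.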

    Step 14

    Now log in to the pfSense web interface as admin and in the top menu click 'System' > 'User Manager'.

    [Screenshot: pfsense system user manager]

    Step 15

    Click the 'Authentication Servers' tab and then 'Add'.

    [Screenshot: pfsense authentication servers add]

    Step 16

    Choose 'LDAP' as the type and pick 'Microsoft AD' as the initial template, then fill in the form as in the example below, using your own details for the following points:

    • Hostname or IP address: The IP address or host name of your Domain Controller on your private network. Port 389 with the standard TCP transport is plain LDAP, which sends the bind password unencrypted; on a shared network prefer port 636 with the SSL/TLS transport (or STARTTLS on 389), enter the host name exactly as it appears in the DC's certificate, and import the issuing CA under 'System' > 'Cert. Manager' first.
       
    • Base DN: The domain name of your Windows domain, as you set it up in step 13 of our Active Directory tutorial. You split the domain name on the dots and place DC= in front of each part. For example, for the domain transip.local this becomes DC=transip,DC=local (no spaces!).
       
    • Authentication Containers: The container in your Active Directory that holds the users and groups, followed by your Base DN (see previous point). For the built-in Users container this is CN=Users, for example CN=Users,DC=transip,DC=local. If you created your own organisational unit for them, use OU= instead (for example OU=pfSense,DC=transip,DC=local); several containers can be listed, separated by semicolons.
       
    • Bind credentials: The distinguished name of the bind user from step 8, i.e. CN= followed by the user's full name as shown in ADUC, then the container it lives in, for example CN=pfldap,CN=Users,DC=transip,DC=local, together with its password. Active Directory also accepts the user principal name (pfldap@transip.local) here. Leave 'Use anonymous binds' unticked; AD does not allow anonymous searches.
       
    • User naming attribute, Group naming attribute, Group member attribute: For Active Directory these are samAccountName, cn and memberOf. The 'Microsoft AD' template fills them in; check that they were not left at the OpenLDAP defaults.

    [Screenshot: pfsense authentication servers edit]
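    Before saving, it pays to replay the exchange pfSense will perform (bind as pfldap, find the user by samAccountName under the container, bind as that user, read memberOf) from any Windows machine on the private network, so that DN typos and container mistakes show up as clear LDAP errors rather than a generic login failure. The script below does that and is an added example, not part of the original tutorial or of pfSense; it assumes the DC is reachable as dc01.transip.local, the bind user pfldap in CN=Users, a group 'pfsense admins' and a hypothetical test user alice.

```powershell
# Added example (not from the original tutorial): replay pfSense's LDAP login flow against
# the DC. Assumptions: DC dc01.transip.local, bind user pfldap in CN=Users, group
# 'pfsense admins', placeholder test user alice. Prompts for both passwords.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'dc01.transip.local:389'   # for LDAPS use :636 and set SessionOptions.SecureSocketLayer = $true
$BaseDn    = 'DC=transip,DC=local'
$Container = "CN=Users,$BaseDn"          # pfSense "Authentication containers"
$BindDn    = "CN=pfldap,$Container"      # pfSense "Bind credentials"
$GroupName = 'pfsense admins'            # must match the pfSense local group name
$TestUser  = 'alice'

$BindCred = Get-Credential -UserName $BindDn  -Message 'Bind password (pfldap)'
$UserCred = Get-Credential -UserName $TestUser -Message "Password of $TestUser"

# LDAP simple bind, which is what pfSense does with the bind DN and later with the user's DN.
function New-SimpleBind([string]$Dn, [securestring]$Password) {
    $c = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $c.SessionOptions.ProtocolVersion = 3
    $c.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $c.Credential = New-Object System.Net.NetworkCredential($Dn, $Password)
    $c.Bind()      # throws LdapException on a wrong DN or password
    return $c
}

# 1. Bind as pfldap and look the user up by samAccountName (pfSense "User naming attribute").
$conn = New-SimpleBind $BindDn $BindCred.Password
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $Container,
            "(&(objectClass=user)(samAccountName=$TestUser))",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('distinguishedName', 'memberOf'))
$resp = $conn.SendRequest($req)
if ($resp.Entries.Count -ne 1) { throw "user '$TestUser' not found under $Container" }
$entry  = $resp.Entries[0]
$UserDn = [string]$entry.Attributes['distinguishedName'][0]
"user DN : $UserDn"

# 2. Bind as the user with the supplied password: this is the actual credential check.
$userConn = New-SimpleBind $UserDn $UserCred.Password
"password: OK for $UserDn"
$userConn.Dispose()

# 3. Read memberOf (pfSense "Group member attribute") and reduce each group DN to its CN,
#    which is the value pfSense compares with its local group names.
$Groups = @($entry.Attributes['memberOf'].GetValues([string]) |
            ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
"groups  : $($Groups -join ', ')"
if ($Groups -contains $GroupName) { "=> would receive the privileges of pfSense group '$GroupName'" }
else                              { "=> NOT a member of '$GroupName'; no privileges in pfSense" }
$conn.Dispose()
```

    A bind failure at step 1 means the bind DN or its password is wrong (or the account still has a pending password change); an empty search means the container or the Base DN is wrong; a failure at step 2 is the user's own password. pfSense offers the same end-to-end check under 'Diagnostics' > 'Authentication' once the server is saved.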

    Save the server, then test a login with it under 'Diagnostics' > 'Authentication'. To make the AD groups mean something in pfSense, create a local group under 'System' > 'User Manager' > 'Groups' with exactly the same name as the AD group (scope 'Remote') and give it the privileges you want, for example 'WebCfg - All pages' for administrators. Finally select the new authentication server under 'System' > 'User Manager' > 'Settings' for web interface logins, or as 'Backend for authentication' in your OpenVPN server for VPN users.

    This brings us to the end of this tutorial on how to configure an LDAP server in pfSense.