lldap · nitnelave · Apr 27, 2024 · Apr 26, 2024 · Apr 27, 2024
@@ -1,5 +1,8 @@
 # Configuration for pfSense
 
+> [!NOTE]  
+> Replace `dc=example,dc=com` with the same LDAP Base DN that you set via the *LLDAP_LDAP_BASE_DN* environment variable or in `lldap_config.toml`.
+
 ## Create a LDAP Server
 
 - Login to pfSense
@@ -16,7 +19,9 @@
 - Protocol version: `3`
 - Server Timeout: `25`
 
-(Make sure the host running LLDAP is accessible to pfSense and that you mapped the LLDAP port to the LLDAP host)
+> [!NOTE]
+> Make sure the host running LLDAP is accessible to pfSense and that you mapped the LLDAP port to the LLDAP host
+
 ### Search Scope
 ```
 Entire Subtree
@@ -27,18 +32,21 @@ Entire Subtree
 dc=example,dc=com
 ```
 
-This is the same LDAP Base DN that you set via the *LLDAP_LDAP_BASE_DN* environment variable or in `lldap_config.toml`.
 ### Authentication containers
 
 ```
 ou=people
 ```
 
-Note: The `Select a container` box may not work for selecting containers. You can just enter the `Authentication containers` directly into the text field.
+> [!Note]
+> The `Select a container` seach fuction will not work for selecting containers. You enter the `Authentication containers` directly into the text field.
+> This is do to Pfsense running the following filter `"(|(ou=*)(cn=Users))"`, and `Organizational Units` is currently not supported.
 
 ### Extended Query
 
-Enable extended query: `Checked`
+Enable extended query: 
+
+- [X] `Checked`
 
 ### Query:
 
@@ -49,7 +57,8 @@ Enable extended query: `Checked`
 This example gives you two groups in LLDAP, one for pfSense admin access (`pfsense_admin`) and one for guest access (`pfsense_guest`). You **must** create these exact same groups in both LLDAP and pfSense, then give them the correct permissions in pfSense.
 
 ### Bind Anonymous
-`Unchecked`
+
+- [ ] `Unchecked`
 
 ### Bind credentials
 
@@ -80,23 +89,28 @@ cn
 memberof
 ```
 ### RFC 2307 Groups
-`Unchecked`
+
+- [ ] `Unchecked`
 
 ### Group Object Class
-`groupOfUniqueNames`
+```
+groupOfUniqueNames
+```
 
 ### Shell Authentication Group DN
-`cn=pfsense_admin,ou=groups,dc=example,dc=com`
+```
+cn=pfsense_admin,ou=groups,dc=example,dc=com
+```
 
 (This is only if you want to give a group shell access through LDAP. Leave blank and only the pfSense admin user will have shell access.
 
 ### Remaining Server Configuration
 
 Enable the following options on the pfSense configuration page for your LLDAP server (the same page where you entered the prior configuration):
 
-- UTF8 Encodes: `Checked`
-- Username Alterations: `Unchecked`
-- Allow unauthenticated bind: `Unchecked`
+- [X] UTF8 Encodes: `Checked`
+- [ ] Username Alterations: `Unchecked`
+- [ ] Allow unauthenticated bind: `Unchecked`
 
 ### Create pfSense Groups
 
@@ -112,6 +126,9 @@ Go to `System > User Manager > Settings` page. Add your LLDAP server configurati
 
 pfSense includes a built-in feature for testing user authentication at `Diagnostics > Authentication`. Select your LLDAP server configuration in the `Authentication Server` to test logins for your LLDAP users. The groups (only the ones you added to pfSense) should show up when tested.
 
+> [!WARNING] 
+> When running `Save and test`, the `Attempting to fetch Organizational Units from` will fail. This is do to Pfsense running the following filter `"(|(ou=*)(cn=Users))"`, and `Organizational Units` is currently not supported.
+
 ## More Information
 
 Please read the [pfSense docs](https://docs.netgate.com/pfsense/en/latest/usermanager/ldap.html) for more information on LDAP configuration and managing access to pfSense.