System: Access: Tester does not return group from user #1169

Closed
ccesario opened this issue Sep 2, 2016 · 12 comments

Comments

ccesario commented Sep 2, 2016

Hi,

The Tester form does not return the group name of the user when using Active Directory as the server.


Versions: OPNsense 16.7.3-amd64
FreeBSD 10.3-RELEASE-p7
OpenSSL 1.0.2h 3 May 2016

@AdSchellevis (Member)

@ccesario did you import the user first and assign groups to it?

ccesario (Author) commented Sep 2, 2016

@AdSchellevis No. I really did not see it. Where can I do it?

@AdSchellevis (Member)

@ccesario no problem, you should see a cloud symbol in the System -> Access -> Users screen, at the bottom right of the screen. You can import users into the OPNsense configuration, to which you can then assign groups and rights.

ccesario (Author) commented Sep 2, 2016

@AdSchellevis well, I think that the cloud symbol does not appear in my system.

Look at this:


@AdSchellevis (Member)

Ah, I see. It only appears if LDAP (/AD) is used as the authentication option for the UI. This is handled in the settings (2 menu items below).

Pimmal commented Sep 4, 2016

The same problem is here on my side: the Tester form does not return the group name of the user when using Active Directory as the server.

@AdSchellevis (Member)

Groups are only supported if LDAP (/AD) is used as authentication for the web GUI: System -> Access -> Settings, then choose your server. Next, import users into the configuration.
There currently are no other services which make use of groups.

Pimmal commented Sep 4, 2016

Import users into the configuration.

The users are created in AD; where do I have to import the users?
If I have to import the users, then AD auth makes no sense.

@AdSchellevis (Member)

If you want to assign rights within OPNsense, you need to import users. If you just want to use the connector (e.g. OpenVPN, IPsec), you don't need to assign privileges and therefore don't need to import the users into the firewall (and hence don't need the assigned groups either).
LDAP (/AD) is used for authentication only; authorisation is handled within the product itself.

For reference, the original issue was solved in issue #266.
The reason for handling authorisation locally is simple: keep the ACL structure clean and simple, without interaction with other services. Like in a lot of other products, the "linking pin" needs to be stored in the product to use it.

We do need some documentation about this subject.

Pimmal commented Sep 5, 2016

But it makes no sense to create the users in OPNsense locally. I use the AD auth to administrate the OPNsense admins in AD, like in pfSense. There, all users with the AD group pfsense-admin have access to the admin features. I would prefer to do the same in OPNsense; if this is not possible, then I have to use the non-stable pfSense product.

Because I would like only one place to administrate everything, and this place is Active Directory; that's the idea of Active Directory.

@AdSchellevis (Member)

You could write your own scripting to synchronize users between the two (or sponsor the feature). We don't supply scripting for this at the moment.
The hook pfSense has to query the groups from within the authentication request won't make it to OPNsense (architectural choice). Synchronisation could reach a similar behaviour.
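As an added illustration of the synchronisation approach suggested above (example code, not OPNsense's own and not a script the project ships): the AD group membership, the AD-group-to-local-group mapping and the local user table are all constructed sample data. A real script would fill the first from an LDAP search and write the planned changes into the firewall's local user and group configuration; the point is that the mapping, the "linking pin", lives on the firewall and is the only thing that grants rights.

```python
from dataclasses import dataclass, field

# Constructed stand-in for an LDAP group search: group DN -> member logins.
AD_GROUP_MEMBERS = {
    "CN=fw-admins,OU=Groups,DC=example,DC=com": ["alice", "bob"],
    "CN=vpn-users,OU=Groups,DC=example,DC=com": ["bob", "carol"],
}

# Assumed mapping kept on the firewall: AD group DN -> local group name.
# This is the "linking pin"; AD groups that are not mapped grant nothing.
GROUP_MAP = {
    "CN=fw-admins,OU=Groups,DC=example,DC=com": "admins",
    "CN=vpn-users,OU=Groups,DC=example,DC=com": "vpn",
}

@dataclass
class LocalUser:
    """Minimal model of an imported local user record (not OPNsense's own)."""
    name: str
    groups: set = field(default_factory=set)
    disabled: bool = False

def desired_groups(ad_members, group_map):
    """Return {login: {local_group, ...}} derived from AD membership."""
    wanted = {}
    for dn, members in ad_members.items():
        local = group_map.get(dn)
        if local is None:
            continue  # unmapped AD group: no local rights
        for login in members:
            wanted.setdefault(login, set()).add(local)
    return wanted

def reconcile(local_users, ad_members, group_map):
    """Align local_users with AD; return sorted (created, updated, disabled)."""
    wanted = desired_groups(ad_members, group_map)
    created, updated, disabled = [], [], []
    for login, groups in wanted.items():
        user = local_users.get(login)
        if user is None:
            local_users[login] = LocalUser(login, set(groups))
            created.append(login)
        elif user.groups != groups or user.disabled:
            user.groups, user.disabled = set(groups), False
            updated.append(login)
    for login, user in local_users.items():
        if login not in wanted and not user.disabled:
            user.disabled = True  # disable, don't delete: keep the record
            disabled.append(login)
    return sorted(created), sorted(updated), sorted(disabled)
```

Running `reconcile` a second time on the same data plans no changes, so it is safe to schedule periodically.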
