Add pfSense example

This commit is contained in:
Bob Carlson 2023-01-02 13:57:57 -06:00
parent c64d32e2c0
commit ee0a891505

View File

@ -0,0 +1,53 @@
# Configuration for pfSense
Note: Using the test feature in pfSense does not appear to work, and LDAP users do not appear in the Users tab,
these are likely bugs in pfSense.
This is only a basic configuration, allowing all valid users in the group to have full permissions.
Go to System > User Manager > Authentication Servers and Add.
Use the following settings. Non-default options are bolded.
Assuming `dc=example,dc=com` and a user for authentication called `cn=auth` in `lldap_strict_readonly`.
| Key | Value |
|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Hostname or IP address** | Address of LDAP server |
| Port value | `389` |
| Transport | `Standard TCP` |
| Peer certificate authority | `Global Root CA List` |
| Protocol version | `3` |
| Server timeout | `25` |
| **Search scope level** | `Entire subtree` |
| **Search scope base DN** | `dc=example,dc=com` |
| **Authentication containers** | `ou=people` |
| **Extended query** | enabled |
| **Query** | `&(objectClass=person)(memberof=cn=admins,ou=groups,dc=example,dc=com)` This will require users to be in the `admins` group. Remove that part to allow all users. |
| **Bind anonymous** | disabled (if desired, also set credentials if disabling) |
| **Bind credentials** | username: `cn=auth,ou=people,dc=example,dc=com` |
| **User naming attribute** | `uid` |
| Group naming attribute | `cn` |
| **Group member attribute** | `memberUid` |
| **RFC 2307 Groups** | enabled |
| RFC 2307 User DN | disabled |
| **Group Object Class** | `group` |
| **Shell Authentication Group DN** | optional |
| UTF8 Encode | disabled (may be supported but was not tested) |
| Username Alterations | disabled |
| **Allow unauthenticated bind** | disabled |
Save and change to the Settings tab. Change Authentication Server to the one you just created and save.
You will still be able to log in with the local database.
Change to the Groups tab.
Add a new group (here called `pfsense_admin`), your user(s) will of course need to be in the group.
| Key | Value |
|------------------|----------------------------------|
| **Group name** | `pfsense_admin` |
| **Scope** | `Remote` |
| **Description** | Can be anything, but is required |
| Group membership | Do not add any users |
Save the group, then click the edit button. In the Assigned Privileges section, click Add then select all permissions.
Save and save.