
LDAP groups with FreeIPA

Hi,
I've been able to connect my UTM 9.3 to FreeIPA 3.3.x for basic user/password authentication to the web portal and ssl client vpn.  However, I've been unable to get the UTM to use the user groups on FreeIPA to determine a user's access to an object.  I suspect the problem has to do with FreeIPA using nested groups.  I'm wondering if anyone has solved this, perhaps even using a version of Active Directory or other backend?  Thanks for any tips!


  • Geiasou and welcome to the UTM Community!

    You must [Save] a server definition first, and then you can [Test] it.  I recommend that you use a unique user for the 'Bind DN' so that changing the admin password doesn't create issues for the UTM configuration.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I see you've done some research (Geiasou) ;)
    Are you administrating this site?

    Well, I would appreciate some exact directions and screenshots, for me and for future generations :p

    For instance, by "server definition" you mean: Definitions and Users / Network Definitions / New Network Definition.

    Choose type: Host
    DNS settings --> Hostname: sub.example.com

    Save.

    Then go to Network Definitions / Authentication Services / Servers / New Authentication Server.

    Choose the network definition you created before and fill in the Bind DN like this: "uid=admin,cn=users,cn=accounts,dc=your_domain,dc=com"


    Then it should work:

    In my case I was previously trying to get it to work by installing freeipa-server on Ubuntu 18, and this was a no-go... I installed it on Fedora and it seems to be working.


    However, the test does not work with port 636 and SSL activated. But I'm happy for the moment and will dig deeper.

    I've no idea how to set up users and groups in Sophos for LDAP, but I just wanted to answer this one and will keep trying.

    Cheers.

  • In fact, I had friends in university from Greece, but, yeah, languages, dialects and accents are a hobby.

    No, just a Moderator, not an Administrator.

    Saving authentication server definitions before testing is another one of those tricks that isn't documented.  I hadn't noticed that the SSL option was added, but all of my clients use internal servers or connect to them via encrypted tunnels (RED/IPsec/SSL VPN).  You might try creating a new server definition instead of changing from 389 to SSL 636 in an existing definition - did that work?

    See #6 in Rulz for guidance on when users should be synced from the authentication server to the UTM.  Configuring HTTP/S proxy access with AD SSO also applies to LDAP in most places.  I think Douglas has a thread somewhere that delves more deeply into LDAP.

    Cheers - Bob

  • Hi Bob,

    then I guess we have the same hobby...


    So, I created a "sophos" group and a "sophosuser" in FreeIPA.

    This user authenticates successfully under Authentication Services / Servers / User Authentication Test.


    But when I try to log in to the firewall WebAdmin with this user I can't log in.

    I have the feeling that I am missing something big here, so big that I can't see it :)


    This is how the LDAP group looks in the firewall:

    Should I create another group in the firewall? If yes, what would that look like? Would the already existing "local" users then be duplicated?

    Thanks


  • So...


    In the LDAP group Attributes I inserted the following:
    cn=sophos,cn=groups,cn=accounts,dc=mydomain,dc=com

    Note that "sophos" is the group created in the freeipa server.

    Then, in the firewall under Management / WebAdmin Settings, I allowed the LDAP users to log in.

    And it worked!
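To see from the command line what the UTM has to match on when the group DN from the post above is entered for an LDAP backend group, and to test a bind against port 636 outside the UTM, here is an added example. It is not from this thread and not Sophos or FreeIPA documentation. It assumes the FreeIPA server sub.example.com from the post, a base of dc=example,dc=com, a dedicated bind account uid=sophos-bind (a hypothetical name, following the advice not to bind as admin), and a hypothetical nested group cn=vpn-users. The LDIF is a constructed sample of what the query returns; FreeIPA's memberOf plugin lists indirect (nested) group membership in memberOf as well as direct membership, which is why the sample user, a direct member only of cn=vpn-users, also carries cn=sophos.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: sub.example.com (FreeIPA server),
# uid=sophos-bind (dedicated bind user, hypothetical), dc=example,dc=com (base).
BASE="cn=accounts,dc=example,dc=com"
BIND_DN="uid=sophos-bind,cn=users,$BASE"
GROUP_DN="cn=sophos,cn=groups,$BASE"

# The live query: bind with the dedicated account over ldaps on 636 and fetch the
# memberOf values of one user. -W prompts for the bind password. For ldaps the
# client must trust the FreeIPA CA, e.g. LDAPTLS_CACERT=/etc/ipa/ca.crt on an
# enrolled client. Not run here; see the constructed sample below.
ldap_query() {
  # usage: ldap_query <uid>
  ldapsearch -x -LLL -H "ldaps://sub.example.com:636" -D "$BIND_DN" -W \
    -b "cn=users,$BASE" "(uid=$1)" memberOf
}

# Constructed sample of the query output for sophosuser, who is a direct member of
# the hypothetical cn=vpn-users group, which is itself nested inside cn=sophos.
# FreeIPA's memberOf plugin flattens the nesting, so cn=sophos appears too.
SAMPLE_LDIF='dn: uid=sophosuser,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=vpn-users,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=sophos,cn=groups,cn=accounts,dc=example,dc=com'

# user_in_group <ldif> <group DN>: exit 0 if the entry lists the group in memberOf.
# Fixed-string, whole-line, case-insensitive match: DNs compare case-insensitively
# and may contain regex metacharacters, so no pattern matching on the DN itself.
user_in_group() {
  printf '%s\n' "$1" | grep -Fqix -- "memberOf: $2"
}

# list_groups <ldif>: print the memberOf values, one DN per line.
list_groups() {
  printf '%s\n' "$1" | sed -n 's/^memberOf: //p'
}

if user_in_group "$SAMPLE_LDIF" "$GROUP_DN"; then
  echo "sophosuser matches $GROUP_DN"
else
  echo "sophosuser does NOT match $GROUP_DN"
fi
list_groups "$SAMPLE_LDIF"
```

Against a real server, replace the constructed LDIF with `ldap_query sophosuser`; if cn=sophos is missing from the output for a user who is only in a nested group, the memberOf attribute is not being populated for that nesting and the UTM group check will fail for the same reason.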