
LDAP groups with FreeIPA

Hi,
I've been able to connect my UTM 9.3 to FreeIPA 3.3.x for basic user/password authentication to the web portal and ssl client vpn.  However, I've been unable to get the UTM to use the user groups on FreeIPA to determine a user's access to an object.  I suspect the problem has to do with FreeIPA using nested groups.  I'm wondering if anyone has solved this, perhaps even using a version of Active Directory or other backend?  Thanks for any tips!


  • In fact, I had friends in university from Greece, but, yeah, languages, dialects and accents are a hobby.

    No, just a Moderator, not an Administrator.

    Saving authentication server definitions before testing is another one of those tricks that isn't documented.  I hadn't noticed that the SSL option was added, but all of my clients use internal servers or connect to them via encrypted tunnels (RED/IPsec/SSL VPN).  You might try creating a new server definition instead of changing from 389 to SSL 636 in an existing definition - did that work?

    See #6 in Rulz for guidance on when users should be synced from the authentication server to the UTM.  Configuring HTTP/S proxy access with AD SSO also applies to LDAP in most places.  I think Douglas has a thread somewhere that delves more deeply into LDAP.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    then I guess we have the same hobby...


    So, I created a "sophos" group and a "sophosuser" in freeipa.



    This user authenticates successfully under /authentication services/server/user authentication test


    But when I try to log in to the firewall WebAdmin with this user, I can't log in.

    I have the feeling that I am missing something big here, so big that I can't see it :)



    This is how the LDAP group in the firewall looks:



    Should I create another group in the firewall? If yes, then what would that look like? Would the already existing "local" users then be duplicated?

    Thanx


  • So...


    In the LDAP group Attributes I inserted the following:
    cn=sophos,cn=groups,cn=accounts,dc=mydomain,dc=com

    Note that "sophos" is the group created in the freeipa server.

    Then, in the firewall under management/Webadmin settings, I chose to allow the LDAP users to log in.



    And it worked!
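The fix above works because the firewall compares the group DN in its LDAP group definition against the user's memberOf attribute, and FreeIPA's memberOf plugin lists indirect (nested) group memberships there alongside direct ones, so a flat comparison is enough. The following is an added example, not code from this thread or from Sophos or FreeIPA: it parses a constructed ldapsearch-style LDIF result for the user and checks whether the configured group DN appears in memberOf, with the DN normalisation (case and whitespace around commas) that such comparisons need. The domain, user and group names are placeholders taken from the thread; the LDIF text is constructed, not captured from a real server.

```python
"""Verify FreeIPA group membership from a user's memberOf attribute.

Added example (not from the thread). SAMPLE_LDIF is constructed to imitate
what an `ldapsearch -x -b cn=accounts,dc=mydomain,dc=com uid=sophosuser memberOf`
against FreeIPA returns; no real server is contacted.
"""
import base64
from typing import Dict, List, Optional

# Constructed sample: "sophosuser" is a direct member of "ipausers" and
# "admins"; "admins" is assumed (for this example) to be nested inside
# "sophos". FreeIPA's memberOf plugin lists the indirect group too, so the
# firewall's flat memberOf comparison still matches. The last memberOf value
# is folded over two lines, as LDIF does for long values.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
dn: uid=sophosuser,cn=users,cn=accounts,dc=mydomain,dc=com
uid: sophosuser
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mydomain,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=mydomain,dc=com
memberOf: cn=sophos,cn=groups,cn=accounts,dc=mydomain,
 dc=com

# search result
search: 2
result: 0 Success
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries (attribute name, lowercased -> list of values).

    Handles folded continuation lines (a leading single space), comment
    lines, and base64 values ("attr:: ..."). Trailing ldapsearch status
    lines ("search:", "result:") carry no dn and are dropped.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold: join without the leading space
        else:
            logical.append(raw)

    entries: List[Entry] = []
    current: Entry = {}

    def flush() -> None:
        nonlocal current
        if "dn" in current:
            entries.append(current)
        current = {}

    for line in logical:
        if not line.strip():
            flush()  # blank line ends an entry
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    flush()
    return entries


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison.

    In FreeIPA's tree the RDN types and values (cn, uid, dc) match
    case-insensitively and whitespace around the commas is insignificant.
    This simplified form does not handle escaped commas inside values.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def user_groups(entries: List[Entry], uid: str) -> Optional[List[str]]:
    """Return the normalised memberOf DNs of the user, or None if not found."""
    for entry in entries:
        if uid in entry.get("uid", []):
            return [normalize_dn(g) for g in entry.get("memberof", [])]
    return None


def user_in_group(entries: List[Entry], uid: str, group_dn: str) -> bool:
    """True if the user exists and group_dn is among its memberOf values."""
    groups = user_groups(entries, uid)
    return groups is not None and normalize_dn(group_dn) in groups


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    group = "cn=sophos,cn=groups,cn=accounts,dc=mydomain,dc=com"
    print("sophosuser in sophos:", user_in_group(entries, "sophosuser", group))
```

When the firewall's group test fails even though the user authenticates, running the same ldapsearch as the service account the firewall binds with and checking that memberOf is actually returned is the first thing to verify: a bind account without read access to memberOf sees an authenticated user with no groups.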