pfSense configuration for FreeIPA 4.8.0

pfsense-ldap-freeipa.md

pfSense LDAP configuration for FreeIPA 4.8.0

This is a small guide on how to configure Netgate's pfSense firewall to use the FreeIPA LDAP service.

I. FreeIPA Configuration

I.1. Create a dedicated group

The first step is to create a user group in FreeIPA to manage which user can access the pfSense admin interface. You will be able to create some others groups later if you need to get different profiles on the pfSense admin interface (full admin, vpn admin, etc...).

1. On your FreeIPA admin, go to the user group managment page : Identity >> Groups.
2. Click on the + Add button on the to right corner to access the group creation wizard.
3. Fill the fields of the wizard :
   • Group name : some_name.
   • Description : A description of the purpose of the group.
   • Groupe type : Non-POSIX (this group will only be used for web apps).
4. Click on the Add button to create the user group.

Then, you will need to add one use to the group to perform configuration test later. To add the user , go to the user management page : Identity >> User.

1. Select you user by click on its user login.
2. Go to the User Groups (x) tab.
3. Click the + Add button.
4. Select the wanted group and click on the right arrow.
5. Click the Add button and done!

I.2. Securisation of the LDAP trafic

The use of LDAPS is highly recommended when dealing with authentication request. Two action are needed to set up this secure connexion between your two system :

• an authenticated resquest to the FreeIPA server
• a secure transport of the request

To prevent anonymous (non authenticated) LDAP request to your FreeIPA server, you need to edit the directory config itself :

1. Open your FreeIPA server console with the root account.
2. Create a folder to store your config files and create a new file:

   $: mkdir /root/freeipa_config 
   $: cd /root/freeipa_config 
   $: nano prevent_anonymous_bind.ldif

3. Type the following content in the file and save it:

   dc: cn=config
   changetype: modify
   replace: nsslapd-allow-anonymous-access
   nsslapd-allow-anonymous-access: off
   

4. Modify the directory server using the Directory Manager profile and secret :

   $: ldapmodify -x -D "cn=Directory Manager" -w "<secret_goes_here>" -f prevent_anonymous_bind.ldif
   $: systemctl restart dirsrv@XXXXXX-XX

   The "XXXXXX-XX" correspond to your DC name in upper case.

Then, you need to extract your main Certification Authority certificate to add your CA to the pfSense firewall.

Access the FreeIPA Certificate manager : Authentication >> Certificate and perform the following tasks :

1. Click on the Serial Number of the certificate with the subject " CN=Certificate Authority,O=XXXXX.XX"
2. Click on the Action button then on Download

II. pfSense Configuration

II.1. Import the Certification authority

Go to the CA manager dashboard : System >> Certificate Manager >> CAs then :

1. Click the + Add green button
2. Add a meaningful description to your CA.
3. Select the method : Import an existing Certificate Authority.
4. Copy / Paste the content of the downloaded .pem fin in the Certificate data text area.
5. Click the Save blue button.

II.2. Add the authentication server

Go to the Authentication server dashboard : System >> User Manager >> Authentication Servers then :

1. Click the + Add green button
2. Fill each field as follow :
   • Descriptive name : A description of the server
   • Type : LDAP
   • Hostname or IP address : ipa_hostname.tld
   • Port value : 636
   • Transport : SSL - Encrypted
   • Peer Certificate Authority : The one you've imported
   • Protocol version: 3
   • Server Timeout : 25
   • Search scope : Entire Subtree (mandatory)
   • Base DN : dc=XXXXX,dc=XX => replace with your own domaine info
   • Authentication containers : cn=users,cn=accounts
   • Extended query : Ticked
   • Query : &(memberOf=cn=GGGG,cn=groups,cn=accounts,dc=XXXXXX,dc=XX) => replace GGGG with the group name & XXXXXX XX with your domaine values
   • Bind anonymous : Unticked
   • Bind credentials :
     • Field 1 : uid=UUUU,cn=users,cn=accounts,dc=XXXXXX,dc=XX => test with the admin account, a proper service account shall be setup later
     • Field 2 : account's password
   • User naming attribute: uid
   • Group naming attribute: cn
   • Group member attribute: memberOf
   • RFC 2307 Groups : Unticked
   • Group Object Class : groupofnames
   • UTF8 Encode : Ticked
   • Username Alterations : Unticked
3. Click on the Save blue button.

II.3. Test the authentication server

Go to the Authentication server diagnostic tool : Diagnostics >> Authentication then :

1. Select the Authentication Server you've juste created.
2. Add known working credentials
3. Press the Test blue button

If everythings works properly, a green box with the user's groups should appear. Otherwise, you have a configuration issue which can be :

• improper configuration of the FreeIPA server :
  • The LDPS server is not enabled, try to revert to LDAP instead
  • There is a Firewall blockage (server side or pfsense side)
  • The ports are not the standard ones
• improper configuration of the pfSense authentication server
  • wrong base DB / Query
  • wrong Group Object Class, set it to posixGroup if you've created a POSIX group on FreeIPA
  • wrong bind credentials
  • wrong DNS config
• And a lot more

II.4. Map the group on pfSense

Go to the Groups manager dashboard : System >> User Manager >> Groups then :

1. Click the + Add green button
2. Fill each field as follow :
   • Group name : The same name as the one you've created in FreeIPA
   • Scope : Remote
   • Description : A description on the purpose of the group + precising the fact that the group is mapped from FreeIPA
   • Group membership : Keep the Members field empty
   • Assigned Privileges : Add the desiered privileges to the group
3. Click on the Save blue button.

II.5 Activate the Authentication server

Go to the Groups manager dashboard : System >> User Manager >> Groups then :

1. Fill each field as follow :
   • Session timeout : 30 (set it to 30 mins of inactivity before login out)
   • Authentication Server: Your brand new LDAP authentication Server -Auth Refresh Time: Leave it empty
2. Click on the Save blue button.

II Test the new LDAP authentication server

You can now safely disconnect from your pfSense firewall and try your LDAP authentication method.

In case the the remote auth doesn't work, the local accounts will still work.

service_account-ldap-freeipa.md

Create a service account on FreeIPA 4.8.0

Prerequisit

• You need to access the FreeIPA LDAP server (physically or remotely)
• Have the Directory Manager credentials
• A place to securely backup configuration files

What to do ?

First of all, open text editor and type the following lines :

dn: uid=<here_the_uid>,cn=sysaccounts,cn=etc,dc=<your_dc>,dc=<your_dc>
changetype: add
objectclass:account
objectclass:simplesecurityobject
uid:<here_the_uid>
userPassword:<here_the_password>
nsIdleTimeout:0

Then replace :

• <here_the_uid> : The uid of your service account
• dc=<your_dc>,dc=<your_dc> : Your LDAP DC identifiers
• <here_the_password> : A secure password for the service account

If you need to add an expiration date to the accout's password, add this line :

   passwordExpirationTime:<unix_timestamp>

And replace <unix_timestamp> by a proper unix timestamp (for the lazy ones : https://www.epochconverter.com/).

Save this file with an explicite name and store it somewhere safe and secure (crypted folder, private repo on private versionning server, other). Please note that the file format is .ldif .

Then open a unix prompt on the FreeIPA server (or define the server IP/Port) and execute the command :

$ ldapmodify -D "cn=Directory Manager" -W -f <your_file>.ldif
Enter Password : <the Directory manager passwd> 

And voila !

Thanks for your reply!!!