Author Topic: PFSense OpenVPN with Zentyal Samba Backend

eleanor

PFSense OpenVPN with Zentyal Samba Backend
« on: November 09, 2014, 09:31:36 pm »
Hi,

I would like to set up pfsense with a Zentyal backend, where the users with their passwords and certificates are stored in Zentyal. I've set up pfsense so that it queries the LDAP correctly; I'm not sure whether I've correctly specified the naming attributes, which are presented in the picture below. I followed these rules: https://forum.zentyal.org/index.php?topic=22954.0 , but those are for Zentyal 3.2, while Zentyal 3.5 started using Samba as its LDAP server (openldap is not supported anymore).

Therefore, I would like to know the following:

1. The naming attributes that I need to use when the Samba LDAP backend is in use. The details of my current user are presented below, which should make it easier to give me a few tips.

Quote
dn: CN=Name Surname,CN=Users,DC=domain,DC=com
cn: Name Surname
sn: Surname
givenName: name
instanceType: 4
whenCreated: 20140802111349.0Z
displayName: Name Surname
uSNCreated: 3859
name: Name Surname
objectGUID:: 4sA53BVs1RS1L6D3ThlZiQ==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AZUAAABBBAUVAABBBNg17vN/27QtOhL68UQQAAA==
accountExpires: 8122377126854785807
logonCount: 0
sAMAccountName: name.surname
sAMAccountType: 8056306568
userPrincipalName: name.surname@domain.COM
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
uidNumber: 2502
gidNumber: 2513
pwdLastSet: 130514516290000000
userAccountControl: 512
homeDrive: H:
homeDirectory: \\zentyal.domain.COM\name.surname
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: systemQuotas
objectClass: organizationalPerson
objectClass: user
memberOf: CN=OpenVPN,CN=Groups,DC=domain,DC=com
mail: name@domain.com
quota: 5000
whenChanged: 20141109102704.0Z
uSNChanged: 3942
distinguishedName: CN=Name Surname,CN=Users,DC=domain,DC=com

2. The user declaration above doesn't hold any certificate information. I've installed the VPN module in Zentyal, but I don't want to actually run OpenVPN on the Zentyal server: I would just like to manage users on Zentyal. Therefore, if incorporating users with a certificate is possible in a simple manner, it would be very good to know.

Basically I would like to run Pfsense in front of Zentyal, but pfsense should query Zentyal for user credentials and certificates. This is something we would like to have, since managing a certificate authority in Zentyal is a breeze.

Any viewpoints are appreciated.

Thank you

jmccoy555

Re: PFSense OpenVPN with Zentyal Samba Backend
« Reply #1 on: November 14, 2014, 10:11:01 pm »
This is my pfSense ldap set up with Zentyal 4.0.

I have added an OpenVPN group in Zentyal to control access for certain members.
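As an added example (not code from either poster), here is a small Python script that parses the LDIF entry quoted in the first post, handling the `::` base64 attributes, builds a safely escaped lookup filter for whichever naming attribute pfSense is configured with (sAMAccountName or userPrincipalName here), and applies the OpenVPN-group check jmccoy555 describes. The sample entry is a constructed, trimmed copy of the quoted record; the userAccountControl disabled-bit semantics are standard AD/Samba, not something taken from pfSense.

```python
import base64
from typing import Dict, List

# Constructed sample: a trimmed copy of the LDIF entry quoted in the first post.
SAMPLE_LDIF = """\
dn: CN=Name Surname,CN=Users,DC=domain,DC=com
objectGUID:: 4sA53BVs1RS1L6D3ThlZiQ==
sAMAccountName: name.surname
userPrincipalName: name.surname@domain.COM
userAccountControl: 512
objectClass: user
memberOf: CN=OpenVPN,CN=Groups,DC=domain,DC=com
"""

VPN_GROUP_DN = "CN=OpenVPN,CN=Groups,DC=domain,DC=com"  # group from the quoted entry
ACCOUNTDISABLE = 0x0002  # userAccountControl flag bit in AD/Samba (512 = enabled, 514 = disabled)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attr -> values; '::' marks a base64 value (objectGUID, objectSid)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded binary attribute, keep as hex
            value = base64.b64decode(value[1:].strip()).hex()
        entry.setdefault(attr, []).append(value.strip())
    return entry


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the structure of the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def user_search_filter(naming_attr: str, login: str) -> str:
    """Filter that looks up the account by the configured naming attribute."""
    return f"(&(objectClass=user)({naming_attr}={escape_filter_value(login)}))"


def vpn_allowed(entry: Dict[str, List[str]], naming_attr: str, login: str) -> bool:
    """True only if the naming attribute matches, the account is enabled and it is in the VPN group."""
    if login.lower() not in (v.lower() for v in entry.get(naming_attr, [])):
        return False
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if uac & ACCOUNTDISABLE:
        return False
    return VPN_GROUP_DN.lower() in (g.lower() for g in entry.get("memberOf", []))
```

Matching on DN and naming attribute is case-insensitive, as it is in AD and Samba.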

eleanor

Re: PFSense OpenVPN with Zentyal Samba Backend
« Reply #2 on: November 17, 2014, 10:53:38 pm »
Hi,

Thank you for your reply. Can you also tell me how the usernames and certificates are tied together in Zentyal? Do you allow access to OpenVPN only through user+pass credentials, or do you require certificates only? Did you use any special schema for your users which also enables the certificates field to be used with the users?

I also don't know how the OpenVPN server running on pfsense gets its hands on the user certificates.

Thank you

jmccoy555

Re: PFSense OpenVPN with Zentyal Samba Backend
« Reply #3 on: November 18, 2014, 12:04:28 am »
Hi,

I just use the certificate manager in pfSense.

I don't think the openVPN wizard creates the user certificate automatically though. So create or import one and change the auth setting in the VPN profile.

eleanor

Re: PFSense OpenVPN with Zentyal Samba Backend
« Reply #4 on: November 18, 2014, 10:18:44 pm »
Hi,

So what you're basically doing is the following:

1. Create a user in LDAP in Zentyal, which has the appropriate username and password. A new certificate for the user is NOT created in Zentyal, but rather in Pfsense.
2. Create a new certificate in Pfsense by using the built-in certificate manager?
3. Export the OpenVPN profile through Client Export in Pfsense and use that to connect to the VPN server.

I still have a couple of questions:
1. If I understand your words correctly, you keep the user information in Zentyal, while the certificates are stored in Pfsense?
2. When creating a new certificate in pfsense, how do you ensure it's linked with an existing user from Zentyal?
3. How do you ensure that the certificate of a user B is not allowed to be used to authenticate user A?

I'm still not completely sure how your setup is configured. Can you write a more detailed answer of the steps that you need to take to add a new openvpn user to your setup: zentyal + pfsense?

Thank you

jmccoy555

Re: PFSense OpenVPN with Zentyal Samba Backend
« Reply #5 on: December 18, 2014, 04:53:05 pm »
Hi,

If you're still looking into this, I've responded below.

Hi,

So what you're basically doing is the following:

1. Create a user in LDAP in Zentyal, which has the appropriate username and password. A new certificate for the user is NOT created in Zentyal, but rather in Pfsense. - Yes
2. Create a new certificate in Pfsense by using the built-in certificate manager? - Yes, a server certificate. I used the wizard to create the OpenVPN profile, which creates the user certificate in the process.
3. Export the OpenVPN profile through Client Export in Pfsense and use that to connect to the VPN server. - Yep.

I still have a couple of questions:
1. If I understand your words correctly, you keep the user information in Zentyal, while the certificates are stored in Pfsense? - Yes, one server and one user certificate.
2. When creating a new certificate in pfsense, how do you ensure it's linked with an existing user from Zentyal? - I just have one. I'm not sure if you can do this, and I think it would mean that you would have to create a different OpenVPN config file for every user?
3. How do you ensure that the certificate of a user B is not allowed to be used to authenticate user A? - I only have one certificate.

I'm still not completely sure how your setup is configured. Can you write a more detailed answer of the steps that you need to take to add a new openvpn user to your setup: zentyal + pfsense? - If you like, if the above doesn't answer it.

Thank you