Module Description
This Module should allow configuring access methods to the OPNsense GUI (LDAP, Radius, Voucher) under System -> Access -> Server.

Minimum Viable Product (MVP)
```yaml
module: system_access_servers
short_description: Configure access methods used for authentication on the Webgui
description:
  - This Module allows you to configure different access methods (e.g. LDAP) to secure the Web frontend of the OPNsense firewall.
options:
  description:
    description: "Descriptive name of your access server"
    required: true
    type: str
  type:
    description: "The access type you want to configure"
    default: LDAP
    choices:
      - LDAP
      - LDAP + Timebased One Time Password
      - Local + Timebased One Time Password
      - Radius
      - Voucher
    type: str
  hostname:
    description: "Hostname or IP address of your access server instance"
    required: true
    type: str
  port:
    description: "Port of your access server instance."
    default: 389
    type: int
  transport:
    description: "Transport protocol to use to connect to your server. When choosing StartTLS or SSL, please configure the required private CAs in System -> Trust"
    default: TCP - Standard
    choices:
      - TCP - Standard
      - StartTLS
      - SSL - Encrypted
    type: str
  protocol_version:
    description: "Select protocol version"
    default: 3
    choices:
      - 3
      - 2
    type: int
  bind_credentials:
    description: "Bind user and credentials, specified with the two keys user_dn and password"
    type: dict
    suboptions:
      user_dn:
        description: "Distinguished name of the bind user, e.g. CN=Binduser,OU=Staff,O=Company,DC=example,DC=com"
        type: str
      password:
        description: "Password for the bind user"
        type: str
  search_scope:
    description: "The scope of how many levels below the Base DN are searched for users."
    default: "One Level"
    choices:
      - One Level
      - Entire Subtree
    type: str
  authentication_containers:
    description: "Semicolon-separated list of distinguished names (DC= components)."
    required: true
    type: str
  extended_query:
    description: "Extended LDAP Query to map additional attributes."
    type: str
  initial_template:
    description: "Select if using OpenLDAP, Microsoft AD or Novell eDirectory"
    default: "OpenLDAP"
    choices:
      - OpenLDAP
      - Microsoft AD
      - Novell eDirectory
    type: str
  user_naming_attribute:
    description: "LDAP attribute to map usernames."
    default: "cn"
    type: str
  read_properties:
    description: "Normally the authentication only tries to bind to the remote server; when this option is enabled the object's properties are fetched as well, which can be practical for debugging purposes."
    default: false
    type: bool
  synchronize_groups:
    description: "Synchronize groups specified by the memberOf or class attribute after login; this option requires read_properties to be enabled. Groups will be extracted from the first CN= section and will only be considered when they already exist in OPNsense. Group memberships will be persisted in OPNsense."
    default: false
    type: bool
  constraint_groups:
    description: "Constrain allowed groups to those selected in the container section. This may offer additional security in cases where users are able to inject memberOf attributes in different trees."
    default: false
    type: bool
  limit_groups:
    description: "Limit the groups which may be used by this authenticator; keep empty to consider all local groups in OPNsense. When groups are selected, you can assign unassigned groups to the user manually."
    default: []
    type: list
    elements: str
  automatic_user_creation:
    description: "To be used in combination with synchronize_groups: allow the authenticator to create new local users after a successful login, with the group memberships returned for the user."
    default: false
    type: bool
  match_case_insensitive:
    description: "Allow mixed case input when gathering local user settings."
    default: false
    type: bool
  state:
    description: "Whether to add or update (`present`) or remove (`absent`) a server access configuration."
    type: str
    choices:
      - present
      - absent
```
Examples

Example1: Adding an ldap access server (simple)

```yaml
---
- name: Configure ldap authentication server without a bind-user
  puzzle.opnsense.system_access_servers:
    description: "My ldap server"
    hostname: "ldap.example.com"
    base_dn: "dc=example,dc=com"
    authentication_container: "ou=sysadmins,dc=example,dc=com"
```

Example2: Adding an ldap access server using ldaps and a binduser

```yaml
---
- name: Configure ldaps authentication server with a bind-user
  puzzle.opnsense.system_access_servers:
    description: "My ldap secured server"
    hostname: "ldap.example.com"
    port: 636
    transport: "SSL - Encrypted"
    bind_credentials:
      user_dn: "uid=mybinduser,ou=bindusers,dc=example,dc=com"
      password: "secret123"
    base_dn: "dc=example,dc=com"
    authentication_container: "ou=sysadmins,dc=example,dc=com"
```
Additional Notes (Optional)

* Be aware that this module request currently only takes the LDAP access type into consideration. The options of the module change depending on the type selected; this can be verified in the Webgui by selecting a different Type. For completeness the choices are listed in the option `type`, but the fields only reflect the options required for the LDAP access type.
* You have to activate the option `read_properties` in order to configure the options `synchronize_groups`, `constraint_groups` or `automatic_user_creation` (tested in the Webgui).
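As an added illustration (not code from the puzzle.opnsense collection or from this proposal), the following is an Ansible `argument_spec` that mirrors the documented options, together with a hypothetical `validate_access_server()` helper that encodes the cross-option rules stated above: the three options that need `read_properties`, `automatic_user_creation` needing `synchronize_groups`, and ldaps on the plain-LDAP default port. It follows the option list, so the `base_dn` and singular `authentication_container` keys used in the examples are not part of it, and the bind password is marked `no_log` so it does not end up in task output.

```python
# Added example, not from the collection or the proposal; validate_access_server
# and NEEDS_READ_PROPERTIES are hypothetical helpers built from the notes above.
ACCESS_TYPES = ["LDAP", "LDAP + Timebased One Time Password",
                "Local + Timebased One Time Password", "Radius", "Voucher"]
TRANSPORTS = ["TCP - Standard", "StartTLS", "SSL - Encrypted"]
BOOL_OPTS = ("read_properties", "synchronize_groups", "constraint_groups",
             "automatic_user_creation", "match_case_insensitive")

ARGUMENT_SPEC = dict(
    description=dict(type="str", required=True),
    type=dict(type="str", default="LDAP", choices=ACCESS_TYPES),
    hostname=dict(type="str", required=True),
    port=dict(type="int", default=389),
    transport=dict(type="str", default="TCP - Standard", choices=TRANSPORTS),
    protocol_version=dict(type="int", default=3, choices=[3, 2]),
    # no_log keeps the bind password out of Ansible task output and logs
    bind_credentials=dict(type="dict", options=dict(
        user_dn=dict(type="str", required=True),
        password=dict(type="str", required=True, no_log=True))),
    search_scope=dict(type="str", default="One Level",
                      choices=["One Level", "Entire Subtree"]),
    authentication_containers=dict(type="str", required=True),
    extended_query=dict(type="str"),
    initial_template=dict(type="str", default="OpenLDAP",
                          choices=["OpenLDAP", "Microsoft AD", "Novell eDirectory"]),
    user_naming_attribute=dict(type="str", default="cn"),
    limit_groups=dict(type="list", elements="str", default=[]),
    state=dict(type="str", default="present", choices=["present", "absent"]),
    **{k: dict(type="bool", default=False) for k in BOOL_OPTS},
)

# Options the Webgui only lets you configure once read_properties is enabled
NEEDS_READ_PROPERTIES = ("synchronize_groups", "constraint_groups",
                         "automatic_user_creation")


def validate_access_server(params):
    """Return a list of consistency problems for a parameter dict (empty = OK)."""
    # apply the spec defaults first, as AnsibleModule would do
    p = {k: v.get("default") for k, v in ARGUMENT_SPEC.items()}
    p.update(params)
    errors = []
    for opt in NEEDS_READ_PROPERTIES:
        if p[opt] and not p["read_properties"]:
            errors.append(f"{opt} requires read_properties: true")
    if p["automatic_user_creation"] and not p["synchronize_groups"]:
        errors.append("automatic_user_creation requires synchronize_groups: true")
    if p["transport"] == "SSL - Encrypted" and p["port"] == 389:
        errors.append("SSL - Encrypted (ldaps) normally uses port 636, not 389")
    return errors
```

Running the helper on the page's second example (transport `SSL - Encrypted`, port 636) yields no errors, while enabling `synchronize_groups` without `read_properties` is reported.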