Last Updated on August 14, 2022 by Thiago Crepaldi
In this article I’m going to show how to authenticate users on your pfSense using LDAP server powered by Synology DSM. The steps will include SSL encryption based on Let’s Encrypt certificates. You need to issue Let’s Encrypt SSL certificates, configure SSL certificates on your pfSense, and finally configure SSL certificates on your Synology that you issued from pfSense. Both pfSense and Synology need to have the same certificates installed.
Configure LDAP server on Synology DSM
Login to your Synology NAS, open the Package center, search for LDAP and click on Install button. Once installation is finished, click on Open to begin the configuration. Next, go to Settings tab, click on Enable LDAP server and put the full domain name that matches the domain on your SSL certificate on the FQDN text box. Pick a password that all your LDAP clients, including the pfSense appliance, will use to bind with the server. Click on Connection settings and check all three boxes and click Ok. For extra context, here is a brief explanation on what each check box will do on your LDAP server:
- Disallow anonymous binds forces clients to use the password from the previous step to connect to LDAP server
- Force clients to use encrypted connections enabled SSL authentication to add more security to your network
- Kick idle connections (minutes) kills connections from clients that are not actively exchanging data with the server
You can make changes to these selections as appropriate, but I recommend using all three features for a tighter security. Finish configuration by clicking Apply. Take note of Base DN and Bind DN. at the bottom of the page as we are going to use it, along with FQDN and password.
At this point, the LDAP server is up and running. Time to populate users and groups to use it on pfSense. Go to Manage groups tab and click on Create button. In the new group dialog, type pfsense_admins as Group name and click Next. A confirmation screen will be displayed and you can Apply to finish the process.
Let’s create a user that will be able to login and manage your pfSense deice by going to Manage users tab and clicking on Create. In the new user dialog, type a username on Name, Email, Password and make sure the box Disable this account is unchecked before proceeding to Next. The next screen shows a list of groups you can join the new user. Make sure at least pfsense_admins is checked before clicking Next. The next screen has a bunch of optional fields that you can fill in as pleased. Click Next to get to the confirmation screen, which you can click Apply. Now you have a running LDAP server with a new user which belongs to the pfsense_admins group.
To test your connection, you can install Apache Directory Studio and configure a LDAP connection to your Synology. Once it is installed, click on the new connection icon, which will start a wizard. Select LDAP Connection under LDAP Browser category and click Next, type a meaning Connection name and the full domain name on the Hostname field (must match the domain name on SSL certificate). Port must be 389 and Encryption method must be Use StartTLS extension. Click on Check network parameter to make sure your LDAP server can be reached and go to the Next step. Keep Authentication method as Simple authentication and type the Bind DN from you Synology on the Bind DN or user along with the Password and click on Check authentication to make sure authentication is fine and click on Finish afterwards. Now you can connect to your LDAP and browse the LDAP database to see its contents. Note you will find a cn=users and cn-groups with the user and group you created before. Now we are ready to configure pfSense
(optional) Allowing LDAP connection through daisy chained routers
My homelab has two chained routers, which creates two different networks. If you don’t have this topology, you can skip this section. I’ve opted for this approach as I enjoy Unifi’s powerful Access Points and nice integration with UDM Pro, but I don’t trust them for securing my home, so I delegated security and VPN to pfSense. You can configure pfSense + UDM Pro to work together through this post too. Anyway, given my scenario, my LDAP server is behind UDM Pro, which is a different network from pfSense. What we have to do here is 1) to create a firewall rule on the UDM-Pro to allow an incoming connection from pfSense to passthrough UDM Pro, then we need to 2) forward port 389 from UDM Pro to your Synology NAS with LDAP server running and finish off by 3) creating a DNS entry on the pfSense to manually resolve the Synology hostname to the UDM Pro IP.
Let’s start with the firewall rule on UDM Pro. After login, go to Network >> Settings >> Internet security >> Firewall. At Rules tab, click on WAN and Create new rule and fill in the fields as follows:
- Type: WAN local
- Description: Allow LDAP SSL (hosted on XXX server)
- It is important to have a description that explains why it is needed for future maintenance.
- Enabled: Checked
- Rule applied: Before predefined rules
- Action: Accept
- IPv4 protocol: TCP
- Match all protocols except for this: Unchecked
- Source type: IP Address
- IPv4 Address: pfSense LAN IP (e.g. 10.0.0.1)
- Port: blank
- MAC address: blank
- Source type: IP Address
- IPv4 Address: UDM Pro LAN IP on pfSense network (e.g. 10.0.0.2)
- Port: 389
All the other settings can remain as is. Click on Apply and you should see your new rule listed on WAN rules tab.
For debugging, I recommend that you create a similar firewall rule that allows ICMP in the IPv4 Protocol field and Echo request in the IPv4 ICMP Type Name subfield. Source and Destination settings are the same as before and a meaning Description would be something like Allow ICMP on WAN local (pfSense -> UDM Pro).
At this stage, any connection that is coming from your pfSense towards UDM Pro using TCP port 389 is accepted by the firewall. The next logical step is making UDM Pro to forward this port to the correct device, which is the Synology device (192.168.1.2 in this tutorial).
Go to Settings >> Gateway >> Port forwarding and click on Create new port forwarding rule and fill in as follows:
- Name: Forward LDAP SSL port to Synology
- Enable forward rule: Checked
- From: Limited
- Source: pfSense IP (e.g. 10.0.0.1)
- Port: 389
- Forward IP: Synology IP on UDM Pro network (e.g. 192.168.1.2)
- Forward port: 389
- Protocol: TCP
- Enable logging: unchecked
Click on Apply and you should see your new port forwarding rule listed. At this point, a LDAP SSL connection coming from pfSense towards the Synology server should passthrough the UDM Pro. The missing link is resolving the full domain name of the Synology server (e.g. synology.lan.domain.com) to the UDM Pro IP address. As pfSense doesn’t know names resolved by UDM Pro, we will create a static rule for this.
(optional) Handling chained routers
This first step can be skipped if you are not using chained routers. It will make pfSense resolve Synology’s name to the UDM Pro IP. After login, go to Services >> DNS Resolver and scroll down to the Host overrides table and click on Add and fill in as follows:
- Host: Hostname of your Synology as known by your UDM Pro DNS (e.g. synology)
- Domain: Domain name of your UDM Pro (e.g. lan.domain.com). My pfSense and UDM Pro have the same domain name, but this is not a strict requirement
- IP address: UDM Pro IP address on pfSense network (e.g. 10.0.0.2)
- Description: Resolving Synology name to UDM Pro IP (NAT)
Click on Save and Apply changes for the changes to take effect. Test the DNS entry by going to Diagnostics >> Ping and enter the full name of your Synology device and click Ping. If you did everything right, you should see that the Synology.lan.domain.com was resolved to something like 10.0.0.2 and that there was 0.0% packet loss.
Configuring LDAP as Authentication server
After going through all the previous steps, pfSense can reach the LDAP server, which already has a user and group in the database.
Allowing pfSense to authenticate users through LDAP is a 3 steps process:
Adding LDAP server as authentication server
After login, go to System >> User Manager >> Authentication Servers and click Add and do as follows:
- Descriptive Name: Synology LDAP
- Type: LDAP
- Hostname or IP address: If you are using SSL, type your full qualified domain name for the Synology matching the certificate name (e.g. synology.lan.domain.com). If you didn’t check the Force clients to use encrypted connections during LDAP configuration on the Synology, you can use UDM Pro IP directly
- Port value: 389
- Transport: TCP – STARTTLS
- Peer Certificate Authority:Global Root CA List
- Protocol version: 3
- Search scope:
- Level: Entire Subtree
- Base DN: This can be found on your Synology LDAP server settings page (e.g. dc=synology,dc=lan,dc=domain,dc=com)
- Authentication containers: cn=users
- Extended query: checked for improved security (only users from pfsense_admins group will be allowed to authenticate on pfSense)
- Query: Prepend ‘memberOf=cn=pfsense_admins,cn=groups’ to the base DN (e.g. memberOf=cn=pfsense_admins,cn=groups,dc=synology,dc=lan,dc=domain,dc=com)
- Bind anonymous: unchecked
- Bind credentials: Use Bind DN and password from Synology LDAP server configuration (e.g. uid=root,cn=users,dc=synology,dc=lan,dc=domain,dc=com)
- User naming attribute: uid
- Group naming attribute: cn
- Group member attribute: memberOf
- RFC 2307 Groups: unchecked
- Group Object Class: posixGroup
- UTF8 Encode: checked
- Username Alterations: blank
Click on Save and test your connection by going to Diagnostics >> Authentication and do as follows:
- Authentication Server: Select the LDAP connection from the previous step
- Username: username created during Synology LDAP server configuration
- Password: password for the user created on Synology LDAP server
Click on Test and you should see a message like ‘User <your_user> authenticated successfully. This user is a member of groups: ‘. Note that although authentication was successful, your LDAP user doesn’t belong to any group recognized by pfSense. We will fix that in the next step
Adding remote group from Synology LDAP server
Now that pfSense can recognize users from Synology’s LDAP server, we have to create a local group that will be used to map the remote group on LDAP.
Go to System >> User Manager >> Groups, click on Add and do as follows:
- Group name: pfsense_admins or whatever name you used on LDAP server configuration. The group name between Synology and pfSense must match!
- Scope: Remote
- Description: Synology LDAP group
- Group membership: do not add any local user here
- Assigned Privileges: click on Add, select WebCfg – All pages and click on Save
Click on Save and test the group mapping by going to Diagnostics >> Authentication as described before. If there is no typo, you should see something like:
User <your_user> authenticated successfully. This user is a member of groups: pfsense_admins
Assigning LDAP connection to pfSense login mechanism
Now that pfSense recognizes your LDAP server and knows which groups to look for authorization, the last step is instructing pfSense to consult LDAP database during user login.
Go to System >> User Manager >> Settings page. At Authentication Server field select the LDAP connection as opposed to Local database. When you click at Save and Test, you should see a dialog in which pfSense succeeds is 1) connecting, 2) binding, 3) fetching organizational units from LDAP server. A list with at least three OUs will be listed.
In order to perform the last test, click on Logout icon on the top left corner of screen. In the login screen, type your LDAP username and password and you should login just like when you use your local account on pfSense.
3 thoughts on “Configuring pfSense authentication through Synology LDAP server”
Again – great guides thanks. I can get this working without authenticating the connection, without SSL/STARTTLS, and without the LDAP group filter to pfsense_admins, but adding any of those steps results in pfsense not being able to connect to the Synology LDAP server.
A couple of questions, when you use STARTTLS (which I am trialling for this project to get my head around things, but I’m not sure whether this will be an issue for me later with MacOS clients I want to try and get working with Synology LDAP server), did you change the certificate in Synology for the LDAP server to the one SSL cert you created previously in Acme? It isn’t in the instructions so I assumed not (and are just using the self signed cert that is the default), and I can see you also left (in pfSense) the Peer Certificate Authority as Global Root CA rather than switching to R3?
Otherwise I’m scratching my head a bit, particularly around why the group filter and authenticated connections fail (on the later, I’ve been using Client specific user profiles for other services connecting to Synology LDAP, but neither a pfSense specific client user, or the root seem to work for pfSense).
Any thoughts appreciated.
Just to add; I’ve gotten the authenticated connection working using a client specific profile, but the memberOf steps and changing to STARTTLS both currently break the connection (authentication fails) if I add either of those steps). Any ideas what I may be missing here? I have left ‘disallow anonymous binds’ and ‘force secure connections’ both off at this stage.
I can see the following; Synology DSM can connect to Synology LDAP Server using STARTTLS locally, MacOS doesn’t support disallowing anonymous binds from what I can gather/research (I haven’t gotten MacOS to connect yet – I don’t get an authentication failure but after entering user credentials, it just presents the spinning wheel icon forever until you force restart).
I have also changed the SSL cert for Synology LDAP Server to use the certificate I created from your ACME SSL guide (I’ve tried this and the default, neither seem to work).
I have also checked nothing funny with firewall rules potentially blocking ports, I’m currently trying to figure out how to check any logs for hints as to what the problem may be.