Tutorial PFSense 2.0: Active Directory

Xavier Mustin

Staff member
Hey guys,
I couldn't find any good screenshot based tutorials on this so thought i'd write one up. This is to enable Authentication of pfsense using Active Directory and LDAP. This was using Windows Server 2008 r2 which I could connect to over an IPSec tunnel. however its probably easier and more reliable to have your Domain Cotnroller connected to one of the local interfaces on PFsense.

  • Go to system->user manager->servers. Click the add icon
  • Enter a name e.g. your active directory domain name and set the type to LDAP. Enter the IP address of your domain controller
  • Hostname or IP address: Enter the IP address of your domain controller here. I'd recommend the IP in case your DNS is broken which often happens to me. Remember if you are using the DNS name of your domain controller e.g. domaincontroller.pbs.local you need to use your domain controller as the DNS in your general settings of PFsense as it won't resolve otherwise. I'm a big fan of having all my servers on a public IPs and am going to convert my domain to a proper FQDN to help stamp out these DNS problems
  • The Base DN usually follow the format of DC=[part of domain name between a dot],DC=[next part of a domain name before dot or if last part] etc. So my domain name was pbs.local so our base DN is "DC=pbs,DC=local". If my domain name was cooldomainname.com then it would be "DC=cooldomainname,DC=com" (no quotation marks)
  • Authentication Containers are the actual unit within your active directory that your users reside in. I have an OU called "PBS Users" but by default active directory has a CN called "Users". So for most people you would write "CN=Users,DC=firstdomainpart,DC=local.
  • My domain controller didn't allow anonymous LDAP searches so I had to create a username and password on my active directory to authorize pfsense. Interesting it wouldn't work unless I put in the "PBS\" in front even though the accounts themselves don't need that so could be wroth checking for troubleshooting.
  • Use the Microsoft AD as the initial template or just copy my values
  • Now we need to create a group and add an AD user to that group who will have access to PFsense. Interestingly enough I couldn't use the Domain Admins group as Microsoft have some feature in LDAP which stops this from being returned - weird or good security? You decide but its bloody annoying! Anyway, you need to create a group with the SAME NAME in PFsense and give the relevant permissions

  • Go back to system->user manager-> settings and choose the new LDAP authentication server
  • Save everything and go to diagnostics->authentication menu item. Yay it works!