Set up OPNSense with FreeIPA Authentication.

guide.md

Using FreeIPA Authentication with OPNSense

Step 1

Go to your IPA admin page and create a new user named opnsense. Log in once on any computer joined to the FreeIPA realm and set their password (since the one you provide upon account creation will be expired), then logout.

Step 2

Next we are going to go to System -> Access -> Servers and add an LDAP Server.

Server	ipa.example.com
Port	389
Transport	TCP - Standard
Peer Certificate Authority	# use whatever you have set up on OPNSense. Set up a simple CA if you have none>
Protocol Version	3
Bind Credentials User_DN	uid=opnsense,cn=users,cn=accounts,dc=example,dc=com
Bind Credentials Password	# Password for the opnsense user we created earlier.
Search Scope	Entire Subtree
Base DN	dc=example,dc=com
Authentication Containers	# select all options from the list
User Naming Attribute	uid

Go to System -> Access -> Tester and try logging in with an IPA user to test your configuration. You should be able to successfully authenticate any IPA user here.

Step 3

Go to System -> Access -> Users and click the cloud import button in the bottom right to begin importing an LDAP user.

You should be using a ldap service account instead of a full posix user.

You should be using a ldap service account instead of a full posix user.

Usually I would think so too but it seems to be strongly discouraged by the makers of IPA. There is no propper way to create service users without a third party tool from the community. I think this is due to IPAs design around kerberos but I don't really know tbh. In the end I found that I need fully fledged users for every service anyways so they can authenticate to my mail server for notifications but if you or anyone else knows better I'd be happy to hear out your way of handling these things.