Go to your IPA admin page and create a new user named opnsense. Log in once on any computer joined to the FreeIPA realm and set their password (since the one you provide upon account creation will be expired), then log out.
Next we are going to go to System -> Access -> Servers and add an LDAP Server.
Server | ipa.example.com |
Port | 389 |
Transport | TCP - Standard |
Peer Certificate Authority | # use whatever you have set up on OPNsense. Set up a simple CA if you have none |
Protocol Version | 3 |
Bind Credentials User_DN | uid=opnsense,cn=users,cn=accounts,dc=example,dc=com |
Bind Credentials Password | # Password for the opnsense user we created earlier. |
Search Scope | Entire Subtree |
Base DN | dc=example,dc=com |
Authentication Containers | # select all options from the list |
User Naming Attribute | uid |
Go to System -> Access -> Tester and try logging in with an IPA user to test your configuration. You should be able to successfully authenticate any IPA user here.
Go to System -> Access -> Users and click the cloud import button in the bottom right to begin importing an LDAP user.
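One thing worth checking before relying on the setup above: with Transport set to "TCP - Standard" on port 389, the bind credentials for the opnsense user are sent as a plain LDAP simple bind, which the server side has to read in clear text. The following Python is an added illustration written for this page, not code from the post or from OPNsense or FreeIPA. It encodes an RFC 4511 simple BindRequest the way any LDAP client does, decodes it again the way a packet sniffer would, and builds the FreeIPA user DN from a uid and base DN. The DN, base DN, host name and password are assumed placeholder values matching the post's example.com setup.

```python
"""Encode and decode an LDAP simple BindRequest (RFC 4511) to show what
crosses the wire when OPNsense binds to FreeIPA over plain TCP."""


def freeipa_user_dn(uid: str, base_dn: str) -> str:
    """FreeIPA keeps user entries under cn=users,cn=accounts,<base DN>."""
    return f"uid={uid},cn=users,cn=accounts,{base_dn}"


def _ber_len(n: int) -> bytes:
    # BER length: short form below 128, otherwise 0x80 | byte-count + big-endian length.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value: int) -> bytes:
    # Non-negative INTEGER; prepend 0x00 if the top bit is set so it is not read as negative.
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def bind_request(msg_id: int, bind_dn: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    op = _tlv(
        0x60,  # [APPLICATION 0] constructed: BindRequest
        _ber_int(version)
        + _tlv(0x04, bind_dn.encode())      # OCTET STRING: LDAPDN
        + _tlv(0x80, password.encode()),    # [0] simple: the password itself
    )
    return _tlv(0x30, _ber_int(msg_id) + op)  # SEQUENCE: LDAPMessage


def _read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(pdu: bytes):
    """What a sniffer on the OPNsense-to-IPA path recovers from one plain-TCP bind."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL binds use tag 0xA3)")
    return (
        int.from_bytes(msg_id, "big"),
        int.from_bytes(version, "big"),
        dn.decode(),
        auth.decode(),
    )


def password_visible(pdu: bytes, password: str) -> bool:
    """True when the password appears verbatim in the TCP payload."""
    return password.encode() in pdu


if __name__ == "__main__":
    # Constructed sample values matching the post's example.com layout.
    dn = freeipa_user_dn("opnsense", "dc=example,dc=com")
    pdu = bind_request(1, dn, "hunter2-placeholder")
    print(pdu.hex())
    print(parse_simple_bind(pdu))
    print("password visible on the wire:", password_visible(pdu, "hunter2-placeholder"))
```

The decoded tuple is exactly what anyone on the path between the firewall and ipa.example.com sees with "TCP - Standard", so for a real deployment choose the StartTLS or SSL transport in OPNsense (StartTLS stays on 389, LDAPS uses 636; FreeIPA offers both) and select the CA that actually signed the IPA server's LDAP certificate as the Peer Certificate Authority, since OPNsense validates the server certificate against it. On an enrolled client that CA certificate is at /etc/ipa/ca.crt. You can confirm the bind and the user lookup from such a client with `ldapsearch -x -ZZ -H ldap://ipa.example.com -D "uid=opnsense,cn=users,cn=accounts,dc=example,dc=com" -W -b dc=example,dc=com "(uid=someuser)"`; the `-ZZ` forces StartTLS and fails if the server cannot negotiate it.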
Usually I would think so too, but it seems to be strongly discouraged by the makers of IPA. There is no proper way to create service users without a third-party tool from the community. I think this is due to IPA's design around Kerberos, but I don't really know, to be honest. In the end I found that I need fully fledged users for every service anyway so they can authenticate to my mail server for notifications, but if you or anyone else knows better I'd be happy to hear out your way of handling these things.