Netgate Discussion Forum

    Google LDAP cert question

    General pfSense Questions
    9 Posts 2 Posters 999 Views 2 Watching
    • chemdream

      Hi there. I've been following these directions:
      https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html#gsuite-ldap-server

      I have a Netgate with pfSense + ...

      I've used Google LDAP a lot. But not with a Netgate. (Also, it's been a while since I've used it)

      When I test the authentication, it fails.

      Is there a way to see why it failed?

      On the Google side of things, For "read group information" I have disabled. Everything else is enabled.

      Do I need that enabled?

      I'm hoping to use this for L2TP VPN auth. I really don't need to restrict it at all..

      Thank you!!

      • stephenw10 (Netgate Administrator)

        Run the test from Diag > Auth

        Then check the logs. Is it just failing to auth or failing bind? Some other error?

        Steve

        • chemdream

          It fails at bind.

          I triple checked everything and it all looks right.

          However, I might have done the pfSense CA cert part incorrectly?

          So I deleted the CA cert I created so now I'm seeing this again:
          (screenshot: 586d2703-c991-45ee-a716-846d6fcf5e44-image.png)

          When in the cert manager, what specifically should I be doing or creating? I just created any CA cert there. But I did see a notice: "This CA is used to validate the LDAP server certificate when 'SSL/TLS Encrypted' or 'STARTTLS Encrypted' Transport is active. This CA must match the CA used by the LDAP server."
          So I'm not quite sure what to do?

          I know the google cert is imported properly in the cert manager.

          Thanks!

          • stephenw10 (Netgate Administrator)

            What pfSense version is that?

            I expect to see an option there for 'Global Root CA List'

            • chemdream @stephenw10

              @stephenw10 22.01-RELEASE (amd64)
              That's what it says if there are no CA certs. Once I add one, it displays "Global Root CA List".
              But there were no CA certs by default when I booted the system up.

              • stephenw10 (Netgate Administrator)

                Ah! Hmm, that seems like a bug.

                Well it should be set to that because Google use a real CA to sign their cert.

                Steve

                • chemdream @stephenw10

                  @stephenw10 Possibly I imported Google's cert incorrectly? It's in the "Certificates" area, not the CA area.

                  (screenshot: 674b07ff-7ae1-4ac8-9ff5-082fdef9cbdc-image.png)

                  As you can see "CA: No" is part of it? Not sure if that matters.

                  • stephenw10 (Netgate Administrator)

                    Right, that's expected because it's not a CA. You don't need to import a CA cert for that because Google use a CA that should already be in the Global Root CA List.

                    pfSense should be able to verify the server cert using one of the root CA certs it already has.

                    Steve

                    • chemdream

                      Thanks to Netgate support.

                      To close this loop, it was this bug:
                      https://redmine.pfsense.org/issues/11626

                      For now, an stunnel is required.

                      It should be fixed in 22.09.

                      Thanks again!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.