LDAP (MS AD) error- Could not connect to server.
-
Something interesting. Running
ldapsearchfrom the command line results in an error with mismatched library files:ldapsearch -H ldap://dc.mydomain.local:389 -D "CN=LDAP User,CN=Users,DC=mydomain,DC=local" -w "xxxx" -b "OU=Users,OU=MyBusiness,DC=mydomain,DC=local" "(sAMAccountName=me)" ldap_int_sasl_init: SASL library version mismatch: expected 2.1.28, got 2.1.27 ldapsearch: ldap_get_option(API_INFO) failedI am not entirely sure how to resolve this.
-
Hmm, 2.1.28 is the pfSense 2.7 (dev) version of that lib.
Make sure your update branch is set to latest stable.
Try running at the command line:
pkg info cyrus-sasl
That should show you what you have currently.Steve
-
@stephenw10 said in LDAP (MS AD) error- Could not connect to server.:
Hmm, 2.1.28 is the pfSense 2.7 (dev) version of that lib.
Make sure your update branch is set to latest stable.
Try running at the command line:
pkg info cyrus-sasl
That should show you what you have currently.Steve
OK, that makes some sense. I believe I upgraded to the dev branch to see if there was a change in another issue, then immediately downgraded back to the stable branch. I guess this package was downgraded, however, a reference was left unaltered?
The result of that package info is:
cyrus-sasl-2.1.27_2 Name : cyrus-sasl Version : 2.1.27_2 Installed on : Wed Feb 16 20:47:45 2022 GMT Origin : security/cyrus-sasl2 Architecture : FreeBSD:12:amd64 Prefix : /usr/local Categories : security Licenses : BSD4CLAUSE Maintainer : ume@FreeBSD.org WWW : https://www.cyrusimap.org/sasl/ Comment : RFC 2222 SASL (Simple Authentication and Security Layer) Options : ALWAYSTRUE : off ANONYMOUS : on AUTHDAEMOND : on BDB : off BDB1 : on CRAM : on DIGEST : on DOCS : off GDBM : off KEEP_DB_OPEN : off LMDB : off LOGIN : on NTLM : on OBSOLETE_CRAM_ATTR: on OBSOLETE_DIGEST_ATTR: on OTP : on PLAIN : on SCRAM : on Shared Libs provided: libscram.so.3 libsasldb.so.3 libsasl2.so.3 libplain.so.3 libotp.so.3 libntlm.so.3 liblogin.so.3 libdigestmd5.so.3 libcrammd5.so.3 libanonymous.so.3 Annotations : FreeBSD_version: 1203500 build_timestamp: 2022-01-12T15:23:42+0000 built_by : poudriere-git-3.3.99.20211130 cpe : cpe:2.3:a:cmu:cyrus-sasl:2.1.27:::::freebsd12:x64:2 port_checkout_unclean: no port_git_hash : 17b54ce76328 ports_top_checkout_unclean: yes ports_top_git_hash: 7046b65c0d41 repo_type : binary repository : pfSense Flat size : 1.29MiB Description : The Cyrus SASL (Simple Authentication and Security Layer) SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection. WWW: https://www.cyrusimap.org/sasl/ -
This is how things are currently:
-
Hmm, how did you downgrade? That's not something you can normally do. Especially between 2.7 and 2.6 because of the FreeBSD base change.
Something on your system has pulled in a newer version. At this point it's hard to say what might be broken. Is this a firewall you can reinstall clean and restore the config to? I would do that if you can to be sure it's cleanly on 2.6.
Steve
-
@stephenw10 - I simply switched the branch from dev back to stable :)
-
TBH, I don't mind running on a dev branch. I have only had one major problem previously with pfsense, although that was some time ago.
-
Bare in mind that CE snapshots built on FreeBSD 14 were only made public yesterday. There are known issues there currently and no doubt unknown issues too. I would not recommend anyone use the dev branch for anything but testing for a while yet.
Steve
-
@stephenw10 no worries. As far as I'm concerned, there is nothing to lose here. If I am going to re-flash the pfSense box with 2.6, then I thought I might as well attempt the update to 2.7.x first and test what's there. This is only a small private network and software/network support is my thing, so no loss either way.
FWIW, the upgrade to 2.7 was not super smooth. The update was effective but during the initial reboot, the system did not come back online automatically. After powering down the box and rebooting, the system came up as expected. Whilst this is outside the scope of this thread, if there are any logs or feedback I can provide, please let me know.
On the plus side, the LDAP connection is now functional again :).
-
Hmm, interesting. The upgrade log is retained in /conf. It may show something, though if it was at the reboot it may not have been logging at that point.
Steve
-
@stephenw10 said in LDAP (MS AD) error- Could not connect to server.:
/conf
FYI, I have included the
upgrade_log.latest.txtfile below. FWIW,upgrade_log.txtwas updated just now when I logged in (I guess due to the auto-refresh on the dashboard), which contained only :>>> Updating repositories metadata... done. Your system is up to dateThe
upgrade_log.latest.txtfile contains several Warnings, mainly relating to array manipulations withinCommand.phpandRole.php, followed by a failure notification:XML Extension not found pkg-static: POST-INSTALL script failedAt the very end of the log file, some fatal errors have been logged, although this seems to relate to the Squid package.
Fatal error: Array and string offset access syntax with curly braces is no longer supported in /usr/local/pkg/squid.inc on line 852 PHP ERROR: Type: 64, File: /usr/local/pkg/squid.inc, Line: 852, Message: Array and string offset access syntax with curly braces is no longer supportedpkg-static: DEINSTALL script failed pkg-static: Fail to kill all processes:No such process -
Ah, yes the Squid package has probably not yet been adapted to php 8.1. I would expect it to throw errors like that until it's updated.
