Netgate Discussion Forum
    LDAP (MS AD) error- Could not connect to server.

      swinster

      Something interesting. Running ldapsearch from the command line results in an error with mismatched library files:

      ldapsearch -H ldap://dc.mydomain.local:389 -D "CN=LDAP User,CN=Users,DC=mydomain,DC=local" -w "xxxx" -b "OU=Users,OU=MyBusiness,DC=mydomain,DC=local" "(sAMAccountName=me)"  
      
      ldap_int_sasl_init: SASL library version mismatch: expected 2.1.28, got 2.1.27
      ldapsearch: ldap_get_option(API_INFO) failed
      
      

      I am not entirely sure how to resolve this.

        stephenw10 Netgate Administrator

        Hmm, 2.1.28 is the pfSense 2.7 (dev) version of that lib.

        Make sure your update branch is set to latest stable.

        Try running at the command line: pkg info cyrus-sasl
        That should show you what you have currently.

        Steve

          swinster @stephenw10

          @stephenw10 said in LDAP (MS AD) error- Could not connect to server.:

          Hmm, 2.1.28 is the pfSense 2.7 (dev) version of that lib.

          Make sure your update branch is set to latest stable.

          Try running at the command line: pkg info cyrus-sasl
          That should show you what you have currently.

          Steve

          OK, that makes some sense. I believe I upgraded to the dev branch to see if there was a change in another issue, then immediately downgraded back to the stable branch. I guess this package was downgraded, however, a reference was left unaltered?

          The result of that package info is:

          cyrus-sasl-2.1.27_2
          Name           : cyrus-sasl
          Version        : 2.1.27_2
          Installed on   : Wed Feb 16 20:47:45 2022 GMT
          Origin         : security/cyrus-sasl2
          Architecture   : FreeBSD:12:amd64
          Prefix         : /usr/local
          Categories     : security
          Licenses       : BSD4CLAUSE
          Maintainer     : ume@FreeBSD.org
          WWW            : https://www.cyrusimap.org/sasl/
          Comment        : RFC 2222 SASL (Simple Authentication and Security Layer)
          Options        :
                  ALWAYSTRUE     : off
                  ANONYMOUS      : on
                  AUTHDAEMOND    : on
                  BDB            : off
                  BDB1           : on
                  CRAM           : on
                  DIGEST         : on
                  DOCS           : off
                  GDBM           : off
                  KEEP_DB_OPEN   : off
                  LMDB           : off
                  LOGIN          : on
                  NTLM           : on
                  OBSOLETE_CRAM_ATTR: on
                  OBSOLETE_DIGEST_ATTR: on
                  OTP            : on
                  PLAIN          : on
                  SCRAM          : on
          Shared Libs provided:
                  libscram.so.3
                  libsasldb.so.3
                  libsasl2.so.3
                  libplain.so.3
                  libotp.so.3
                  libntlm.so.3
                  liblogin.so.3
                  libdigestmd5.so.3
                  libcrammd5.so.3
                  libanonymous.so.3
          Annotations    :
                  FreeBSD_version: 1203500
                  build_timestamp: 2022-01-12T15:23:42+0000
                  built_by       : poudriere-git-3.3.99.20211130
                  cpe            : cpe:2.3:a:cmu:cyrus-sasl:2.1.27:::::freebsd12:x64:2
                  port_checkout_unclean: no
                  port_git_hash  : 17b54ce76328
                  ports_top_checkout_unclean: yes
                  ports_top_git_hash: 7046b65c0d41
                  repo_type      : binary
                  repository     : pfSense
          Flat size      : 1.29MiB
          Description    :
          The Cyrus SASL (Simple Authentication and Security Layer)
          
          SASL is the Simple Authentication and Security Layer, a method
          for adding authentication support to connection-based protocols.
          To use SASL, a protocol includes a command for identifying and
          authenticating a user to a server and for optionally negotiating
          protection of subsequent protocol interactions. If its use is
          negotiated, a security layer is inserted between the protocol
          and the connection.
          
          WWW: https://www.cyrusimap.org/sasl/
          
            swinster @swinster

            This is how things are currently:

            fdf585fa-f8c3-4187-a939-8706a7eaf99b-image.png

              stephenw10 Netgate Administrator

              Hmm, how did you downgrade? That's not something you can normally do. Especially between 2.7 and 2.6 because of the FreeBSD base change.

              Something on your system has pulled in a newer version. At this point it's hard to say what might be broken. Is this a firewall you can reinstall clean and restore the config to? I would do that if you can to be sure it's cleanly on 2.6.

              Steve
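
Added example (not part of the thread or of pfSense): a small sh check that reads the two outputs posted above and reports which side is out of step. In the libldap message, "expected" is the SASL version the LDAP client was compiled against and "got" is the libsasl2 version loaded at run time. The function names are hypothetical; the input strings are the ones quoted in the posts.

```shell
#!/bin/sh
# Inputs copied from the thread: the ldapsearch error line and the first
# fields of `pkg info cyrus-sasl`.
LDAP_ERR='ldap_int_sasl_init: SASL library version mismatch: expected 2.1.28, got 2.1.27'
PKG_INFO='Name           : cyrus-sasl
Version        : 2.1.27_2'

# Version the LDAP client library was built against ("expected").
sasl_expected() {
    printf '%s\n' "$1" |
        sed -n 's/.*SASL library version mismatch: expected \([0-9.]*\), got .*/\1/p'
}

# Version of libsasl2 actually loaded at run time ("got").
sasl_loaded() {
    printf '%s\n' "$1" |
        sed -n 's/.*SASL library version mismatch: expected [0-9.]*, got \([0-9.]*\).*/\1/p'
}

# Upstream version of the installed package, without the port revision (_2).
pkg_upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Version[[:space:]]*:[[:space:]]*\([0-9.]*\).*/\1/p'
}

# Compare the three values and name the component that does not match.
diagnose() {
    exp=$(sasl_expected "$1")
    got=$(sasl_loaded "$1")
    pkg=$(pkg_upstream_version "$2")
    if [ -z "$exp" ] || [ -z "$got" ]; then
        echo "no-mismatch-reported"
    elif [ "$got" = "$pkg" ]; then
        # The loaded library is the installed package, so the LDAP client
        # binary comes from a build made against a different cyrus-sasl.
        echo "client-built-for-$exp-package-is-$pkg"
    else
        # The loaded library is not the packaged one: look for a stray copy.
        echo "loaded-$got-differs-from-package-$pkg"
    fi
}

diagnose "$LDAP_ERR" "$PKG_INFO"
```

On a live system the two arguments would be the captured stderr of the failing ldapsearch call and the output of pkg info cyrus-sasl.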

                swinster @stephenw10

                @stephenw10 - I simply switched the branch from dev back to stable :)

                  swinster @swinster

                  TBH, I don't mind running on a dev branch. I have only had one major problem previously with pfSense, although that was some time ago.

                    stephenw10 Netgate Administrator

                    Bear in mind that CE snapshots built on FreeBSD 14 were only made public yesterday. There are known issues there currently and no doubt unknown issues too. I would not recommend anyone use the dev branch for anything but testing for a while yet.

                    Steve

                      swinster @stephenw10

                      @stephenw10 no worries. As far as I'm concerned, there is nothing to lose here. If I am going to re-flash the pfSense box with 2.6, then I thought I might as well attempt the update to 2.7.x first and test what's there. This is only a small private network and software/network support is my thing, so no loss either way.

                      FWIW, the upgrade to 2.7 was not super smooth. The update was effective but during the initial reboot, the system did not come back online automatically. After powering down the box and rebooting, the system came up as expected. Whilst this is outside the scope of this thread, if there are any logs or feedback I can provide, please let me know.

                      On the plus side, the LDAP connection is now functional again :).

                        stephenw10 Netgate Administrator

                        Hmm, interesting. The upgrade log is retained in /conf. It may show something, though if it was at the reboot it may not have been logging at that point.

                        Steve

                          swinster @stephenw10

                          @stephenw10 said in LDAP (MS AD) error- Could not connect to server.:

                          /conf

                          FYI, I have included the upgrade_log.latest.txt file below. FWIW, upgrade_log.txt was updated just now when I logged in (I guess due to the auto-refresh on the dashboard), which contained only:

                          >>> Updating repositories metadata... done.
                          Your system is up to date
                          

                          The upgrade_log.latest.txt file contains several Warnings, mainly relating to array manipulations within Command.php and Role.php, followed by a failure notification:

                          XML Extension not found
                          pkg-static: POST-INSTALL script failed
                          

                          At the very end of the log file, some fatal errors have been logged, although this seems to relate to the Squid package.

                          Fatal error: Array and string offset access syntax with curly braces is no longer supported in /usr/local/pkg/squid.inc on line 852
                          PHP ERROR: Type: 64, File: /usr/local/pkg/squid.inc, Line: 852, Message: Array and string offset access syntax with curly braces is no longer supportedpkg-static: DEINSTALL script failed
                          pkg-static: Fail to kill all processes:No such process
                          

                          upgrade_log.latest.txt

                            stephenw10 Netgate Administrator

                            Ah, yes, the Squid package has probably not yet been adapted to PHP 8.1. I would expect it to throw errors like that until it's updated.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.