Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    LDAP Authentication with Active Directory Windows Server 2025, bind fails

    General pfSense Questions
    2
    5
    672
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • LaxarusL
      Laxarus
      last edited by

      Hello,
      Can anyone confirm that LDAP authentication works with Active Directory of Windows Server 2025 ? I can access and use the LDAP on all of my other services like proxmox etc but pfsense refuses to bind.

      pfsense can ping the windows server and there is no firewall rule restrictions.

      Current Settings below:

      host: 192.168.1.32
Port: 389
Transport: Standard TCP
Peer Certificate Authority : Global Root CA list
Client Certificate: None
Protocol version: 3
Server Timeout: 25
Search scope Level: Entire Subtree
Base DN: DC=ad,DC=my,DC=org
Authentication containers: OU=den;CN=Users;DC=ad,DC=my,DC=org
Extended query: Disabled
Bind anonymous: Disabled
Bind credentials: CN=administrator,CN=Users
User naming attribute: samAccountName
Group naming attribute: cn
Group member attribute: memberOf
RFC 2307 Groups: Disabled
Group Object Class: posixGroup
Shell Authentication Group DN:
UTF8 Encode: Disabled
Username Alterations: Disabled
Allow unauthenticated bind: Disabled

      Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: ERROR! Could not bind to LDAP server AD. Please check the bind credentials.
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: LDAP connection error flag: false
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Group Filter:
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Filter: (samaccountname=Administrator)
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Extended Query:
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Attrs: Name: samaccountname / Group: memberOf
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Container: OU=den;CN=Users;DC=ad,DC=my,DC=org
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Auth Bind DN: CN=administrator,CN=Users,DC=ad,DC=my,DC=org
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Scope: subtree
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Base DN: DC=ad,DC=my,DC=org
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: URI: ldap://192.168.1.32:389 (v3)
Apr 17 02:56:16 	php-fpm 	307 	/diag_authentication.php: LDAP Debug: Attempting to authenticate Administrator on AD
      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        It probably requires an encrypted connection, so STARTLTLS or LDAPS. See:
        https://docs.netgate.com/pfsense/en/latest/usermanager/ldap.html#adding-an-ldap-server

        Steve

        LaxarusL 1 Reply Last reply Reply Quote 1
        • LaxarusL
          Laxarus
          last edited by Laxarus

          After a sleepless night with lots of troubleshooting, I managed to fix the issue. Anyone who came across this can try the below.

          Apparently for some reason pfsense and DC fails to negotiate a proper signing requirements.
          I noticed this after inspecting the packet captures which gives me an "unknown CA" error when trying to use SSL.

          After modifying the Domain Controller Policy like below, it works now both with SSL disabled and enabled.

          Domain Controller Policy
          ===Computer Configuration
          ======Policies
          =========Windows Settings
          ============Security Settings
          ===============Local Policies
          ==================Security Options
          =====================Domain controller: LDAP server channel binding token requirements: "When Supported"
          =====================Domain controller: LDAP server signing requirements: "None"
          =====================Domain controller: LDAP server Enforce signing requirements: "Disabled"
          =====================Network security: LDAP client encryption requirements: "Negotiate Sealing"
          =====================Network security: LDAP client signing requirements: "Negotiate Signing"

          1 Reply Last reply Reply Quote 0
          • LaxarusL
            Laxarus @stephenw10
            last edited by

            @stephenw10 Thanks for the input and you were very close but even after setting the SSL with proper certs, I was not getting it through without the above mentioned DC settings.

            1 Reply Last reply Reply Quote 0
            • LaxarusL
              Laxarus
              last edited by Laxarus

              An update after further testing, details below:
              After getting the unencrypted TCP working reliably, I wanted to verify the SSL with LDAPS and noticed that the SSL auth was randomly failing with the same bind error. I could not fix this one no matter what I tried and eventually it started failing all the LDAPS binds.
              Everything works fine with LDP and Apache Directory Studio but for some reason pfSense just does not want to work with SSL.
              I use LE certs on my server and in theory the LE CA should work since it is working in every other application like LDP and Apache Directory Studio.
              The only major change to pfsense was the updated OpenSSL package. Might it be possible that this is the reason? If anyone can confirm that I would be happy to open a bug report but I don't want to waste anyone's time over there if this is a configuration mistake on my part.
              Packet capture shows TLS 1.3 auth

              1 Reply Last reply Reply Quote 0
              • First post
                Last post