Netgate Discussion Forum
    LDAPS 636 problems with pfsense

    Category: Firewalling
    12 Posts, 4 Posters, 5.7k Views
    mcury (Rebel Alliance), replying to Paolo Scagnetti:

      @Paolo-Scagnetti Did you restart PHP after changing to LDAPS?

      https://docs.netgate.com/pfsense/en/latest/troubleshooting/authentication.html#restart-php-and-the-gui

      dead on arrival, nowhere to be found.

    Paolo Scagnetti, replying to mcury:

        @mcury Yes, I have restarted the entire firewall, I have tried everything...
        Any idea?
        I configured:
        LDAP
        636
        SSL/TLS Encrypted

        I set the hostname and hostname.domain.local, same error.
        If I try ldp.exe, bind OK, also openssh by pfSense.

    mcury (Rebel Alliance), replying to Paolo Scagnetti:

          @Paolo-Scagnetti

          The CN of the CA matches the hostname you are using to connect?
          Is the DNS resolving the hostname to the correct IP?
          What about the bind credentials, confirmed working?


    Paolo Scagnetti, replying to mcury:

            @mcury
            Yes, DNS works perfectly; I have also inserted the override in the DNS forwarder.
            I have tried with ldp.exe and bind works perfectly.

            The CN of the CA is different from the server DC hostname.
            CA CN: domain-SRV-DC-CA
            DC hostname: srv-dc.domain.local

    mcury (Rebel Alliance), replying to Paolo Scagnetti:

              @Paolo-Scagnetti said in LDAPS 636 problems with pfsense:

              The CN of the CA is different from the Server DC hostname.

              If it's not the CN, it must be a SAN, or it won't work.

              NOTE: When using SSL/TLS or STARTTLS, this hostname MUST match a Subject Alternative Name (SAN) or the Common Name (CN) of the LDAP server SSL/TLS Certificate.


    Paolo Scagnetti, replying to mcury:

                @mcury
                OK, I need to recreate the CA certificate with the SAN of the domain controller extended, correct?
                Thanks!!
                1 hour and I will try.

    Paolo Scagnetti, following up on his own post:

                  Hi,

                  I have reconfigured the CA with the CN and SAN of my srv-dc.dominio.local.
                  Same error: connection OK, bind failed.
                  I have imported the .pfx of the server certificate and the CA.
                  Is only the CA needed?

                  Thanks, Paolo

    mcury (Rebel Alliance), replying to Paolo Scagnetti:

                    @Paolo-Scagnetti said in LDAPS 636 problems with pfsense:

                    It's only needed the CA?

                    Yes, only the CA is needed.

                    Try disabling LDAPS for a moment, just to see if the bind will work.
                    I'm using LDAPS in pfSense and it is working perfectly.

                    Connecting to a Samba domain.


    Paolo Scagnetti, replying to mcury:
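    Editor's added example, not code from the thread or from pfSense: the two posts above say the configured LDAP hostname must appear as a SAN or the CN of the domain controller's certificate, and that only the CA certificate needs to be imported into pfSense. The script below builds a throw-away CA and two DC certificates with openssl (all names are constructed to mirror the thread: domain.local, srv-dc, domain-SRV-DC-CA; nothing touches a real AD or CA) and then runs exactly those two checks against each certificate, so you can see which certificate pfSense would get past the TLS handshake with before you spend another hour regenerating templates. It assumes a POSIX sh and an openssl 1.1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense). Builds a constructed CA and
# two server certs, then checks (1) hostname present in SAN/CN and
# (2) server cert chains to the CA alone, i.e. the two conditions the thread
# says an LDAPS bind from pfSense depends on.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=srv-dc.domain.local    # constructed; what you would type into pfSense's hostname field

# --- constructed CA: its CN is deliberately NOT the DC hostname (as in the thread)
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = domain-SRV-DC-CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert BASENAME CN [SAN_DNS]: issue a server cert from the constructed CA.
# An empty third argument means "no subjectAltName extension at all".
issue_cert() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$2" > "$WORK/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\n' > "$WORK/$1.ext"
  [ -n "$3" ] && printf 'subjectAltName=DNS:%s\n' "$3" >> "$WORK/$1.ext"
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}
issue_cert dc "$HOST" "$HOST"    # good: FQDN in both CN and SAN
issue_cert dc-short srv-dc ""    # bad: short name only, no SAN

# cert_has_host CERT HOSTNAME: 0 if HOSTNAME equals a DNS SAN entry or the CN.
# Exact string match only; the thread reports wildcard certs are not accepted.
cert_has_host() {
  _sans=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
          | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' || true)
  _cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p' || true)
  for _name in $_sans $_cn; do
    [ "$_name" = "$2" ] && return 0
  done
  return 1
}

# cert_chains_to_ca CA_CERT SERVER_CERT: 0 if the server cert verifies against
# the CA cert alone, which is all pfSense needs imported.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# ldaps_cert_ok CA_CERT SERVER_CERT HOSTNAME: both conditions must hold.
ldaps_cert_ok() { cert_has_host "$2" "$3" && cert_chains_to_ca "$1" "$2"; }

for c in dc dc-short; do
  if ldaps_cert_ok "$WORK/ca.crt" "$WORK/$c.crt" "$HOST"; then
    echo "$c.crt: OK for hostname $HOST"
  else
    echo "$c.crt: REJECT for hostname $HOST (not in SAN/CN, or not issued by this CA)"
  fi
done
```

    To check a live domain controller instead of the constructed certificates, feed the certificate you already have (for example the one exported from the .pfx, or the leaf fetched with `openssl s_client -connect srv-dc.domain.local:636`) to `cert_has_host` and `cert_chains_to_ca` with the CA you imported into pfSense; if both pass and the bind still fails, the problem is past the TLS layer (credentials, base DN, signing requirements), not the certificate.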

                      @mcury
                      I changed back to 389 and same problem now: bind failed, connection OK.
                      I have configured 60-70 pfSense without any problem in LDAPS.
                      I have Windows Server 2025 and also disabled LDAP required signing.

    afrojoe, replying to mcury:

                        @mcury THANK YOU SO MUCH FOR THIS, it solved my issue.

    tsmalmbe:

                          I can verify that a (public) wildcard cert does not work; the specific hostname must be present in the certificate. I think this is not really well documented, because I struggled with debugging this a few years ago myself.

                          Security Consultant at Mint Security Ltd - www.mintsecurity.fi

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.