LDAP authentication; some users work, some don't
-
If you are using plain TCP for LDAP, running a packet capture of the LDAP query and looking at it in Wireshark will tell you all you need to know.
-
Using UDP.
-
For pfSense auth it's either plain TCP or SSL (still TCP). There is no option for LDAP to run UDP. The selector in the auth server settings only has two choices, TCP on port 389, or SSL on port 636.
-
My mistake, I was looking at the protocol value on the OpenVPN config page. Yes, I'm using TCP 389. I'm reviewing the capture in Wireshark now.
-
From the packet capture viewed in Wireshark, I do see this error after searchRequest "<root>" wholeSubtree.
LDAP 176 searchResDone(2) noSuchObject (0000208D: NameErr: DSID-031001A8, problem 2001 (NO_OBJECT), data 0, best match of: '' ) [0 results]
Does this just mean the user was not found in the root DN?
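The diagnostic string inside that searchResDone is Active Directory's own extended error text, and it is worth decoding before guessing. The following is an added example (not code from the thread or from pfSense) that parses that string format and explains the two shapes most often seen when troubleshooting an LDAP bind-and-search from a firewall: the NameErr/NO_OBJECT form shown in the capture above, and the "AcceptSecurityContext error, data NNN" form AD returns on a failed bind. The sample messages are constructed for the example; the first reproduces the text from the capture, the second is a typical failed-bind response. The code mapping uses Microsoft's documented Win32 and DS error values.

```python
import re
from typing import Optional

# Win32 / Directory Service error codes that AD embeds in LDAP diagnostic
# messages (values from Microsoft's documented error code lists).
WIN32_DS_CODES = {
    0x208D: "ERROR_DS_NO_SUCH_OBJECT: search base does not exist or is not readable by the bound identity",
    0x525:  "ERROR_NO_SUCH_USER: the user does not exist",
    0x52E:  "ERROR_LOGON_FAILURE: wrong password for an existing user",
    0x530:  "ERROR_INVALID_LOGON_HOURS: logon not permitted at this time",
    0x531:  "ERROR_INVALID_WORKSTATION: logon not permitted from this host",
    0x532:  "ERROR_PASSWORD_EXPIRED",
    0x533:  "ERROR_ACCOUNT_DISABLED",
    0x701:  "ERROR_ACCOUNT_EXPIRED",
    0x773:  "ERROR_PASSWORD_MUST_CHANGE: user must reset password at next logon",
    0x775:  "ERROR_ACCOUNT_LOCKED_OUT",
}

# Matches "<hex>: <Category>: DSID-<hex>[, problem N (NAME)][, comment: ...], data <hex>[, best match of: '...']"
DIAG_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}):\s*(?P<category>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r"(?:,\s*problem\s+(?P<problem>\d+)\s+\((?P<problem_name>[A-Z_]+)\))?"
    r"(?:,\s*comment:\s*(?P<comment>[^,]+))?"
    r",\s*data\s+(?P<data>[0-9A-Fa-f]+)"
    r"(?:,\s*best match of:\s*'(?P<best_match>[^']*)')?",
    re.DOTALL,
)

# Constructed samples. The first is the text seen in the capture in the thread,
# the second is a typical AD response to a bind with a bad password.
SAMPLE_FROM_THREAD = (
    "LDAP 176 searchResDone(2) noSuchObject (0000208D: NameErr: DSID-031001A8, "
    "problem 2001 (NO_OBJECT), data 0, best match of:\n''\n) [0 results]"
)
SAMPLE_BAD_PASSWORD = (
    "LDAP 115 bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C09042F, "
    "comment: AcceptSecurityContext error, data 52e, v2580)"
)


def explain(r: dict) -> str:
    """Turn the parsed fields into a one-line diagnosis for the operator."""
    if r["category"] == "NameErr" and r["problem"] == 2001:
        base = r["best_match"] if r["best_match"] else "<none>"
        # AD hides objects the caller cannot read, so a base DN the bound
        # account has no access to looks exactly like a DN that does not exist.
        return ("search base not found or not readable by the bound identity "
                f"(best match {base!r}); check the base DN and the bind account's read rights")
    if r["comment"] and "AcceptSecurityContext" in r["comment"]:
        # On a failed bind the interesting code is the 'data' field, not the leading code.
        return WIN32_DS_CODES.get(r["data"], f"bind failed, unmapped data code 0x{r['data']:x}")
    return WIN32_DS_CODES.get(r["code"], f"unmapped code 0x{r['code']:08x}")


def parse_ad_diagnostic(message: str) -> Optional[dict]:
    """Parse an AD LDAP diagnostic string; return None if the text is not one."""
    m = DIAG_RE.search(message)
    if not m:
        return None
    d = m.groupdict()
    r = {
        "code": int(d["code"], 16),
        "category": d["category"],
        "dsid": d["dsid"],
        "problem": int(d["problem"]) if d["problem"] else None,
        "problem_name": d["problem_name"],
        "comment": d["comment"].strip() if d["comment"] else None,
        "data": int(d["data"], 16),
        "best_match": d["best_match"],
    }
    r["meaning"] = explain(r)
    return r


if __name__ == "__main__":
    for sample in (SAMPLE_FROM_THREAD, SAMPLE_BAD_PASSWORD):
        parsed = parse_ad_diagnostic(sample)
        print(f"{parsed['category']} 0x{parsed['code']:08x}: {parsed['meaning']}")
```

The point for the thread's symptom is the first branch: a noSuchObject on the base DN from a search right after the bind usually means the bound account cannot read that part of the tree (or the base DN is mistyped), not that the end user is missing. A "data 52e"-style bind failure is a different problem entirely and is decoded from the `data` field.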
-
If that was the server responding, that would appear to be the case.
-
I would agree, but there are successful sendRequests that follow.
Got a bit further now:
When I originally configured LDAP authentication, I used http://www.geeklk.com/2014/03/pfsense-configuring-windows-active-directory-authentication/ as a guide.
I created an OU and user in AD just like the guide.
As a test, I changed the bind credentials in LDAP server to an existing user in AD and now the extended query is working correctly.
-
It appears the pfsense user has to be a member of Domain admins or Administrators for it to work properly. Does this have something to do with how SBS Domains are configured?
I don't really want to have that user part of such a high level security group, but I'm unable to get it working correctly otherwise.
-
That's entirely up to the Windows box and what it allows with anonymous binds vs. binds with a service account. You might be able to find some other info on the net about that unrelated to pfSense (since it's a general Windows LDAP issue, not a pfSense issue).
-
I agree this has to do with my own server configuration and nothing to do with the pfSense LDAP implementation.
Thank you for your responses.