[solved] 2.4 broke LDAP against Mac OS Server

SpaceBass · Aug 28, 2017, 11:04 PM

What do the logs on the OS X Server show? When pfSense is making its queries, are they being received? Do they fail?

nada…zip ... they don't show a thing :/
if I do a tcpdump port 636 I can see the traffic hitting the Mac OS box.

but the plot thickens.

If I change to STARTLS I get the following "error"? at the top of the PF page:

Warning: ldap_start_tls(): Unable to start TLS: Connect error in /etc/inc/auth.inc on line 1342 Call Stack: 0.0001 233640 1\. {main}() /usr/local/www/diag_authentication.php:0 0.0580 1633400 2\. authenticate_user() /usr/local/www/diag_authentication.php:47 0.0581 1633640 3\. ldap_backed() /etc/inc/auth.inc:1748 0.0593 1635256 4\. ldap_start_tls() /etc/inc/auth.inc:1342

Authentication still fails.

If I change to TCP (no encryption) it works. (Which I share was different than yesterday…but maybe the Hawthorne effect with tcpdump is real :) ... needless to say, I'd prefer not to drop SSL.

Derelict · Aug 28, 2017, 10:59 PM

Is your LDAP server configured for TCP - Standard (on port 389), TCP - STARTTLS (on port 389), or SSL (on port 636)??

SpaceBass · Aug 28, 2017, 11:13 PM

@Derelict:

Is your LDAP server configured for TCP - Standard (on port 389), TCP - STARTTLS (on port 389), or SSL (on port 636)??

it responds on both TCP and SSL. I prefer SSL obviously and it worked with SSL prior to the upgrade from 2.3.x to 2.4

and on multiple Ubuntu installs, this line in ldap.conf is sufficient (along with the base)

uri ldaps://server.foo.bar
```with the server's commercial cert I don't even have to load the CA on the ubuntu boxes.

Derelict · Aug 28, 2017, 11:18 PM

OK. But that is not what I asked. I asked how you had it set.

SpaceBass · Aug 29, 2017, 12:34 AM

@Derelict:

OK. But that is not what I asked. I asked how you had it set.

Sorry, perhaps I didn't understand the question correctly. My bad!

The server itself is set to respond to TCP - Standard (on port 389) and SSL (on port 636)

In PF I have tried:

TCP - Standard (on port 389) Worked once - nice again
TCP - STARTTLS (on port 389) - does not work

[iii] SSL (on port 636) - does not work [/iii]

Derelict · Aug 29, 2017, 12:36 AM

And standard works and SSL does not?

SpaceBass · Aug 29, 2017, 1:05 AM

@Derelict:

And standard works and SSL does not?

Standard worked once. Once I try SSL and the error gets thrown, standard doesn't work again until I reboot PF or wait for something (?) to time out… EG it worked once today but not since.

One other note on my end - above I said it's Mac OS 10.11 which is incorrect. I'm running 10.12.5

Derelict · Aug 29, 2017, 2:07 AM

I am looking at this. I don't know if it is OS X Server or SSL/STARTTLS LDAP in general.

I do not see what you see.

Standard always works.

SSL fails with Authentication Failed

STARTTLS fails with Authentication failed and also throws this:

Warning: ldap_start_tls(): Unable to start TLS: Connect error in /etc/inc/auth.inc on line 1342 Call Stack: 0.0000 233808 1. {main}() /usr/local/www/diag_authentication.php:0 0.0244 1622264 2. authenticate_user() /usr/local/www/diag_authentication.php:47 0.0244 1622504 3. ldap_backed() /etc/inc/auth.inc:1748 0.0247 1624128 4. ldap_start_tls() /etc/inc/auth.inc:1342

I can change the Transport at will and the behavior is the same. No reboots or anything like that necessary.

There is an issue with certificate validation it seems. Perhaps something changed in openldap. Not sure yet.

2.4.0-RC (amd64)
built on Mon Aug 28 11:05:02 CDT 2017
FreeBSD 11.0-RELEASE-p12

GeoTrust RapidSSL Certificate

macOS Server 10.11.6

ETA: According to packet captures both SSL and STARTTLS are failing with TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

tim.mcmanus · Aug 29, 2017, 3:10 AM

You have to look also at the server version, 5.3 or 5.4, depending on the Mac OS version. There are also CLI commands to increase logging. man serveradmin is a good place to start.

SpaceBass · Aug 31, 2017, 12:52 AM

Hey friends!
Thanks to this forum and this Reddit thread: https://www.reddit.com/r/PFSENSE/comments/6wm2m1/24_broke_ldap_auth_against_mac_os_servers/
i've found success!

It turns out —not sure why this wasn't the case in 2.3.x —that the entire chain is needed for commercial certs to work.

I had tried concatenating them by hand and exporting them from Keychain Access but it didn't work.

This command, on the other hand, generated a complete chain that works for commercial certs on macOS

openssl s_client -host <fqdn> -port 443 -prexit -showcerts</fqdn>

This, of course, assumes ones web server uses the same cert and chain as the LDAP server, but in most OS X Server deployments, that's probably the case. If not, it'd be trivial to set up a web server using the LDAP cert and pull it this way. One might also simply change the port (although I didn't try it) to 636.

That spits out an entire chain of certs in the right order (which apparently matters) which one can past into a CA in PF's CA screen.

Hope this helps someone else!

Thanks everyone for the troubleshooting tips and help to get this far!

jimp · Aug 31, 2017, 1:59 PM

I pushed a fix yesterday to make it build the entire chain automatically.

Assuming you have all of the CA certs and intermediates imported, you can select the bottom intermediate as the LDAP CA and it will figure out the rest.