Netgate Discussion Forum

LDAPs AD bind

General pfSense Questions
27 Posts 8 Posters 7.3k Views
    rb_it_pf
    last edited by Aug 29, 2019, 5:07 PM

    Another thing I should mention is that the pfSense WAN is actually the same network that DC is on. I am testing things so I am technically double NATed. Not sure if that is making any difference here. WAN rules are deny all.

      awebster
      last edited by Aug 29, 2019, 5:15 PM

      That's normal, it's due to openssl not recognizing the issuing CA, but it does prove that the server is accepting LDAPS connections.
      However, I'm assuming it is still not working, so you might need to dig a bit deeper, you can go look at DC1's event viewer security log.
      Look for event-id 4624 (success) and 4625 (failure) to see if you can see what's going on.
      Note that if the user doing the bind doesn't exist in AD, nothing is logged.

      You can also try the following from the CLI to prove to yourself that the server is actually working as expected.

      setenv LDAPTLS_REQCERT allow
      ldapsearch -v -H "ldaps://dc1.local:636"  -b "dc=local" -s sub -D "username@local" -w "password"
      

      If it works, it'll output the contents of your AD.

      If you don't know what your Base DN is (input to -b parameter above), you can use this to find it out - [Hint to pfSense dev's this would be a useful feature to add to automatically populate the naming context for the LDAP server config page.]

      ldapsearch -v -h hostname_or_ip -s base -x  "namingContexts"
      

      For AD, it will output several naming contexts, ignore the following:
      CN=Configuration,DC=...
      CN=Schema,DC=...
      DC=ForestDnsZones,DC=...
      DC=DomainDnsZones,DC=...
      The one left over will be the DC=... part that's what you want to use as your base DN.

      –A.

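The base DN lookup awebster describes above (read namingContexts from the rootDSE, discard Configuration, Schema, ForestDnsZones and DomainDnsZones, keep the remaining DC=... partition) as a short Python script. This is an added example, not code from the thread or from pfSense. It parses the LDIF that ldapsearch prints, including folded lines and base64 (`::`) values, and goes one step beyond the post: AD also publishes the answer directly as the rootDSE attribute defaultNamingContext, so the script prefers that when the server returns it. The sample LDIF is constructed, and the `fetch_rootdse()` helper (which shells out to ldapsearch) is an assumption about how you would wire it to a live DC.

```python
"""Pick the AD domain base DN out of ldapsearch's rootDSE output."""
import base64
import re
import subprocess
import sys

# Constructed to look like what `ldapsearch -x -s base -b "" namingContexts`
# prints for a domain controller; not captured from a real server. One value is
# folded across two lines and one is base64 (the `::` form) to exercise both
# LDIF details a grep-based approach misses.
SAMPLE_LDIF = """\
# extended LDIF
# requesting: namingContexts
#

#
dn:
namingContexts: DC=corp,DC=example,DC=local
namingContexts: CN=Configuration,DC=corp,DC=example,DC=local
namingContexts: CN=Schema,CN=Configuration,
 DC=corp,DC=example,DC=local
namingContexts: DC=DomainDnsZones,DC=corp,DC=example,DC=local
namingContexts:: REM9Rm9yZXN0RG5zWm9uZXMsREM9Y29ycCxEQz1leGFtcGxlLERDPWxvY2Fs

# search result
search: 2
result: 0 Success
"""

# First-RDN values of the DNS application partitions the post says to ignore.
DNS_PARTITIONS = {"forestdnszones", "domaindnszones"}


def parse_ldif_entry(text):
    """Return {attribute_lower: [values]} for the entry in an LDIF dump."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":                         # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def first_rdn(dn):
    """Split 'DC=corp,DC=example' into ('dc', 'corp')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip().lower()


def pick_domain_base_dn(attrs):
    """Apply the rule from the post: drop Configuration, Schema and the two DNS
    partitions; the remaining DC=... naming context is the base DN.

    AD also publishes the answer directly as defaultNamingContext, so that is
    used first when the server returned it.
    """
    if attrs.get("defaultnamingcontext"):
        return attrs["defaultnamingcontext"][0]
    candidates = []
    for nc in attrs.get("namingcontexts", []):
        attr, value = first_rdn(nc)
        if attr == "cn" or value in DNS_PARTITIONS:
            continue
        candidates.append(nc)
    if len(candidates) != 1:
        raise ValueError(f"expected one domain naming context, got {candidates}")
    return candidates[0]


def fetch_rootdse(uri):
    """Assumed helper: anonymous base-scope read of the rootDSE with ldapsearch.

    -LLL drops the comment lines. With an ldaps:// URI and a CA the client does
    not trust, set LDAPTLS_REQCERT=allow in the environment as the post shows.
    """
    out = subprocess.run(
        ["ldapsearch", "-x", "-LLL", "-H", uri, "-s", "base", "-b", "",
         "namingContexts", "defaultNamingContext"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_ldif_entry(out)


if __name__ == "__main__":
    # usage: python3 base_dn.py ldaps://dc1.local:636   (no argument: parse the sample)
    attrs = fetch_rootdse(sys.argv[1]) if len(sys.argv) > 1 else parse_ldif_entry(SAMPLE_LDIF)
    print("Base DN:", pick_domain_base_dn(attrs))
```

Run without arguments it prints `Base DN: DC=corp,DC=example,DC=local` from the constructed sample; with an ldap:// or ldaps:// URI it asks the real rootDSE instead.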
        rb_it_pf
        last edited by Aug 29, 2019, 5:40 PM

        I am getting the following output in CLI
        sh: setenv: not found

          awebster
          last edited by Aug 29, 2019, 6:00 PM

          Oh, you are probably running the command via the WebGUI Command Line option, in which case do this:

          export LDAPTLS_REQCERT=allow; ldapsearch -v -H "ldaps://dc1.local:636"  -b "dc=local" -s sub -D "username@local" -w "password"
          

          –A.

            rb_it_pf
            last edited by rb_it_pf Aug 29, 2019, 6:20 PM Aug 29, 2019, 6:07 PM

            Thanks. I plugged the following into the WebGUI CLI and obtained the following:

            export LDAPTLS_REQCERT=allow; ldapsearch -v -h DC1.local:636 -s base -x "namingContexts"

            ldap_initialize( ldap://DC1.local:636 )
            ldap_result: Can't contact LDAP server (-1)

            I also got the same result plugging the IP in place of the hostname.

            On the domain controller, I filtered my security logs for 4625 and 4624 event IDs with no results.

            Thanks.

              rb_it_pf
              last edited by Aug 29, 2019, 7:15 PM

              I did see an event log on the DC with an event ID of 2085.

              "Internal event: An LDAP over Secure Sockets Layer (SSL) connection could not be established with a client."

              Under 'Additional Data'
              "Error value
              2148074289 The client and server cannot communicate, because they do not possess a common algorithm. Internal ID: c05088d

                awebster @rb_it_pf
                last edited by Aug 29, 2019, 7:39 PM

                @rb_it_pf The command isn't correct, you cannot use -h host -p 636, as simply selecting a different port won't make ldapsearch use SSL, I know, it's silly, but you really need to use -H "ldaps://host:636".

                –A.

                  rb_it_pf
                  last edited by Aug 29, 2019, 10:22 PM

                  The command worked and outputted the DN.
                  I tried the other command that connects to the LDAP server and it worked as well. In fact I was able to see outputs for users that belong to the DC LDAP group.

                  I still can't seem to search on the containers or successfully bind using the GUI though.

                  Any thoughts?

                    rb_it_pf
                    last edited by rb_it_pf Aug 29, 2019, 11:03 PM Aug 29, 2019, 10:48 PM

                    Solved. I had to restart the PHP-FPM in order for the SSL Transport type to take effect. I remember hearing about this in a Netgate video on LDAP but didn't think much of it at the time. Restarting PHP-FPM fixed it. I really appreciate your help troubleshooting with the CLI.
                    Regards.

                      awebster
                      last edited by Aug 30, 2019, 12:54 PM

                      Happy to help, and glad you figured it out!

                      –A.

                        stephenw10 Netgate Administrator @awebster
                        last edited by stephenw10 Aug 30, 2019, 2:03 PM Aug 30, 2019, 2:02 PM

                        @awebster said in LDAPs AD bind:

                        Happy to help, and glad you figured it out!

                        This user deserves your upvote. 👍

                        Steve

                          rmonette
                          last edited by Sep 24, 2019, 5:27 PM

                          I have similar issues, and in the end, I'm not sure what the resolution was... I tested this:
                          export LDAPTLS_REQCERT=allow; ldapsearch -v -H "ldaps://IPADDRESS:636" -b "dc=XX,dc=YY,dc=com" -s sub -D "user@domain.com" -w "pwd" (with the proper values inserted of course)
                          from the Pf web CLI and I got a lot of output which seemed to indicate that the firewall was able to connect to my DC. I think part of my issue is that the CA cert from the DC does not have an IP in the SAN section, and/or that the Pf can't seem to associate the CA cert CN to an IP, which would make me think the issue is DNS resolution.
                          Any suggestions on the next move?

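The SAN point raised above is the general TLS name check: a verifying client compares the name it was asked to connect to with the certificate's subjectAltName, and an IP literal is only satisfied by an iPAddress SAN while a hostname is only satisfied by a dNSName SAN. Configuring the server by a DNS name that appears on the certificate, and making sure pfSense can resolve it, therefore avoids the IP-SAN problem without reissuing the certificate. The Python below is an added example, not code from the thread or from pfSense: `san_matches()` applies that rule to a certificate in the dict form Python's ssl module returns, and `probe_ldaps()` performs the LDAPS handshake, verifies the chain against the CA file you give it and reports the negotiated protocol and cipher, the two facts behind the "no common algorithm" wording of event 2085 earlier in the thread. The certificate dict and the names dc1.corp.example.local and 192.0.2.10 are constructed.

```python
"""Check whether an LDAPS server's certificate covers the name pfSense is configured with."""
import ipaddress
import socket
import ssl
import sys

# Constructed certificate in the dict layout ssl.SSLSocket.getpeercert() returns,
# modelled on a typical domain-controller cert: DNS SANs only, no IP SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.corp.example.local"),),),
    "subjectAltName": (
        ("DNS", "dc1.corp.example.local"),
        ("DNS", "corp.example.local"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, wildcard only as the whole
    leftmost label, and a wildcard matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(cert, target):
    """Return (ok, reason) for whether `target` is covered by the cert's SAN.

    `target` is whatever was typed into the server field. An IP literal is only
    satisfied by an iPAddress SAN, a hostname only by a dNSName SAN; the CN is
    ignored, as verifiers do once a SAN extension is present.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            try:
                if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                    return True, f"{ip} is listed as an iPAddress SAN"
            except ValueError:          # malformed SAN value, skip it
                continue
        return False, (f"no iPAddress SAN for {ip}; configure the server by a DNS name "
                       f"from the SAN (and make sure it resolves) or reissue the certificate")
    for kind, value in sans:
        if kind == "DNS" and _dns_name_matches(value, target):
            return True, f"{target} matches dNSName SAN {value}"
    return False, f"no dNSName SAN matches {target}"


def probe_ldaps(host, port=636, cafile=None):
    """Handshake with the LDAPS server and return (tls_version, cipher, cert_dict).

    The chain is verified against `cafile` (the CA that issued the DC's cert),
    the same trust pfSense needs; the name check is left to san_matches() so a
    mismatch is explained instead of only raising. A handshake that fails with
    no shared protocol or cipher shows up here as an ssl.SSLError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # we report the name mismatch ourselves
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) >= 2:              # usage: ldaps_check.py <host-or-ip> [ca.pem]
        host = sys.argv[1]
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        version, cipher, cert = probe_ldaps(host, cafile=cafile)
        print(f"negotiated {version} with {cipher}")
    else:                               # offline: the constructed cert, reached by IP
        host, cert = "192.0.2.10", SAMPLE_CERT
    ok, reason = san_matches(cert, host)
    print("OK" if ok else "MISMATCH", "-", reason)
```

Run offline it reports `MISMATCH` for the constructed certificate because 192.0.2.10 is not among its SANs; pointed at a real DC with its CA file, a chain that the CA does not vouch for fails in `probe_ldaps()` the same way the openssl check earlier in the thread did.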
                            rb_it_pf
                            last edited by rb_it_pf Sep 24, 2019, 5:51 PM Sep 24, 2019, 5:50 PM

                            In pfSense, are you defining your server by hostname or IP? If by hostname, you might need to add a host override. I did this under the DNS resolver settings.

                            I performed the PHP-FPM restart from the console, not from within the web GUI.

                              tnacnud1 @rb_it_pf
                              last edited by Oct 22, 2020, 1:45 PM

                              @rb_it_pf Thank you so much! I have been wasting away hours/days trying to figure out why LDAPS would not work. Literally running option 16 in the console resolved the issue. Someone should really put this in the documentation. I can't believe that's all I needed to do. You are a life saver!

                                ciroque @tnacnud1
                                last edited by Jan 30, 2021, 10:18 PM

                                @tnacnud1

                                OMG THANK YOU THANK YOU THANK YOU

                                I have been fiddling around with this for three days!

                                  sunchar
                                  last edited by Jul 11, 2024, 5:23 AM

                                  Hi guys!

                                  It's been a long time since the last response to this.
                                  After updating to 2.7.2 (from 2.7.0), I can't get LDAPS to work again.

                                  Running these commands:

                                  setenv LDAPTLS_REQCERT allow
                                  ldapsearch -v -H "ldaps://dc1.local:636"  -b "dc=local" -s sub -D "username@local" -w "password"
                                  

                                  seems to work, because it shows a lot of information about my directory.
                                  But it does not work when trying to authenticate on the GUI. I have restarted PHP-FPM many times with no success.

                                  Please advise.

                                  Thank you!
