Netgate Discussion Forum
    LDAPs AD bind

    General pfSense Questions
    27 Posts 8 Posters 7.9k Views
    • rb_it_pf

      I am getting the following output in CLI
      sh: setenv: not found

      • awebster

        Oh, you are probably running the command via the WebGUI Command Line option, in which case do this:

        export LDAPTLS_REQCERT=allow; ldapsearch -v -H "ldaps://dc1.local:636"  -b "dc=local" -s sub -D "username@local" -w "password"
        

        –A.

        • rb_it_pf

          Thanks. I plugged the following into the WebGUI CLI and obtained the following:

          export LDAPTLS_REQCERT=allow; ldapsearch -v -h DC1.local:636 -s base -x "namingContexts"

          ldap_initialize( ldap://DC1.local:636 )
          ldap_result: Can't contact LDAP server (-1)

          I also got the same result plugging the IP in place of the hostname.

          On the domain controller, I filtered my security logs for 4625 and 4624 event IDs with no results.

          Thanks.

          • rb_it_pf

            I did see an event log on the DC with an event ID of 2085.

            "Internal event: An LDAP over Secure Sockets Layer (SSL) connection could not be established with a client."

            Under 'Additional Data'
            "Error value
            2148074289 The client and server cannot communicate, because they do not possess a common algorithm. Internal ID: c05088d"

            • awebster @rb_it_pf

              @rb_it_pf The command isn't correct: you cannot use -h host -p 636, as simply selecting a different port won't make ldapsearch use SSL. I know, it's silly, but you really need to use -H "ldaps://host:636".

              –A.

              • rb_it_pf

                The command worked and outputted the DN.
                I tried the other command that connects to the LDAP server and it worked as well. In fact I was able to see outputs for users that belong to the DC LDAP group.

                I still can't seem to search on the containers or successfully bind using the GUI though.

                Any thoughts?

                • rb_it_pf

                  Solved. I had to restart PHP-FPM in order for the SSL Transport type to take effect. I remember hearing about this in a Netgate video on LDAP but didn't think much of it at the time. Restarting PHP-FPM fixed it. I really appreciate your help troubleshooting with the CLI.
                  Regards.

                  • awebster

                    Happy to help, and glad you figured it out!

                    –A.

                    • stephenw10 Netgate Administrator @awebster

                      @awebster said in LDAPs AD bind:

                      Happy to help, and glad you figured it out!

                      This user deserves your upvote. 👍

                      Steve

                      • rmonette

                        I have similar issues, and in the end, I'm not sure what the resolution was... I tested this:
                        export LDAPTLS_REQCERT=allow; ldapsearch -v -H "ldaps://IPADDRESS:636" -b "dc=XX,dc=YY,dc=com" -s sub -D "user@domain.com" -w "pwd"
                        (with the proper values inserted, of course) from the Pf web CLI, and I got a lot of output which seemed to indicate that the firewall was able to connect to my DC. I think part of my issue is that the CA cert from the DC does not have an IP in the SAN section, and/or that the Pf can't seem to associate the CA cert CN to an IP, which would make me think the issue is DNS resolution.
                        Any suggestions on the next move?

                        • rb_it_pf

                          In pfSense, are you defining your server by hostname or IP? If by hostname, you might need to add a host override. I did this under the DNS Resolver settings.

                          I performed the PHP-FPM restart from the console, not from within the web GUI.

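Added example (not code from this thread, from pfSense or from any poster) for the certificate-name question rmonette raises and rb_it_pf answers above: it checks whether the server name a client was given (hostname or IP) is covered by the certificate's Subject Alternative Name, following ordinary TLS client rules (an IP literal is satisfied only by an iPAddress SAN, a hostname only by a dNSName SAN). The function names are mine, the input format is the SAN block as printed by `openssl x509 -noout -ext subjectAltName`, and the sample SAN text is constructed.

```python
import ipaddress

# Constructed sample (not from the thread): the SAN block as printed by
#   openssl s_client -connect dc1.local:636 </dev/null | openssl x509 -noout -ext subjectAltName
# for a DC certificate that names the host but carries no IP address SAN.
SAMPLE_SAN_TEXT = "X509v3 Subject Alternative Name:\n    DNS:dc1.local, DNS:dc1"

def parse_san(text):
    """Split openssl's subjectAltName dump into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for line in text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns.append(entry[len("DNS:"):].lower())
            elif entry.startswith("IP Address:"):
                ips.append(ipaddress.ip_address(entry[len("IP Address:"):].strip()))
    return dns, ips

def dns_name_matches(pattern, host):
    """dNSName match: exact, or a leading '*' label standing in for exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".", 1)
    return len(labels) == 2 and labels[1] == pattern[2:]

def san_covers(server, dns, ips):
    """Client rule: an IP literal is satisfied only by an iPAddress SAN, a hostname only by a dNSName."""
    try:
        return ipaddress.ip_address(server) in ips
    except ValueError:
        return any(dns_name_matches(p, server) for p in dns)

def diagnose(server, san_text):
    """Return 'ok: ...' or 'mismatch: ...' explaining why a verifying client would reject."""
    dns, ips = parse_san(san_text)
    if san_covers(server, dns, ips):
        return "ok: %s is covered by the certificate SAN" % server
    try:
        ipaddress.ip_address(server)
    except ValueError:
        return "mismatch: %s matches none of the dNSName SANs (%s)" % (server, ", ".join(dns) or "none")
    return ("mismatch: configured by IP but the certificate has no matching iPAddress SAN; use a SAN "
            "name (%s) and make sure the firewall resolves it, e.g. via a DNS Resolver host override"
            % (dns[0] if dns else "none present"))
```

Running `diagnose("192.0.2.10", SAMPLE_SAN_TEXT)` against the sample reports the IP mismatch, while `diagnose("dc1.local", SAMPLE_SAN_TEXT)` reports ok; setting LDAPTLS_REQCERT=allow in ldapsearch skips exactly this check, which is why the CLI test can succeed while a verifying client still fails.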
                          • tnacnud1 @rb_it_pf

                            @rb_it_pf Thank you so much! I have been wasting away hours/days trying to figure out why LDAPS would not work. Literally running option 16 in the console resolved the issue. Someone should really put this in the documentation. I can't believe that's all I needed to do. You are a life saver!

                            • ciroque @tnacnud1

                              @tnacnud1

                              OMG THANK YOU THANK YOU THANK YOU

                              I have been fiddling around with this for three days!

                              • sunchar

                                Hi guys!

                                It's been a lot since the last response to this.
                                After updating to 2.7.2 (from 2.7.0), I can't get LDAPS to work again.

                                By running these commands:

                                setenv LDAPTLS_REQCERT allow
                                ldapsearch -v -H "ldaps://dc1.local:636"  -b "dc=local" -s sub -D "username@local" -w "password"
                                

                                it seems to work, because it shows so much information about my directory.
                                But it does not work when trying to authenticate on the GUI. I have restarted PHP-FPM so many times with no success.

                                Please advise.

                                Thank you!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.