Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    google LDAP connection failed

    Scheduled Pinned Locked Moved General pfSense Questions
    16 Posts 5 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      BossaOps @BossaOps
      last edited by

      @bossaops So, I think I've figured it out, I created the files in the shell, linked them as env variables.

      If you want to try, the command is this one (copy your certs into files):

      env LDAPTLS_CERT=goog.crt LDAPTLS_KEY=goog.key ldapsearch -ZZ -H ldaps://ldap.google.com:636 -b dc=yourdomain,dc=com '(mail=some.user@yourdomain.com)'
      
      

      and I get back this:

      ldap_start_tls: Can't contact LDAP server (-1)
              additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)
      

      So, for some reason pfsense is no longer happy with the cert, and I'm not sure where to import the CA...

      viktor_gV 1 Reply Last reply Reply Quote 0
      • viktor_gV
        viktor_g Netgate @BossaOps
        last edited by

        @bossaops Could you show cert info with openssl x509 -in goog.crt -text -noout ?
        You can redact your private cert info.

        B 2 Replies Last reply Reply Quote 0
        • B
          BossaOps @viktor_g
          last edited by BossaOps

          @viktor_g Nothing private, it's the client cert that you generate when creating an LDAP client in the google admin console.. easy enough to recreate if it's a seecurity issue.

           openssl x509 -in goog.crt -text -noout
          Certificate:
              Data:
                  Version: 3 (0x2)
                  Serial Number: 1566223926543 (0x16caa38850f)
                  Signature Algorithm: sha256WithRSAEncryption
                  Issuer: O = Google Inc., L = Mountain View, CN = LDAP Client, OU = GSuite, C = US, ST = California
                  Validity
                      Not Before: Aug 19 14:12:05 2019 GMT
                      Not After : Aug 18 14:12:05 2022 GMT
                  Subject: O = Google Inc., L = Mountain View, CN = LDAP Client, OU = GSuite, C = US, ST = California
                  Subject Public Key Info:
                      Public Key Algorithm: rsaEncryption
                          RSA Public-Key: (2048 bit)
                          Modulus:
                              00:a9:e5:6f:1b:b5:7e:66:8e:d0:27:b5:a1:25:11:
                              1f:66:6c:48:1e:e5:42:94:2b:12:e0:68:b5:95:5c:
                              f3:22:bd:1e:40:e7:31:d0:57:8d:68:96:ce:75:e0:
                              4a:ce:7b:7b:fe:09:73:bf:c4:00:4c:7a:53:98:f4:
                              6b:86:f7:aa:c3:2d:e9:8e:24:84:64:cc:74:11:96:
                              56:b9:6c:0b:e9:e5:47:be:70:0c:0d:68:94:62:e3:
                              23:97:44:4e:6b:5a:27:67:85:1e:8e:1f:d5:bc:ae:
                              0e:2f:8c:1f:69:f3:31:ba:90:05:57:a9:c8:02:ff:
                              d6:d4:00:21:60:5b:6d:2e:cb:ea:6f:d6:d2:e7:bd:
                              6a:f9:bb:c5:03:2d:df:5f:83:56:78:5d:7d:1d:22:
                              42:5d:93:ef:f6:b2:f2:d1:db:9f:21:0b:6e:7a:b6:
                              6a:47:aa:66:d3:2e:fb:1d:28:29:82:02:07:1e:3c:
                              85:17:11:bc:e9:fb:ef:84:78:da:be:37:e3:41:5a:
                              5c:58:86:5d:43:4a:40:1d:c1:83:83:2f:9f:78:88:
                              8f:8f:45:dd:ba:03:b2:9d:17:93:98:9a:3e:bd:cf:
                              3b:7b:e5:02:9d:bc:ec:b4:61:13:78:31:45:0e:1f:
                              e8:48:82:4c:af:dc:8e:86:ef:02:dd:f2:5c:62:34:
                              70:4f
                          Exponent: 65537 (0x10001)
              Signature Algorithm: sha256WithRSAEncryption
                   4f:a7:ea:60:ef:fb:94:ad:9b:3f:1c:5e:ec:fc:08:d8:8f:7b:
                   98:02:68:f3:a0:f1:af:f0:69:9a:c2:ef:cd:77:3c:46:68:3c:
                   e3:4e:81:f8:06:41:d8:3b:24:30:dc:2f:cc:cb:e2:86:1f:7f:
                   8c:07:1a:89:29:b3:f5:6a:5b:29:7d:5f:3f:89:ef:c5:4d:05:
                   53:93:c9:2e:38:69:81:ef:76:14:cb:97:29:a3:ce:8b:c9:fe:
                   ab:06:b5:df:a3:de:e8:a2:63:66:70:8b:7f:2c:67:af:4c:f6:
                   f8:b4:a5:ec:d9:db:2b:a2:d0:4e:10:c4:38:c9:e2:bf:6b:19:
                   40:10:58:b6:cc:d2:24:e3:2c:1b:e9:cf:a4:6e:72:3d:c7:14:
                   29:a6:59:84:0d:a8:5b:dc:d7:2f:20:96:77:e2:56:2c:7d:95:
                   6a:dc:c3:d0:4c:af:0f:1d:2b:8f:0b:ba:68:aa:6c:35:b9:cd:
                   9a:d5:70:c8:19:62:01:59:fa:30:a1:bd:01:9a:8d:d8:f1:a4:
                   ca:16:8c:22:96:58:eb:62:ac:55:92:97:cf:c9:de:67:4f:3b:
                   c7:40:14:20:48:b1:e0:c8:fc:ad:4c:d4:8e:47:b8:da:3c:1b:
                   05:3a:f1:34:97:b9:d2:36:0e:bf:2d:8d:1f:d6:45:70:88:8d:
                   dd:e6:29:56
          
          
          1 Reply Last reply Reply Quote 0
          • B
            BossaOps @viktor_g
            last edited by BossaOps

            @viktor_g So, one thing I'm wondering about is if the LDAP code in pfsense is compiled without SNI, as google specifically says :

            OpenSSL client/library does not support SNI (Server Name Indication)
            
            During the connectivity test, the following output might be returned:
            
            Verify return code: 18 (self signed certificate)
            
            The Secure LDAP service requires a TLS client that supports and initiates a TLS session using SNI (Server Name Indication). If the TLS client does not support SNI, then the TLS server (ldap.google.com) returns a self-signed certificate that will not pass CA validation checks, to indicate that SNI is required.
            
            

            I get the same error if I run ldapsearch without the certificate, and with the certificate included.. however running openssl s_client I get a fully qualfied cert and intermediate cert.

             echo | openssl s_client -showcerts -connect ldap.google.com:636
            CONNECTED(00000003)
            depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
            verify return:1
            depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
            verify return:1
            depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = ldap.google.com
            verify return:1
            ---
            Certificate chain
             0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = ldap.google.com
               i:C = US, O = Google Trust Services, CN = GTS CA 1O1
            -----BEGIN CERTIFICATE-----
            MIIFljCCBH6gAwIBAgIRAIoX7ziwr6xtAwAAAADLP4gwDQYJKoZIhvcNAQELBQAw
            QjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczET
            MBEGA1UEAxMKR1RTIENBIDFPMTAeFw0yMTAxMjYwODUzNTlaFw0yMTA0MjAwODUz
            NThaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
            Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgTExDMRgwFgYDVQQDEw9s
            ZGFwLmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI
            DsMlFHdqOF5oINuFWucHGB4tPn/e5+pCbILXIhTuysf6LX7/wx3UHgQFqk+xVF2D
            9jr9w3/4TvPhYwpSGV9zriL3HhIXdI7EDJk+glkkPbeJTjbU3VFN5bPFlQj2PzOk
            BhuPJYR21cOkAu/GrKcjY/CX/zNx2tyOs2vtmf/aJ3yI3J42lRemEc1VnFtM1BAl
            tx3vQ1dxyslANeBkLu5jV19uOdVSv/5PxzFPxb7Wb7NqrizAcnP+ZID0tKVVhNkp
            cu+iH9Eqt4zLyy2Day9XURLKVFacIbEzVuVRbvxtsFEICiUFiIxH7HGadVsWgP65
            SQOpnEH6niRDrQLcWUOlAgMBAAGjggJeMIICWjAOBgNVHQ8BAf8EBAMCBaAwEwYD
            VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUuYu8j9uF
            UDLGQiNrAlBYTB6ylX8wHwYDVR0jBBgwFoAUmNH4bhDrz5vsYJ8YkBug630J/Ssw
            aAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzABhh9odHRwOi8vb2NzcC5wa2kuZ29v
            Zy9ndHMxbzFjb3JlMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2cvZ3NyMi9H
            VFMxTzEuY3J0MBoGA1UdEQQTMBGCD2xkYXAuZ29vZ2xlLmNvbTAhBgNVHSAEGjAY
            MAgGBmeBDAECAjAMBgorBgEEAdZ5AgUDMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6
            Ly9jcmwucGtpLmdvb2cvR1RTMU8xY29yZS5jcmwwggEFBgorBgEEAdZ5AgQCBIH2
            BIHzAPEAdwD2XJQv0XcwIhRUGAgwlFaO400TGTO/3wwvIAvMTvFk4wAAAXc+HT/v
            AAAEAwBIMEYCIQC7cv324GDRYdeRJ0Befkpg+HtRQliMsG5GwE20hRS/1wIhAJAc
            knuz/JvQYkWoeZuNIN8nlyIJgihBhFmuamTfc8tXAHYARJRlLrDuzq/EQAfYqP4o
            wNrmgr7YyzG1P9MzlrW2gagAAAF3Ph1AKwAABAMARzBFAiEAyMzXk/cGMvCDP44J
            djHjmB31Xxk05WbTO43FXL2kS8oCIAzWIM2Ci0XSrAp8ggGcnvV6gWfk1MTwtdPx
            sS9iet3FMA0GCSqGSIb3DQEBCwUAA4IBAQBA8iajNZTnWSG4sMaCwe7H5pIqXmdp
            aPSB7O+kz47sgXmNvHxKDYKImRwNy0pOOozk7FoGclSn3uN4gez97cpKvmS3cigL
            PcWI7yAr0AliiEryl+MG6K4dRgw3ndTMdPoRU7D+UScHxKdGXM4sp2+259gSRsFo
            T89mXnjdNScYqxfbvC0eGOYZ3ubST8PxyvP7S+iRm4pyi7/47N6BW/HkPRfd8JOS
            zuUrhPsvSE/CgNZBBpMLLQhk+HWStQz+2JaRUo7lYTiITz/YJUMeT2CjbI5UPFjG
            WdB9MzyTemh66KlfM8HF6ZXyJqYW8AnfGi4xJ6/kA5+T/X0wA4uHxBsS
            -----END CERTIFICATE-----
             1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
               i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
            -----BEGIN CERTIFICATE-----
            MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
            HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
            U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
            MTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
            U2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUA
            A4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnv
            UA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRr
            mBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++Ac
            xGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmK
            FsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7X
            rJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNV
            HQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1Ud
            EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8G
            A1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAl
            BggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzAp
            MCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0g
            BDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9y
            ZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7H
            TgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoN
            FvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrz
            mqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wW
            IRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZ
            USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==
            -----END CERTIFICATE-----
            ---
            Server certificate
            subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = ldap.google.com
            
            issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1
            
            ---
            No client certificate CA names sent
            Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
            Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512
            Peer signing digest: SHA256
            Peer signature type: RSA-PSS
            Server Temp Key: X25519, 253 bits
            ---
            SSL handshake has read 3062 bytes and written 429 bytes
            Verification: OK
            ---
            New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
            Server public key is 2048 bit
            Secure Renegotiation IS NOT supported
            Compression: NONE
            Expansion: NONE
            No ALPN negotiated
            Early data was not sent
            Verify return code: 0 (ok)
            ---
            DONE
            
            
            1 Reply Last reply Reply Quote 0
            • A
              assitenzatecnicaistituto
              last edited by

              Thanks BossaOps, I'm not exactly an expert, it was easy enough to do.
              So there's no way to fix it?

              B 2 Replies Last reply Reply Quote 0
              • viktor_gV
                viktor_g Netgate
                last edited by

                Could you check /var/log/system.log for LDAP bind errors?

                pfSense PHP version supports SNI:
                OPENSSL_TLSEXT_SERVER_NAME = true
                see https://www.php.net/manual/en/openssl.constsni.php
                and ldapsearch is not used for it

                Redmine issue created: https://redmine.pfsense.org/issues/11626

                B 2 Replies Last reply Reply Quote 0
                • B
                  BossaOps @assitenzatecnicaistituto
                  last edited by

                  @assitenzatecnicaistituto I think it's going to take a little while to understand what changed, it should be solvable.

                  1 Reply Last reply Reply Quote 0
                  • B
                    BossaOps @viktor_g
                    last edited by

                    @viktor_g just that same old error I always get:

                    4 11:23:19 office-gateway php-fpm[35209]: /diag_authentication.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials.
                    
                    

                    Same thing more or less in auth.log

                    Feb 24 17:12:58 office-gateway openvpn[345]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials.
                    Mar  2 11:02:41 office-gateway php-fpm[96371]: /diag_authentication.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials.
                    
                    

                    Is there any way to get a more complete error from that code? I had to add --ZZ to ldapsearch to get it to state what the error was, it would be nice to understand which of the many reasons the connection fails. As an aside, Cloud Identity LDAP does not actually use the bind credentials (you can connect without them). They will use them if the client insists on sending them.

                    Why do I need both a certificate and access credentials to authenticate LDAP clients?
                    
                    Only the certificate authenticates the LDAP client. The access credentials only exist if the client insists upon also sending a username and password. On their own, the access credentials don’t confer any access to the LDAP server or user data, but they should be kept secret to prevent them from being used to log in to certain LDAP clients.
                    
                    In the case where an LDAP client requires access credentials, we authenticate LDAP clients with both certificates and access credentials.
                    
                    1 Reply Last reply Reply Quote 0
                    • B
                      BossaOps @viktor_g
                      last edited by BossaOps

                      @viktor_g I guess your bug tracker is private, but I'd really like to inform Jim P that

                      1. Cloud Identity LDAP stopped working only when we upgraded to 2021.02
                      2. Services that are using connections to the same directory continue to run without issue so a google change is not the most likely culprit.
                      3. If you set up the stunnel part per this: https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html it works.
                      1 Reply Last reply Reply Quote 1
                      • B
                        BossaOps @assitenzatecnicaistituto
                        last edited by

                        @assitenzatecnicaistituto Actually, if you set up the stunnel package as per this page: https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html#install-the-stunnel-pfsense-package-ce-or-2-4-4-release

                        and configure it as indicated, the LDAP works again.

                        A R 2 Replies Last reply Reply Quote 1
                        • A
                          assitenzatecnicaistituto @BossaOps
                          last edited by

                          @bossaops thanks! You save me..

                          B 1 Reply Last reply Reply Quote 0
                          • B
                            BossaOps @assitenzatecnicaistituto
                            last edited by

                            @assitenzatecnicaistituto Piacere mio!

                            1 Reply Last reply Reply Quote 0
                            • R
                              racecarr @BossaOps
                              last edited by

                              @bossaops Thank you for providing this as a work around. Worked for my organization, as well. Hard to believe that NetGate would release an update that breaks existing functionality and not provide some notice about the fix.
                              I upgraded yesterday from 2.4.5 to 21.02.2 and the LDAP connection to Google IdP that had been working for almost a year instantly broke.
                              Switched to using stunnel as you suggested and we're back in business.

                              1 Reply Last reply Reply Quote 0
                              • A
                                Albertopfsense
                                last edited by

                                good morning
                                i have the same problem
                                this is last row of error report
                                69034 /diag_authentication.php: ERROR! Could not bind to LDAP server Google. Please check the bind credentials.
                                Jul 20 18:51:20 stunnel 69347 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
                                Jul 20 18:51:20 stunnel 69347 LOG3[0]: SSL_accept: /build/ce-crossbuild-252/sources/FreeBSD-src/crypto/openssl/ssl/record/rec_layer_s3.c:1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
                                Jul 20 18:51:20 stunnel 69347 LOG6[0]: Peer certificate not required
                                Jul 20 18:51:20 stunnel 69347 LOG5[0]: Service [Google] accepted connection from 127.0.0.1:50399
                                Jul 20 18:50:45 stunnel 67696 LOG5[ui]: Switched to chroot directory: /var/tmp/stunnel
                                Jul 20 18:50:45 stunnel 67696 LOG5[ui]: Configuration successful

                                what can i try to test the ldap functionality ?
                                thanks Alberto

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.