pfsense authentication server ldaps / wildcard problem
-
I think I have covered everything that is mentioned here https://docs.netgate.com/pfsense/en/latest/troubleshooting/authentication.html#Debugging_LDAP
-
Now I'm trying to wrap my head around this https://github.com/pfsense/pfsense/blob/master/src/etc/inc/auth.inc to understand where the checks are actually made.
-
I think I have verified that the "Entrust Certification Authority - L1K" is not in /usr/local/share/certs/ca-root-nss.crt. Hence the Global CA list will never work with the Entrust certs. Choosing any of the intermediates in the chain does not work either, as explained in the previous posts.
-
So really, any discussion or commentary would be appreciated here.
-
Is it appropriate to say I would gladly pay a 100€ "bounty" if this could be fixed?
-
@tsmalmbe Please create a detailed bug report:
https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html
-
@viktor_g It is here https://redmine.pfsense.org/issues/11332
-
There aren't enough details here yet to say what the problem is for sure. But your best bet is to use a 2.5.0 snapshot.
Import the chain into 2.5.0, and for the root and intermediates, check the box that adds them to the trust store.
The PHP LDAP code is cranky sometimes, but that can help. Also, when debugging, after any change in the LDAP settings, open a console menu and run option 16 then option 11.
If none of that helps, I'm not sure there is anything we can do to fix it -- it could be a problem in PHP LDAP itself.
We've also recently found that some things won't trust wildcard certificates on purpose, so you might try a server cert with only the SAN for the hostname if you can.
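The wildcard remark above is the part worth checking concretely: a certificate whose only SAN is `*.example.com` is accepted by a client that applies the usual wildcard rules and refused by one that does not accept wildcards at all, while a certificate that also carries the exact host name passes both. The following is an added example, not code from this thread, from pfSense or from PHP's LDAP extension; it implements the conservative RFC 6125 §6.4.3 matching rules in plain Python so the two policies can be compared side by side. The host name `ldap.example.com`, the SAN lists and the function names are constructed for illustration.

```python
"""
Hostname matching against certificate SAN dNSName entries, written to show why
a wildcard server certificate can pass one client and be refused by another.

Added example; not code from the forum thread or from pfSense/PHP LDAP.
Host names and SAN lists used here are constructed for illustration.
"""


def _label_matches(pattern: str, label: str, allow_wildcard: bool) -> bool:
    """Compare one DNS label from the certificate against one from the host name."""
    if pattern == "*":
        # A bare '*' label matches exactly one label, and only if the caller
        # permits wildcards at all (some clients refuse them outright).
        return allow_wildcard
    # Conservative RFC 6125 reading: no partial wildcards such as 'ld*', and
    # '*' is accepted only as a whole label, so anything else is a literal compare.
    return "*" not in pattern and pattern == label


def dns_name_matches(pattern: str, hostname: str, allow_wildcard: bool = True) -> bool:
    """Return True if a single SAN dNSName pattern matches hostname.

    Rules applied (the stricter RFC 6125 section 6.4.3 reading, which is what
    a client that is cautious about wildcards enforces):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is only accepted as the entire left-most label;
      * '*' matches exactly one label, so '*.example.com' covers neither
        'example.com' nor 'a.b.example.com';
      * the wildcard must leave at least two literal labels ('*.com' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in p_labels[1:]:
        return False  # a wildcard is only allowed in the left-most label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # '*.com' would cover an entire top-level domain
    return all(_label_matches(p, h, allow_wildcard) for p, h in zip(p_labels, h_labels))


def cert_matches_host(san_dns_names, hostname, allow_wildcard=True):
    """True if any SAN dNSName entry covers hostname under the chosen policy."""
    return any(dns_name_matches(n, hostname, allow_wildcard) for n in san_dns_names)


def explain(san_dns_names, hostname):
    """Report how a wildcard-tolerant client and a wildcard-refusing client each judge the cert."""
    return {
        "permissive": cert_matches_host(san_dns_names, hostname, allow_wildcard=True),
        "no_wildcards": cert_matches_host(san_dns_names, hostname, allow_wildcard=False),
    }


if __name__ == "__main__":
    host = "ldap.example.com"  # constructed host name
    # Constructed SAN lists: wildcard only, and wildcard plus the exact host name.
    for san in (["*.example.com"], ["*.example.com", "ldap.example.com"]):
        print(san, "->", explain(san, host))
```

The practical reading of the output is the same advice the post gives: when the LDAP server's certificate can be reissued, include the exact host name that pfSense is configured to connect to as a SAN, and then the result does not depend on whichever wildcard policy the PHP LDAP client happens to apply. Run the script directly to see both policies evaluated against the two constructed SAN lists.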
-
@jimp Okay, thanks for the input. I don't have the possibility to (easily) set up a test environment with a new version of the software, so I will have to test this once there is a release available.
-
An update to this - there has been no change/improvement to this with 2.5.0 nor 2.5.1.