Unable to authenticate users over authentication server LDAP (upgrade 2.5.0)
-
Hi there,
I've been set up an LDAP authentication server for remote user authentication (OpenVPN users). Everything worked fine on 2.4.4 and 2.4.5 versions.
Once I upgrade to version 2.5.0, my authentications server does not work anymore. I was testing with LDAPS and LDAP (389) and fails too.I use LDAPS authentication against Microsoft AD (port 636). I was testing my LDAPS configuration with other tools (e.g. apache management studio) and works fine.
Anyone with a similar issue, or could help me with this issue?
Thanks!
-
@marco-aurelio-costa Did you fix it? I'm having the same problem?
-
@marco-aurelio-costa Hi, I fixed unchecked "Extended Query" on System > User Manager > Authentication Servers \0/
-
@marco-aurelio-costa You could try to apply Patch ID be444914b22fd4722c9df1e1139b6e2d7d1618b9
-
Having same LDAP authentication issue after upgrading from 2.4.5-p1 to 21.02.2:
May 5 08:12:14 pfsense openvpn[78072]: user 'user1' could not authenticate.
Unchecking "Extended Query" also does the trick for me in a sense of /diag_authentication.php test passing (which otherwise fails).
Not a real solution though as in my "Extended Query" I require for a user to be a member of a specific group in order to use OpenVPN:
memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk
What's the bottom line of this? A bug? Missing functionality? Is it expected to start working in the next 21.x release?
-
@adamw Could you provide more info about your pfSense LDAP configuration and LDAP schema?
It works fine for me with Windows AD / FreeIPA LDAP authentication.
-
@marcio-oliveira Many other issues have appeared when in the upgrade to the latest version. So, the quick solution was to downgrade to the latest stable version.
-
@adamw Hi, I fixed unchecked "Extended Query" on System > User Manager > Authentication Servers \0/
-
Not a good solution, I need to use my extended query.
-
@adamw did you tried?I need to use my query too. When I disabled this option my query begin work.
-
@marcio-oliveira
No, I haven't tried going live with it.All I have verified is my LDAP authentication test (/diag_authentication.php) on a spare firewall started passing after unchecking "extended query".
Are you saying that even after unchecking the box my extended query (memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk) will still be applied and honoured?
-
@adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):
No, I haven't tried going live with it.
All I have verified is my LDAP authentication test (/diag_authentication.php) on a spare firewall started passing after unchecking "extended query".
Are you saying that even after unchecking the box my extended query (memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk) will still be applied and honoured?Yes, I'm!
-
I've messaged you my settings in a chat.
They have clearly been some changes here between 2.4.5-p1 and 21.02.2 that are causing this.
New settings or defaults perhaps?
When I add an authentications server in 2.4.5-p1 and 21.02.2 side by side I can see the following additions:
- Shell Authentication Group DN
- Allow unauthenticated bind
-
Last night our old 2.4.5-p1 firewall send the following message (which I have never seen before):
Notifications in this message: 1 ================================ 3:01:00 The following CA/Certificate entries are expiring: Certificate Authority: LDAP ca-certificates samba (5c87911d15f99): Expired 2010 days ago Certificate: webConfigurator default (386d44fb99181): Expired 5796 days ago
We have always used port 389 for LDAP authentication.
Did the firewall swap attempt that trigger it? Is this related to our issue?
-
@adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):
Last night our old 2.4.5-p1 firewall send the following message (which I have never seen before):
Notifications in this message: 1 ================================ 3:01:00 The following CA/Certificate entries are expiring: Certificate Authority: LDAP ca-certificates samba (5c87911d15f99): Expired 2010 days ago Certificate: webConfigurator default (386d44fb99181): Expired 5796 days ago
We have always used port 389 for LDAP authentication.
Did the firewall swap attempt that trigger it? Is this related to our issue?
Is this a Netgate appliance?
Please update to the latest pfSense version or apply patch from the https://redmine.pfsense.org/issues/11504 -
@adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):
I've messaged you my settings in a chat.
I'll check it,
but nothing special at first glance..They have clearly been some changes here between 2.4.5-p1 and 21.02.2 that are causing this.
New settings or defaults perhaps?
When I add an authentications server in 2.4.5-p1 and 21.02.2 side by side I can see the following additions:
- Shell Authentication Group DN
Related to "LDAP authentication for SSH users":
https://redmine.pfsense.org/issues/8698- Allow unauthenticated bind
MS AD issue(feature?)
See https://redmine.pfsense.org/issues/9909 -
Yes, we have 3 x Netgate SG-3100. TBH I didn't realise the CPU was 32 bit, not 64.
I think I'll wait with an update as it doesn't cause any practical issues and only sends that alert. I was just wondering if it's directly related but seems like it's not.
-
Still an issue in 22.01 (pfSense+). The same workaround applies i.e. turning off "Extended Query" in LDAP authentication.
Still not ideal since it doesn't allow fine grain control over which AD users are allowed to use OpenVPN service.Has anybody come up with a better workaround?
Would it make sense to use Client Specific Overrides option for access restriction?