-
@adamw Could you provide more info about your pfSense LDAP configuration and LDAP schema?
It works fine for me with Windows AD / FreeIPA LDAP authentication.
-
@marcio-oliveira Many other issues have appeared when in the upgrade to the latest version. So, the quick solution was to downgrade to the latest stable version.
-
@adamw Hi, I fixed unchecked "Extended Query" on System > User Manager > Authentication Servers \0/
-
Not a good solution, I need to use my extended query.
-
@adamw did you tried?I need to use my query too. When I disabled this option my query begin work.
-
@marcio-oliveira
No, I haven't tried going live with it.All I have verified is my LDAP authentication test (/diag_authentication.php) on a spare firewall started passing after unchecking "extended query".
Are you saying that even after unchecking the box my extended query (memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk) will still be applied and honoured?
-
@adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):
No, I haven't tried going live with it.
All I have verified is my LDAP authentication test (/diag_authentication.php) on a spare firewall started passing after unchecking "extended query".
Are you saying that even after unchecking the box my extended query (memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk) will still be applied and honoured?Yes, I'm!
-
I've messaged you my settings in a chat.
They have clearly been some changes here between 2.4.5-p1 and 21.02.2 that are causing this.
New settings or defaults perhaps?
When I add an authentications server in 2.4.5-p1 and 21.02.2 side by side I can see the following additions:
- Shell Authentication Group DN
- Allow unauthenticated bind
-
Last night our old 2.4.5-p1 firewall send the following message (which I have never seen before):
Notifications in this message: 1 ================================ 3:01:00 The following CA/Certificate entries are expiring: Certificate Authority: LDAP ca-certificates samba (5c87911d15f99): Expired 2010 days ago Certificate: webConfigurator default (386d44fb99181): Expired 5796 days agoWe have always used port 389 for LDAP authentication.
Did the firewall swap attempt that trigger it? Is this related to our issue?
-
@adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):
Last night our old 2.4.5-p1 firewall send the following message (which I have never seen before):
Notifications in this message: 1 ================================ 3:01:00 The following CA/Certificate entries are expiring: Certificate Authority: LDAP ca-certificates samba (5c87911d15f99): Expired 2010 days ago Certificate: webConfigurator default (386d44fb99181): Expired 5796 days agoWe have always used port 389 for LDAP authentication.
Did the firewall swap attempt that trigger it? Is this related to our issue?
Is this a Netgate appliance?
Please update to the latest pfSense version or apply patch from the https://redmine.pfsense.org/issues/11504 -
@adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):
I've messaged you my settings in a chat.
I'll check it,
but nothing special at first glance..They have clearly been some changes here between 2.4.5-p1 and 21.02.2 that are causing this.
New settings or defaults perhaps?
When I add an authentications server in 2.4.5-p1 and 21.02.2 side by side I can see the following additions:
- Shell Authentication Group DN
Related to "LDAP authentication for SSH users":
https://redmine.pfsense.org/issues/8698- Allow unauthenticated bind
MS AD issue(feature?)
See https://redmine.pfsense.org/issues/9909 -
Yes, we have 3 x Netgate SG-3100. TBH I didn't realise the CPU was 32 bit, not 64.
I think I'll wait with an update as it doesn't cause any practical issues and only sends that alert. I was just wondering if it's directly related but seems like it's not.
-
Still an issue in 22.01 (pfSense+). The same workaround applies i.e. turning off "Extended Query" in LDAP authentication.
Still not ideal since it doesn't allow fine grain control over which AD users are allowed to use OpenVPN service.Has anybody come up with a better workaround?
Would it make sense to use Client Specific Overrides option for access restriction?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.