Netgate Discussion Forum
    2.3.2 LDAPS ldap_get_groups() error

    ovprit:

      I'm having trouble with Active Directory LDAPS on pfSense 2.3.2. We recently upgraded our domain from 2003 to 2008 and switched the LDAPS authentication server as well. Previously LDAPS worked with a self-signed certificate on the old 2003 server. We generated a new self-signed certificate on the new AD server and put it into the certmanager. The only settings changed in the Authentication Servers section are the hostname and the certificate. pfSense is now generating the following errors and LDAP users cannot log in.

      When doing a test connection:
      Attempting connection to ldapserver.example.com OK
      Attempting bind to ldapserver.example.com failed

      In the System-General log file:
      ERROR! ldap_get_groups() could not bind to server ldapserver.example.com (Can't contact LDAP server).

      As a test, I tried the connection over port 389 with "TCP - Standard connection" and it works correctly. Bind is successful and all the users/groups can connect.

      I've verified the self-signed certificate is correct, the CN value matches the hostname, etc. I've tested the LDAPS connection with another linux server using both ldapsearch and apache2 authentication successfully, so the certificate is correct and LDAPS working from other systems.

      Here are the Authentication Servers settings on pfSense with anonymized values. Any advice or suggestions are appreciated!

      LDAP Settings
      Hostname: ldapserver.example.com
      Port value: 636
      Transport: SSL Encrypted
      Protocol version: 3
      Server Timeout: 10
      Base DN: DC=example,DC=com
      Authentication containers: OU=IT,OU=People,DC=example,DC=com
      Extended query: Unchecked
      Bind anonymous: Unchecked
      Bind credentials: CN=LDAP User,CN=Users,DC=example,DC=com
      User naming attribute: sAMAccountName
      Group naming attribute: memberOf
      Group member attribute: memberOf
      RFC 2307 Groups: Unchecked
      Group Object Class: posixGroup
      UTF8 Encode: Unchecked
      Username Alterations: Unchecked

      jimp (Rebel Alliance Developer, Netgate):

        Is the CN of the new server cert ldapserver.example.com ?

        Read all the requirements here:
        https://doc.pfsense.org/index.php/LDAP_Troubleshooting#Connection-Related_Issues_.28SSL.29

        ovprit:

          Thank you for the reply. Here's an update to my further troubleshooting.

          I ran a packet capture from pfSense and got back the following error info:
          TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

          Running openssl s_client returns the following:

          $ openssl s_client -showcerts -CAfile ldapserver.crt -connect ldapserver.example.com:636
          
          CONNECTED(00000004)
          depth=0 CN = ldapserver.example.com
          verify error:num=20:unable to get local issuer certificate
          verify return:1
          depth=0 CN = ldapserver.example.com
          verify error:num=21:unable to verify the first certificate
          verify return:1
          ---
          Certificate chain
           0 s:/CN=ldapserver.example.com
             i:/CN=ldapserver.example.com
          -----BEGIN CERTIFICATE-----
          <cert data omitted>
          -----END CERTIFICATE-----
          ---
          Server certificate
          subject=/CN=ldapserver.example.com
          issuer=/CN=ldapserver.example.com
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 1699 bytes and written 485 bytes
          ---
          New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
          Server public key is 2048 bit
          Secure Renegotiation IS supported
          Compression: NONE
          Expansion: NONE
          SSL-Session:
              Protocol  : TLSv1.2
              Cipher    : ECDHE-RSA-AES256-SHA384
              Session-ID: 9536000097F48FE649EBE595DEEA67A9FEDBF16E4F3E7BA5171DF6E60A2A093E
              Session-ID-ctx:
              Master-Key: 77E1BA1131AABA69DF2BBB01171779E5FF979CE538E0FBCE2CAE3BF9B6445ED72E00170B3FCA9693F67357DEC274F049
              Key-Arg   : None
              PSK identity: None
              PSK identity hint: None
              SRP username: None
              Start Time: 1471367240
              Timeout   : 300 (sec)
              Verify return code: 21 (unable to verify the first certificate)

          I've verified that:

          • The AD server is open on port 636 to the pfsense host
          • The cert contains the correct CN and DNS subject alt names
          • The cert contains the Enhanced Key Usage extension Server Authentication (1.3.6.1.5.5.7.3.1)
          • A windows machine using LDP.exe with the same imported cert can connect to the AD server over 636, bind, and do an ldap search returning the expected results

          The ldp.exe result has convinced me this is a pfSense problem, as I'm able to connect to ldapserver.example.com with the same self-signed cert via LDAPS using numerous other machines and services.

          One of the suggestions I saw elsewhere is "to import the self-signed cert into the CA certs directory on pfsense", but I'm not sure where that directory is. Any suggestions?

          gek:

            Guys, I'm really sorry for my English :'(

            @jimp:

            Is the CN of the new server cert ldapserver.example.com ?

            Read all the requirements here:
            https://doc.pfsense.org/index.php/LDAP_Troubleshooting#Connection-Related_Issues_.28SSL.29

            Hostname Required

            When connecting to LDAP with SSL, the hostname given for the server is also used to verify the server certificate. The server certificate's common name must be its hostname, and that hostname must resolve to the LDAP server's IP address, e.g. CN=ldap.example.com, and ldap.example.com is 192.168.1.5.

            Let me ask a small thing: does it mean that the CommonName of the CA's root certificate must match the FQDN of the machine on which the CA is deployed?

            I decided to try LDAPS authentication after upgrading to v2.3 and I'm confused now.
            I have a Windows 2008 R2 server with DNS+AD+CA (called $computer hereinafter). Authentication from pfSense over LDAPS works!... then does not work... then works again; I cannot understand why it happens.

            The CommonName of my CA's root certificate does not match the FQDN of the computer,
            BUT I had a successful LDAP container tree request over TLS, and the authentication test in Diagnostics passed (I captured it with Wireshark on the computer). Then some time passes and it does not work (exactly the same issue as ovprit: the same error in the Wireshark capture and the same openssl s_client -connect output). The difference is:
            when I type openssl s_client -showcerts -connect dc.local.domain:636
            the answer is:

            CONNECTED(000000004)
            ---
            Certificate chain
            0 s:/CN=dc.local.domain
              i:/DC=domain/DC=local/CN=local-DC-CA  #stupid mistake, agreedisagree
            -----BEGIN CERTIFICATE-----
            <cert data omitted>
            -----END CERTIFICATE-----
            Server certificate
            subject=/CN=dc.local.domain
            issuer=/DC=domain/DC=local/CN=local-DC-CA

            To make it work I do silly things like this: I've created two authentication servers in pfSense, local.domain (old) and test (new).

            Authentication Servers => test (settings like ovprit's, besides the server address) => Select a container => "Could not connect to the LDAP server. Please check the LDAP configuration" at the bottom of the page.

            => change Transport to "TCP - Standard" => Select a container (the tree appears; I see the captured raw LDAP requests in Wireshark on computer:389) => Save.

            => Authentication Servers => local.domain (settings like ovprit's) => change Transport to "TCP - Standard" => Save.

            => Authentication Servers => test (settings like ovprit's, but Transport is TCP) => change Transport to "SSL - Encrypted" => Select a container (the tree appears and I can see a good TLS session in Wireshark on computer:636) => Save.
            Now the authentication test in Diagnostics succeeds and I can see the TLS session in Wireshark.

            But after some time has gone by, it breaks down and voila! I have the same issue as ovprit.

            Update #1
            I don't know why it worked before. What I've done:
            1. Imported the ROOT CA public certificate without the private key
            2. Chose it in Authentication Servers => edit server => Peer Certificate Authority
            3. Profit? :S The Authentication Server saved and the test passed.

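As an added example (not from this thread and not pfSense code), the following Python parses `openssl s_client` output like the two transcripts above and reports which trust anchor has to be imported as the Peer Certificate Authority: the server certificate itself when it is self-issued (ovprit's case, subject equals issuer), or the issuing CA's public root certificate when the leaf is chained to an enterprise CA (gek's case). The sample outputs are constructed from the transcripts; `parse_dn` and `diagnose` are hypothetical helper names.

```python
import re

# Constructed samples, trimmed from the two `openssl s_client` transcripts in this thread.
SELF_SIGNED_OUTPUT = """CONNECTED(00000004)
Server certificate
subject=/CN=ldapserver.example.com
issuer=/CN=ldapserver.example.com
    Verify return code: 21 (unable to verify the first certificate)
"""

ENTERPRISE_CA_OUTPUT = """CONNECTED(00000004)
Server certificate
subject=/CN=dc.local.domain
issuer=/DC=domain/DC=local/CN=local-DC-CA
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_dn(dn):
    """Parse OpenSSL's legacy '/CN=x/DC=y' DN syntax into {attribute: [values]}."""
    out = {}
    for rdn in filter(None, dn.strip().split("/")):
        key, _, value = rdn.partition("=")
        out.setdefault(key.strip(), []).append(value.strip())
    return out

def diagnose(output, hostname):
    """Explain an s_client verify failure in terms of the trust anchor that is missing."""
    subject = parse_dn(re.search(r"^subject=(.*)$", output, re.M).group(1))
    issuer = parse_dn(re.search(r"^issuer=(.*)$", output, re.M).group(1))
    code = int(re.search(r"Verify return code: (\d+)", output).group(1))
    subject_cn = subject.get("CN", [""])[0]
    result = {
        "subject_cn": subject_cn,
        "issuer_cn": issuer.get("CN", [""])[0],
        "self_signed": subject == issuer,
        "verify_code": code,
        # pfSense checks the configured hostname against the CN; SANs are not in this output.
        "hostname_ok": subject_cn.lower() == hostname.lower(),
    }
    if code == 0:
        result["trust_anchor"] = "already trusted"
    elif subject == issuer:
        # Self-issued leaf: the only certificate that can vouch for it is the leaf itself.
        result["trust_anchor"] = "the server certificate itself"
    else:
        # Leaf issued by a CA: that CA's public root certificate must be the anchor.
        result["trust_anchor"] = "root certificate of " + result["issuer_cn"]
    return result
```

Feed it the full `-showcerts` output from a real connection and compare `hostname_ok` and `trust_anchor` with what is configured on the Authentication Servers page.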