LDAP worked in 2.3, broke in 2.4 - ssl issue?



  • Hey folks,

    First as background, I'm using an external LDAP provider with no access to the server itself or logs. (and if that sounds crazy, I'll be able to explain in the near future. Imagine a cloud-based directory service…)

    This worked fine in 2.3. I upgraded to 2.4 and now we get the "cannot bind..." error.

    I suspect, as another user discovered and shared on a reddit post, this may be an SSL error.

    The LDAP provider's cert is a wildcard cert. So ldap.foo.bar uses *.foo.bar.

    Foo.bar is issued through a trusted root authority.

    I've tried pulling down every cert in the chain using:

     openssl s_client -connect ldap.foo.bar:636 -showcerts

    I've also tried concat'ing everything together and using that in the LDAP setup in PF. Neither works.

    Anyone have any troubleshooting tips or ideas?


  • Rebel Alliance Developer Netgate

    I'm not sure what might have changed there, since LDAP should have failed before with that config as well (unless you imported the root CA and all intermediates).

    I added a fix on 2.4.2 last week to choose the global root CA list for these situations: https://redmine.pfsense.org/issues/8044



  • Thanks Jimp!

    Quick note to close (for now) the loop on this thread…

    I've reproduced the problem with my own local LDAP server and can confirm the suggested fix works (in that instance).

    Using

      openssl s_client -connect ldap.foo.bar:636 -showcerts

    I was able to pull each individual cert and try each one in the LDAP config until I found the intermediate that worked :)

    I still have an issue with a remote LDAP server that is out of my control (so I can't view its logs, etc.) where that trick is not working…but it's a beta service (from a big, huge giant of identity services) and I suspect we'll learn more as we continue to test with them. In the meantime, they've provided a nice proxy service as a workaround.



  • Hello there,

    I'm jumping on this thread (I hope it's OK for me to do so) because I'm encountering the same behavior even with the latest update.
    My LDAP is using a Let's Encrypt certificate generated by Acme on my pfSense. The LDAP is an OpenLDAP hosted on a NethServer.
    I'm unable to bind using SSL/STARTTLS.
    I searched online for how to get more logs on the pfSense, but all I found was a patch for 2.3.
    Could someone have a look at my issue, or should I open a different topic?

    Please let me know how I can be useful.

    Regards,


  • Rebel Alliance Developer Netgate

    If it is this issue, then you must upgrade to pfSense 2.4.2 or later. Once you are on 2.4.2, you can edit the LDAP server entry on pfSense and, for the Peer Certificate Authority, set it to Global Root CA List.

    You might also have to go to the console/ssh and use options 16 and then 11 to make PHP pick up that change; PHP's LDAP code caches some things weirdly.

    If that doesn't fix it, start a new thread.



  • @jimp:

    If it is this issue, then you must upgrade to pfSense 2.4.2 or later. Once you are on 2.4.2, you can edit the LDAP server entry on pfSense and, for the Peer Certificate Authority, set it to Global Root CA List.

    This is a great fix BTW!
    Fingers crossed that it migrates to FreeRADIUS package too :)

