Netgate Discussion Forum

    2.4.4_2 ldap with ssl failure

    Problems Installing or Upgrading pfSense Software
    7 Posts 2 Posters 1.1k Views
    streetsfinest

      Hi @ all,

      The new version 2.4.4_2 seems to have an issue with the LDAP SSL connection and an Active Directory backend. I got the following output after the update from 2.4.4_1 to 2.4.4_2:

      [screenshot: LDAP Fehler.PNG]

      In the system logs I see the following message:

      Jan 8 14:51:56 	php-fpm 	950 	/index.php: ERROR! Could not bind to LDAP server dc01. Please check the bind credentials. 
      

      Without using SSL there is no issue!
      On my other cluster node, which still has version 2.4.4_1, everything works well.
      Is there anybody who has a clue what the problem is?
      If not, I might have discovered a bug ...

      jimp (Rebel Alliance Developer, Netgate)

        Nothing changed in LDAP between -p1 and -p2, so that should all work the same.

        Can you check the AD logs to see what it believes the problem may be?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        streetsfinest @jimp

          @jimp
          Here is the event log entry from the domain controller:

          unknown_ca
          Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. This message is always fatal.
          

          [screenshot: 0eaae254-05b5-422b-afa7-27c6df2089f7-grafik.png]

          I have not changed any certificate or CA in the pfSense webGUI. When I use the older version everything works very well.

          streetsfinest

            Any ideas?

            jimp (Rebel Alliance Developer, Netgate)

              Nothing changed in the SSL or CA setup on -p2 either. My TLS LDAP setup is still functioning, even on 2.4.5 snapshots.

              Do you have the correct CA chosen for the LDAP certificate in the LDAP server settings? I am using an LE cert on my LDAP server, so I use the Global Root CA List choice.

              If you make a change to the LDAP SSL settings, it's a good idea to use options 16 then 11 in the console (ssh or video/serial) to ensure PHP gets the environment setup properly.


              streetsfinest @jimp

                @jimp
                I will reimport the Root CA chain. What about the LDAP log patch that you created:

                [screenshot: 80cf8c3d-d292-4255-9ab2-8adac1ef6ac5-grafik.png]

                Is it still working with 2.4.4?
                I got the following error:

                [screenshot: 51aec805-519a-416c-85ad-09944c85f26a-grafik.png]

                jimp (Rebel Alliance Developer, Netgate)

                  No, that patch doesn't work. I haven't looked into turning that on in recent versions, that patch is super old.

                  A packet capture of the exchange should show you the certificates being sent between client and server.


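The "unknown_ca" entry the domain controller logged is the TLS alert the server raises when the client's certificate verification fails against the CA it has configured, which is exactly the "correct CA chosen for the LDAP certificate" question and the "look at the certificates being sent" suggestion in the two replies above. The following shell script is an added example, not pfSense, Netgate or Microsoft code: it wraps the openssl commands a firewall administrator can run from the console to print the chain an LDAPS server presents and to verify a server certificate against a chosen CA file, and it includes a constructed demonstration that builds a throwaway CA, issues a server certificate from it, and shows the verification succeeding against the issuing CA and failing against an unrelated one. It assumes the openssl command-line tool is installed; the host name dc01.example.test and all certificates are constructed placeholders.

```shell
#!/bin/sh
# Added example (not pfSense or Netgate code): inspect and verify an LDAPS
# server's certificate chain with the openssl CLI. Assumes openssl is installed.
# Host names and certificates below are constructed placeholders.

# verify_chain CERT_PEM CA_PEM
# Exit 0 only if CERT_PEM chains to a CA contained in CA_PEM, which is what the
# LDAP client does with whichever CA is selected in the LDAP server settings.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# show_ldaps_chain HOST [PORT]
# Prints every certificate the server sends in the TLS handshake, the same
# information a packet capture of the LDAPS exchange would reveal.
show_ldaps_chain() {
    openssl s_client -connect "$1:${2:-636}" -showcerts </dev/null 2>/dev/null
}

# check_ldaps HOST CA_PEM [PORT]
# Exit 0 only when the live server certificate verifies against CA_PEM;
# -verify_return_error turns a verification warning into a handshake failure.
check_ldaps() {
    openssl s_client -connect "$1:${3:-636}" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# demo
# Builds a throwaway CA, an unrelated second CA, and a server certificate
# issued by the first CA, then verifies the server certificate against both.
# All key material is constructed in a temporary directory and deleted again.
demo() {
    d=$(mktemp -d)
    o="$d/openssl.log"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >"$o" 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other-ca.pem" >"$o" 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
        -keyout "$d/dc01.key" -out "$d/dc01.csr" >"$o" 2>&1
    openssl x509 -req -days 1 -in "$d/dc01.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/dc01.pem" >"$o" 2>&1

    # Verification against the issuing CA succeeds; against an unrelated CA it
    # fails with "unable to get local issuer certificate", the client-side view
    # of the "CA certificate could not be located" event the server logged.
    if verify_chain "$d/dc01.pem" "$d/ca.pem"; then r1=ok; else r1=fail; fi
    if verify_chain "$d/dc01.pem" "$d/other-ca.pem"; then r2=ok; else r2=fail; fi
    rm -rf "$d"
    echo "issuing-ca:$r1 unrelated-ca:$r2"
}
```

To apply this to the thread's situation, run `show_ldaps_chain dc01` to see which issuer the domain controller actually presents, export that issuer's CA certificate from the pfSense Certificate Manager (or, for the Global Root CA List choice, use the system CA bundle; on pfSense this is the ca_root_nss bundle, an assumption about the install rather than something the thread states) and confirm with `check_ldaps dc01 ca.pem` before changing the LDAP server settings. The demo function prints `issuing-ca:ok unrelated-ca:fail`.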
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.