2.4.4_2 LDAP with SSL failure



  • Hi @ all,

    the new version 2.4.4_2 seems to have an issue with the LDAP SSL connection and an Active Directory backend. I got the following output after the update from 2.4.4_1 to 2.4.4_2:

    [Screenshot attached: LDAP Fehler.PNG]

    In the system logs I see the following message:

    Jan 8 14:51:56 	php-fpm 	950 	/index.php: ERROR! Could not bind to LDAP server dc01. Please check the bind credentials. 
    

    Without using SSL there is no issue!
    On my other cluster node, which still has version 2.4.4_1, everything works well.
    Is there anybody who has a clue what the problem is?
    If not, I might have discovered a bug ...


  • Rebel Alliance Developer Netgate

    Nothing changed in LDAP between -p1 and -p2, so that should all work the same.

    Can you check the AD logs to see what it believes the problem may be?



  • @jimp
    Here is the event log entry from the domain controller:

    unknown_ca
    Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. This message is always fatal.
    

    [Screenshot attached]

    I have not changed any certificate or CA in the pfSense web GUI. When I use the older version everything works very well.



  • Any ideas?


  • Rebel Alliance Developer Netgate

    Nothing changed in the SSL or CA setup on -p2 either. My TLS LDAP setup is still functioning, even on 2.4.5 snapshots.

    Do you have the correct CA chosen for the LDAP certificate in the LDAP server settings? I am using an LE cert on my LDAP server, so I use the Global Root CA List choice.

    If you make a change to the LDAP SSL settings, it's a good idea to use options 16 then 11 in the console (ssh or video/serial) to ensure PHP gets the environment setup properly.



  • @jimp
    I will reimport the Root CA chain. What about the LDAP log patch which you have created:

    [Screenshot attached]

    Is it still working with 2.4.4?
    I got the following error:

    [Screenshot attached]


  • Rebel Alliance Developer Netgate

    No, that patch doesn't work. I haven't looked into turning that on in recent versions; that patch is super old.

    A packet capture of the exchange should show you the certificates being sent between client and server.
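A lighter-weight alternative to a packet capture for the two checks suggested in this thread (which CA the domain controller presents, and whether that CA is the one selected in the LDAP server settings) is the openssl CLI. The following helper is an added example, not code from the thread or from Netgate; it assumes openssl is installed on the box you run it from, and `dc01.example.internal`, `chosen-ca.pem` and the temporary file names are placeholders.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original thread). Assumes the
# openssl CLI is available. Host names and file paths are placeholders.

# Dump the certificate chain an LDAPS server sends during the TLS handshake and
# print subject/issuer for every certificate in it. The issuer of the last
# certificate printed is the CA the client must trust.
# Usage: ldaps_show_chain dc01.example.internal 636
ldaps_show_chain() {
  host="$1"; port="${2:-636}"
  dir="$(mktemp -d)"
  # -showcerts prints every PEM block the server sent; split them into files
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk -v d="$dir" '/BEGIN CERT/{n++; f=d "/chain-" n ".pem"} /BEGIN CERT/,/END CERT/{print > f}'
  for f in "$dir"/chain-*.pem; do
    [ -f "$f" ] || continue
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

# Verify a leaf certificate against the CA bundle you have chosen for the LDAP
# server (export it from the pfSense CA manager, or use the system bundle when
# "Global Root CA List" is selected). Returns 0 when the chain builds; a
# non-zero return is the client-side equivalent of the DC's unknown_ca alert.
# Usage: verify_leaf_against_ca chain-1.pem chosen-ca.pem
verify_leaf_against_ca() {
  leaf="$1"; cafile="$2"
  openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
}
```

Run `ldaps_show_chain` from a host that can reach the domain controller on 636, then feed the first certificate it wrote to `verify_leaf_against_ca` together with the CA you have selected in pfSense; if that fails while the server's own chain looks complete, the mismatch is on the client trust side rather than on the DC.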