ext. LDAPS auth flapping after CA import -> only working after restart


  • LAYER 8 Moderator

    Hi all,

    we're encountering a strange phenomenon: We were in the process of migrating authentication of e.g. OpenVPN via our internal AD. Until now it was simple tcp/389 ldap so we switched to tcp/636 SSL mode and had a few hiccups:

    1. after defining the hostname instead of the IP for certificate reasons it wouldn't work as we had not imported the windows CA beforehand
    2. imported CA
    3. checked all settings

    This resulted in the following behavior on the CARP master:

    • Diagnostic/Authentication
    • selected LDAP/AD config
    • checked with my user
    • hit submit multiple times, sometimes it worked (green bar), sometimes it wouldn't!

    Huh? Now we checked on the standby node. Same steps but every click on submit was answered in green. Connection was successful! Back to primary node -> flapping. We had no answer to the problem until we rebooted the node as we had to update it from -p2 to -p3 ... and now it worked. WTF?

    Checked both, standby and master again -> it worked. Flawlessly. So somehow after importing the MS AD CA it won't get correctly read by the master/both? nodes but syncing to the second node seems to trigger some mechanism, so that the standby node has fewer/no problems authenticating against the ldaps:// connection.

    So question is: HOW can I trigger that on the master without a simple restart? As we had an internal (MS) problem yesterday the MS AD internal CA had to be replaced and the AD/LDAP cert is now signed by a new server cert against a newer CA. Imported that new CA and we are back to square one with service/authentication flapping and not authenticating properly. As we can't simply restart neither internal nor external cluster at will as there is customer impact, I'd be more than happy if someone could explain WTF is happening there ;)

    Thanks in advance,
    Jens


  • Rebel Alliance Developer Netgate

    Because of the, let's say "suboptimal", way that PHP requires setting up the LDAP environment for certs, it tends to not be reliable after making changes. It doesn't always happen, but you need to restart PHP-FPM and the GUI web server to be sure it's using the correct environment when it does. A reboot does that, or use the console options 16 and 11 (in that order).

    I'd love to fix it, but the new method still isn't working in PHP: https://redmine.pfsense.org/issues/9417

    If you really want to be sure it works, then you could always use a CA for LDAP that can be validated against the global root CA list, like one from Let's Encrypt.
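    To separate "the imported CA is wrong" from "PHP is still using a stale LDAP environment", it helps to validate the LDAPS chain outside PHP entirely. The shell check below is an added example, not code from this thread or from pfSense; the hostname, port 636 and the CA bundle path are assumptions, and `-verify_hostname` needs OpenSSL 1.1 or newer.

```shell
#!/bin/sh
# Validate an LDAPS endpoint's certificate chain against a given CA bundle
# with openssl directly, so the result does not depend on the (possibly
# stale) LDAP environment cached by PHP-FPM.

# Extract the "Verify return code" from captured `openssl s_client` output.
# Prints the numeric code (0 = chain OK); returns 0 if the chain verified,
# 1 if verification failed, 2 if no verify line was found at all.
parse_verify_code() {
    # $1: file containing openssl s_client output
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' "$1" | tail -n 1)
    if [ -z "$code" ]; then
        echo "no 'Verify return code' line in output" >&2
        return 2
    fi
    printf '%s\n' "$code"
    [ "$code" -eq 0 ]
}

# Connect to host:636, send SNI and check the name in the cert (as the GUI
# does when the LDAP server is configured by hostname), and verify the chain
# only against the supplied CA file, not the system trust store.
ldaps_check() {
    host=$1          # assumption: e.g. dc01.ad.example.internal
    ca=$2            # assumption: e.g. /tmp/ad-root-ca.crt
    out=$(mktemp)
    openssl s_client -connect "$host:636" -servername "$host" \
        -verify_hostname "$host" -CAfile "$ca" </dev/null >"$out" 2>&1
    parse_verify_code "$out"
    rc=$?
    rm -f "$out"
    return $rc
}
```

If this reports code 0 while the GUI still flaps, the CA import is fine and the remaining suspect is the PHP-FPM / webConfigurator environment; a non-zero code (e.g. 19 or 21, an untrusted chain) means the bundle itself is wrong.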


  • LAYER 8 Moderator

    @jimp said in ext. LDAPS auth flapping after CA import -> only working after restart:

    Because of the, let's say "suboptimal", way that PHP requires setting up the LDAP environment for certs

    I really laughed hard at "suboptimal" 😁 That's why we love PHP ;)

    If you really want to be sure it works, then you could always use a CA for LDAP that can be validated against the global root CA list, like one from Let's Encrypt.

    Ah nice idea! Even if not possible ATM as that would mean re-organizing the internal AD and dependencies but a good thought for an update later along the road.

    I'd love to fix it, but the new method still isn't working in PHP: https://redmine.pfsense.org/issues/9417

    Will have an eye on that one :)

    Thanks for the hint about restarting, after restarting PHP-FPM, WebGUI and the OpenVPN servers that used the LDAPS connection all is working again!

