Netgate Discussion Forum

    ext. LDAPS auth flapping after CA import -> only working after restart

    General pfSense Questions
    3 Posts 2 Posters 282 Views
    JeGr (LAYER 8 Moderator):

      Hi all,

      We're encountering a strange phenomenon: we were in the process of migrating authentication (e.g. for OpenVPN) to our internal AD. Until now it was simple tcp/389 LDAP, so we switched to tcp/636 SSL mode and had a few hiccups:

      1. After defining the hostname instead of the IP (for certificate reasons) it wouldn't work, as we had not imported the Windows CA beforehand.
      2. Imported the CA.
      3. Checked all settings.

      This resulted in the following behavior on the CARP master:

      • Diagnostics / Authentication
      • selected the LDAP/AD config
      • tested with my user
      • hit submit multiple times: sometimes it worked (green bar), sometimes it wouldn't!

      Huh? Now we checked on the standby node. Same steps, but every click on submit was answered in green. Connection was successful! Back to the primary node -> flapping. We had no answer to the problem until we rebooted the node, as we had to update it from -p2 to -p3 ... and now it worked. WTF?

      Checked both standby and master again -> it worked. Flawlessly. So somehow after importing the MS AD CA it won't get correctly read by the master (or both?) nodes, but syncing to the second node seems to trigger some mechanism, so that the standby node has less/no problems authenticating against the ldaps:// connection.

      So the question is: HOW can I trigger that on the master without a simple restart? As we had an internal (MS) problem yesterday, the MS AD internal CA had to be replaced, and the AD/LDAP cert is now signed by a new server cert against a newer CA. Imported that new CA and we are back to square one with service/authentication flapping and not authenticating properly. As we can't simply restart either the internal or the external cluster at will, since there is customer impact, I'd be more than happy if someone could explain WTF is happening there ;)

      Thanks in advance,
      Jens

      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

    jimp (Rebel Alliance Developer, Netgate):

        Because of the, let's say "suboptimal", way that PHP requires setting up the LDAP environment for certs, it tends to not be reliable after making changes. It doesn't always happen, but you need to restart PHP-FPM and the GUI web server to be sure it's using the correct environment when it does. A reboot does that, or use the console options 16 and 11 (in that order).

        I'd love to fix it, but the new method still isn't working in PHP: https://redmine.pfsense.org/issues/9417

        If you really want to be sure it works, then you could always use a CA for LDAP that can be validated against the global root CA list, like one from Let's Encrypt.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

    JeGr (LAYER 8 Moderator):
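As an added example that is not part of the thread and not pfSense's own code: a small POSIX shell script for the firewall shell that does two things jimp's answer points at. The `restart` subcommand runs the same restarts as console options 16 and 11, and the `probe` subcommand binds to the domain controller over LDAPS from a fresh PHP CLI process N times and classifies the tally. The hostname, CA file path, bind DN and the rc-script paths are assumptions (hypothetical values; adjust for your site).

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense itself.
# After importing a new CA on a pfSense node: restart the PHP environment the
# way console options 16 and 11 do (no reboot), then bind to the AD controller
# over LDAPS repeatedly and classify the result.
#
# Assumptions (hypothetical, adjust for your site):
#   LDAP_HOST / LDAP_PORT  - the DC named in the LDAP auth server (hostname, not IP)
#   CA_FILE                - exported PEM of the CA that signed the DC's certificate
#   BIND_DN / BIND_PW      - low-privilege bind account, password via environment only
#   /etc/rc.php-fpm_restart, /etc/rc.restart_webgui - assumed to be the rc scripts
#   behind console menu options 16 and 11
LDAP_HOST="${LDAP_HOST:-dc01.ad.example.internal}"
LDAP_PORT="${LDAP_PORT:-636}"
CA_FILE="${CA_FILE:-/root/internal-ad-ca.pem}"
BIND_DN="${BIND_DN:-CN=pfsense-bind,OU=Service,DC=ad,DC=example,DC=internal}"
BIND_PW="${BIND_PW:-}"

restart_php_env() {
    /etc/rc.php-fpm_restart     # console option 16: Restart PHP-FPM
    /etc/rc.restart_webgui      # console option 11: Restart webConfigurator
}

# One LDAPS bind in a fresh PHP process. The process inherits LDAPTLS_CACERT
# from this shell; that is the trust anchor the OpenLDAP client library (and so
# PHP's ldap extension) uses to verify the server certificate. The password is
# passed through the environment, not argv, so it does not show up in ps.
probe_once() {
    LDAPTLS_CACERT="$CA_FILE" LDAPTLS_REQCERT=demand BIND_PW="$BIND_PW" \
    php -r '
        $ds = ldap_connect($argv[1]);
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        if (!@ldap_bind($ds, $argv[2], getenv("BIND_PW"))) {
            fwrite(STDERR, "bind failed: " . ldap_error($ds) . "\n");
            exit(1);
        }
        exit(0);
    ' -- "ldaps://$LDAP_HOST:$LDAP_PORT" "$BIND_DN"
}

# Run N probes and print the number of successful binds.
probe_repeat() {
    n=${1:-10} ok=0 i=0
    while [ "$i" -lt "$n" ]; do
        if probe_once; then ok=$((ok + 1)); fi
        i=$((i + 1))
    done
    echo "$ok"
}

# Map "ok out of total" onto the symptoms from the thread:
#   stable-ok   - chain and environment are fine
#   stable-fail - wrong CA, hostname mismatch or DC unreachable (fix config first)
#   flapping    - mixed results, the stale-PHP-environment symptom jimp describes
classify() {
    ok=$1 total=$2
    if [ "$total" -le 0 ]; then echo no-data
    elif [ "$ok" -eq "$total" ]; then echo stable-ok
    elif [ "$ok" -eq 0 ]; then echo stable-fail
    else echo flapping
    fi
}

main() {
    case "$1" in
        restart) restart_php_env ;;
        probe)
            n=${2:-10}
            ok=$(probe_repeat "$n")
            echo "$ok/$n LDAPS binds succeeded: $(classify "$ok" "$n")"
            ;;
        *) echo "usage: $0 restart | probe [count]" >&2; exit 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Caveat on interpreting the probe: each CLI run is a brand-new PHP process, so it cannot hold a stale environment the way long-lived PHP-FPM workers can. If `probe` reports stable-ok while Diagnostics / Authentication in the GUI flaps, the fault is the PHP-FPM/webGUI environment and `restart` is the fix; stable-fail means the CA file or hostname itself is wrong and no restart will help. The `restart` subcommand briefly interrupts the webGUI, so run it in a maintenance window. As the thread notes, OpenVPN servers bound to that LDAP server needed a restart as well.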

          @jimp said in ext. LDAPS auth flapping after CA import -> only working after restart:

          Because of the, let's say "suboptimal", way that PHP requires setting up the LDAP environment for certs

          I really laughed hard at "suboptimal" 😁 That's why we love PHP ;)

          If you really want to be sure it works, then you could always use a CA for LDAP that can be validated against the global root CA list, like one from Let's Encrypt.

          Ah, nice idea! Even if not possible ATM, as that would mean re-organizing the internal AD and its dependencies, it's a good thought for an update later down the road.

          I'd love to fix it, but the new method still isn't working in PHP: https://redmine.pfsense.org/issues/9417

          Will have an eye on that one :)

          Thanks for the hint about restarting: after restarting PHP-FPM, the WebGUI and the OpenVPN servers that used the LDAPS connection, all is working again!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.