Netgate Discussion Forum
    Multiple IP Addresses for LDAP Server

yakatz

      One of our LDAP servers failed and our OpenVPN stopped working because that was the only LDAP server set up in the firewall. Is there a way to specify multiple IP addresses for the LDAP server in the pfSense Authentication Server configuration? Since each server has the same configuration, it seems like it shouldn't be necessary to set it up as a completely new server. This is especially true because we have three different sets of servers, so we would end up having a very large number of servers tried unnecessarily when authenticating against the later domains on the list.

viktor_g (Netgate) @yakatz

@yakatz You can create an LDAP server entry for each IP address and select all of them on the OpenVPN server configuration page.

yakatz

          @viktor_g said in Multiple IP Addresses for LDAP Server:

@yakatz You can create an LDAP server entry for each IP address and select all of them on the OpenVPN server configuration page.

          I understand that, but let me restate the concern with doing that:

          I have two different domains:
          e969ed08-6454-4f22-86b2-c6056add4aa6-image.png

          If I had to create separate server entries, if a server responds that a user is not valid, won't OpenVPN just try the next server for the same domain? This seems like substantial extra load, especially if some of those servers are accessed over a VPN to another site (Domain A - Server 3 in this example).
          23c27b2b-4cd1-4145-83d0-769bb3e8e36a-image.png

          Is there any way to do something like this, so if the server returns that a user is not valid, OpenVPN will move on to the next domain?
          0d44feaf-b598-4605-9ab6-3c13a1f962ba-image.png

hydrian

If they are all the same LDAP tree, why not create a TCP HA-Proxy VIP, even if it is just for localhost?

yakatz @hydrian

              @hydrian Interesting idea. I will give it a try and report back here.

yakatz

Looking at the source: for the record, PHP's ldap_connect supports multiple connection strings, but there is some validation done in src/etc/inc/auth.inc#L1423, which builds the connection string in a way that can't add multiple strings. I might look at a patch for this myself too.

hydrian @yakatz

@yakatz Also a word of warning, as someone who deals with PHP's LDAP bindings on a regular basis: ldap_connect is incredibly picky about TLS/SSL connections. And until about PHP 7.3, they are very hard to override to allow an insecure connection, even for testing.

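As an added illustration of the two points raised in the last posts (ldap_connect accepting a space-separated list of URIs so that libldap tries each host in turn, and the TLS handling that the warning above refers to), here is a standalone PHP snippet. It is not pfSense's auth.inc code and not part of this thread; the hostnames, bind DN and CA bundle path are constructed placeholders, and it assumes PHP 7.1 or later built against OpenLDAP's libldap, where ldap_set_option with a null handle sets the global TLS options.

```php
<?php
// Added example, not pfSense's auth.inc: bind to the first reachable server in a
// space-separated LDAP URI list while keeping certificate verification enforced.
// All hostnames, DNs and paths below are constructed placeholders.

const LDAP_URIS = 'ldaps://ldap1.domain-a.example:636 ldaps://ldap2.domain-a.example:636';
const CA_FILE   = '/usr/local/share/certs/ca-root-nss.crt';          // assumed CA bundle path
const BIND_DN   = 'cn=openvpn-bind,ou=service,dc=domain-a,dc=example'; // assumed service account

/**
 * Connect and bind with failover across the given URI list.
 * Returns the LDAP connection handle on success, or null on failure.
 */
function ldapFailoverBind(string $uris, string $bindDn, string $bindPw, string $caFile)
{
    // Global TLS options (null handle): verify the server certificate against
    // our CA bundle and refuse the connection if it does not validate. This is
    // the secure setting; it deliberately does not relax verification.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // libldap parses a space-separated URI list and tries the hosts in order,
    // so one failed server does not take authentication down with it.
    $ldap = ldap_connect($uris);
    if ($ldap === false) {
        return null; // malformed URI list; no network I/O has happened yet
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Bound the wait per host so an unreachable server (e.g. one behind a
    // site-to-site VPN) is skipped quickly instead of stalling the login.
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The TCP and TLS handshakes happen here, not in ldap_connect().
    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        error_log('LDAP bind failed: ' . ldap_error($ldap));
        return null;
    }
    return $ldap;
}

// Usage: the password would normally come from configuration, not a literal.
$conn = ldapFailoverBind(LDAP_URIS, BIND_DN, getenv('LDAP_BIND_PW') ?: '', CA_FILE);
if ($conn === null) {
    fwrite(STDERR, "no LDAP server in the list accepted a verified TLS bind\n");
    exit(1);
}
ldap_unbind($conn);
```

The failover happens inside libldap when the handshake is attempted at bind time, which is why the URI list must survive into the string that auth.inc hands to ldap_connect. Note that this only covers servers of one domain; it does not change how a "user not found" result from one domain moves on to the next, which remains a question of how many authentication servers are selected on the OpenVPN page.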
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.