Netgate Discussion Forum

    AD Auth cache?

    General pfSense Questions
    mmerlone

      Hi all,

      We have a pfsense server with openvpn road warriors set to auth over our AD domain. Works like a charm.
      Now I have to kick a user from the service. I lock his account on AD, but pfsense still auths this user for openvpn as if it were not locked.
      Is there some cache made by pfsense? How can I prevent those locked users from logging in to openvpn?

      Thanks, best regards.

      stephenw10 (Netgate Administrator)

        Is it falling back to local auth? Does that user exist locally?

        If you test from Diag > Auth against AD, does it show success there? Not much pfSense can do if it does.

        Steve

        mmerlone

          Is it falling back to local auth? Does that user exist locally?

          No and no.

          If you test from Diag > Auth against AD does it show success there. Not much pfSense can do if it does.

          I just don't understand: a joe.doe login is locked out from AD and becomes unable to auth on any service, be it dovecot, postfix, squid, samba, windows, php apps, etc. Why doesn't my pfsense?

          For instance, for now I'm using an extended query to quickly kick undesired users like this, if that matters or helps:

          (&(objectClass=user)(!(|(uid=joe.doe)(uid=foo.bar))))
          

          And the question remains: how can I debug this lock issue, and how can I make pfsense honor AD account lockout?

          Thanks, best regards.

          stephenw10 (Netgate Administrator)

            So you are saying AD still returns success for that account when you test it from the webgui in Diag > Auth?

            Steve

            mmerlone

              Yes, a locked user on AD still returns success on Diag -> Auth and thus is able to auth and use the vpn connection.

              stephenw10 (Netgate Administrator)

                Ok well that's a question for AD, why is it returning success there?
                pfSense is just reflecting the returned successful authentication.

                Steve

                mmerlone

                  The question remains: why just pfsense, while all other services honor the lock? I am not saying it is a pfsense bug, but rather some mis-configuration on my side. How can I find what's wrong?

                  stephenw10 (Netgate Administrator)

                    I'd have to guess it's because you are locking the account rather than disabling or removing it. AD is probably returning that in some additional string that only applies to Windows and not general LDAP auth.
                    Try running a pcap and see what it's sending, if you can, and if any of it is unencrypted.
                    I doubt you are the first to hit this.

                    Steve

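As an added illustration of the distinction Steve draws (this is not code from the thread, from pfSense, or from Netgate): a bare LDAP bind only proves the password, so a stricter check has to look at the attributes AD returns, and an extended query can drop disabled accounts before the bind is ever attempted. Attribute names and the userAccountControl bit are AD's; the lockoutDuration is passed in as a timedelta, the login attribute is assumed to be sAMAccountName, and the sample entries are constructed.

```python
# Added example: classify AD-style entries the way a stricter authenticator would,
# and build the matching pfSense-style "extended query".
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                    # userAccountControl bit: account disabled
LDAP_BIT_AND = "1.2.840.113556.1.4.803"    # matching-rule OID for bitwise AND
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """AD stores lockoutTime as 100-ns intervals since 1601-01-01 UTC; 0 means 'never'."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def account_status(entry, lockout_duration, now):
    """Return 'ok', 'disabled' or 'locked' for a dict of AD attributes (assumed shape)."""
    if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return "disabled"
    lockout = int(entry.get("lockoutTime", 0))
    # lockoutTime can stay populated after the lockout window has passed, so a
    # non-zero value alone is not enough: compare it against lockoutDuration.
    if lockout and filetime_to_dt(lockout) + lockout_duration > now:
        return "locked"
    return "ok"

def extended_query(exclude=()):
    """Filter that excludes disabled accounts plus any explicitly listed logins."""
    parts = [f"(!(userAccountControl:{LDAP_BIT_AND}:=2))"]
    if exclude:
        names = "".join(f"(sAMAccountName={n})" for n in exclude)
        parts.append(f"(!(|{names}))")
    return "(&(objectClass=user)" + "".join(parts) + ")"

# Constructed sample directory: one fresh lockout, one disabled account,
# one lockout that has already expired, and one clean account.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)

def ft(dt):
    """Convert a datetime back to an AD FILETIME integer (constructed data helper)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

SAMPLE = {
    "joe.doe":  {"userAccountControl": 512, "lockoutTime": ft(NOW - timedelta(minutes=5))},
    "foo.bar":  {"userAccountControl": 514},   # 512 | 2: normal account, disabled
    "old.lock": {"userAccountControl": 512, "lockoutTime": ft(NOW - timedelta(hours=2))},
    "ann.ok":   {"userAccountControl": 512, "lockoutTime": 0},
}

def classify_all(lockout_minutes=30, now=NOW):
    """Classify every sample entry under an assumed 30-minute lockoutDuration."""
    return {n: account_status(e, timedelta(minutes=lockout_minutes), now)
            for n, e in SAMPLE.items()}
```

Only the disabled bit is something a filter can exclude reliably; an expired lockout still carries a non-zero lockoutTime, which is why disabling (as Steve suggests) is the dependable way to shut an account out of a plain LDAP authenticator.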
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.