Netgate Discussion Forum

    google LDAP connection failed

    16 Posts 5 Posters 3.3k Views
      assitenzatecnicaistituto

      Thanks BossaOps, I'm not exactly an expert, it was easy enough to do.
      So there's no way to fix it?

        viktor_g (Netgate)

        Could you check /var/log/system.log for LDAP bind errors?

        pfSense PHP version supports SNI:
        OPENSSL_TLSEXT_SERVER_NAME = true
        see https://www.php.net/manual/en/openssl.constsni.php
        and ldapsearch is not used for it

        Redmine issue created: https://redmine.pfsense.org/issues/11626

          BossaOps @assitenzatecnicaistituto

          @assitenzatecnicaistituto I think it's going to take a little while to understand what changed, it should be solvable.

            BossaOps @viktor_g

            @viktor_g just that same old error I always get:

            4 11:23:19 office-gateway php-fpm[35209]: /diag_authentication.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials.

            Same thing more or less in auth.log

            Feb 24 17:12:58 office-gateway openvpn[345]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials.
            Mar  2 11:02:41 office-gateway php-fpm[96371]: /diag_authentication.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials.

            Is there any way to get a more complete error from that code? I had to add --ZZ to ldapsearch to get it to state what the error was, it would be nice to understand which of the many reasons the connection fails. As an aside, Cloud Identity LDAP does not actually use the bind credentials (you can connect without them). They will use them if the client insists on sending them.

            Why do I need both a certificate and access credentials to authenticate LDAP clients?
            
            Only the certificate authenticates the LDAP client. The access credentials only exist if the client insists upon also sending a username and password. On their own, the access credentials don’t confer any access to the LDAP server or user data, but they should be kept secret to prevent them from being used to log in to certain LDAP clients.
            
            In the case where an LDAP client requires access credentials, we authenticate LDAP clients with both certificates and access credentials.
            
              BossaOps @viktor_g

              @viktor_g I guess your bug tracker is private, but I'd really like to inform Jim P that

              1. Cloud Identity LDAP stopped working only when we upgraded to 2021.02
              2. Services that are using connections to the same directory continue to run without issue so a google change is not the most likely culprit.
              3. If you set up the stunnel part per this: https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html it works.
                BossaOps @assitenzatecnicaistituto

                @assitenzatecnicaistituto Actually, if you set up the stunnel package as per this page: https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html#install-the-stunnel-pfsense-package-ce-or-2-4-4-release

                and configure it as indicated, the LDAP works again.

                  assitenzatecnicaistituto @BossaOps

                  @bossaops thanks! You saved me.

                    BossaOps @assitenzatecnicaistituto

                    @assitenzatecnicaistituto My pleasure!

                      racecarr @BossaOps

                      @bossaops Thank you for providing this as a work around. Worked for my organization, as well. Hard to believe that NetGate would release an update that breaks existing functionality and not provide some notice about the fix.
                      I upgraded yesterday from 2.4.5 to 21.02.2 and the LDAP connection to Google IdP that had been working for almost a year instantly broke.
                      Switched to using stunnel as you suggested and we're back in business.

                        Albertopfsense

                        Good morning,
                        I have the same problem.
                        This is the last row of the error report:
                        69034 /diag_authentication.php: ERROR! Could not bind to LDAP server Google. Please check the bind credentials.
                        Jul 20 18:51:20 stunnel 69347 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
                        Jul 20 18:51:20 stunnel 69347 LOG3[0]: SSL_accept: /build/ce-crossbuild-252/sources/FreeBSD-src/crypto/openssl/ssl/record/rec_layer_s3.c:1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
                        Jul 20 18:51:20 stunnel 69347 LOG6[0]: Peer certificate not required
                        Jul 20 18:51:20 stunnel 69347 LOG5[0]: Service [Google] accepted connection from 127.0.0.1:50399
                        Jul 20 18:50:45 stunnel 67696 LOG5[ui]: Switched to chroot directory: /var/tmp/stunnel
                        Jul 20 18:50:45 stunnel 67696 LOG5[ui]: Configuration successful

                        What can I try to test the LDAP functionality?
                        Thanks, Alberto
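Added here as an editor's example, not code from the thread or from Netgate: a small Python triage script that classifies stunnel and pfSense log lines like the ones quoted in this thread, so the generic "Could not bind" message can be tied to the handshake failure that actually caused it. The sample lines are constructed from the thread (source path shortened, one SSL_connect line added); the reading of alert direction assumes OpenSSL's convention that an alert reported by ssl3_read_bytes was received from the peer, and the hint about the local leg assumes the stunnel recipe's layout (stunnel does TLS toward Google, pfSense speaks plain LDAP to the local listener).

```python
import re

# Constructed sample from the thread's quoted lines (path shortened) plus a constructed SSL_connect line.
SAMPLE_LOG = """\
Jul 20 18:50:45 stunnel 67696 LOG5[ui]: Configuration successful
Jul 20 18:51:20 stunnel 69347 LOG5[0]: Service [Google] accepted connection from 127.0.0.1:50399
Jul 20 18:51:20 stunnel 69347 LOG6[0]: Peer certificate not required
Jul 20 18:51:20 stunnel 69347 LOG3[0]: SSL_accept: rec_layer_s3.c:1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jul 20 18:51:20 stunnel 69347 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jul 20 18:51:20 office-gateway php-fpm[69034]: /diag_authentication.php: ERROR! Could not bind to LDAP server Google. Please check the bind credentials.
Jul 21 09:00:01 stunnel 70001 LOG3[1]: SSL_connect: rec_layer_s3.c:1544: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
"""

# OpenSSL's "ssl3_read_bytes:... alert <reason>" reports an alert received from
# the peer, so the handshake function tells us who rejected whom (assumed reading):
#   SSL_accept  -> stunnel was the TLS server; the local client (pfSense) refused
#                  the certificate presented by the stunnel listener.
#   SSL_connect -> stunnel was the TLS client; the remote LDAP server (Google)
#                  refused the session, typically over the client certificate.
ALERT_RE = re.compile(r"(SSL_accept|SSL_connect): .*alert ([a-z ]+)$")
BIND_RE = re.compile(r"Could not bind to LDAP server (\S+)\.")
RESET_RE = re.compile(r"Connection reset: (\d+) byte\(s\) sent to TLS, (\d+) byte")

def classify(line: str) -> tuple[str, str]:
    """Return (category, explanation) for one log line."""
    m = ALERT_RE.search(line)
    if m:
        side, reason = m.groups()
        if side == "SSL_accept":
            return ("local-handshake-failed",
                    f"pfSense refused the stunnel listener certificate ({reason}); "
                    "stunnel should do the TLS leg and pfSense should speak plain LDAP to it")
        return ("remote-handshake-failed",
                f"the remote LDAP server refused the session ({reason}); "
                "check the Secure LDAP client certificate and key")
    m = BIND_RE.search(line)
    if m:
        return ("bind-failed",
                f"generic pfSense message for server '{m.group(1)}'; the real cause "
                "is in the stunnel lines with the same timestamp")
    m = RESET_RE.search(line)
    if m and m.groups() == ("0", "0"):
        return ("handshake-aborted", "no application data crossed either side")
    return ("info", "")

def triage(log_text: str) -> list[tuple[str, str]]:
    """Classify every line and drop the purely informational ones."""
    results = (classify(line.strip()) for line in log_text.splitlines())
    return [r for r in results if r[0] != "info"]
```

Run `triage(open("/var/log/system.log").read())` on a box showing the symptom to see which side of the stunnel hop failed before touching the bind credentials.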

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.