Netgate Discussion Forum

Unable to authenticate users over authentication server LDAP (upgrade 2.5.0)

Category: OpenVPN
18 Posts 4 Posters 2.0k Views
    Marco Aurelio Costa
    last edited by Mar 23, 2021, 6:22 PM

    Hi there,

    I set up an LDAP authentication server for remote user authentication (OpenVPN users). Everything worked fine on versions 2.4.4 and 2.4.5.
    Once I upgraded to version 2.5.0, my authentication server stopped working. I tested with LDAPS and LDAP (389) and it fails too.

    I use LDAPS authentication against Microsoft AD (port 636). I tested my LDAPS configuration with other tools (e.g. Apache management studio) and it works fine.

    Has anyone had a similar issue, or could anyone help me with it?

    Thanks!

      marcio.oliveira @Marco Aurelio Costa
      last edited by Mar 25, 2021, 1:54 PM

      @marco-aurelio-costa Did you fix it? I'm having the same problem.

        marcio.oliveira @Marco Aurelio Costa
        last edited by Mar 25, 2021, 2:45 PM

        @marco-aurelio-costa Hi, I fixed it by unchecking "Extended Query" under System > User Manager > Authentication Servers \0/

          viktor_g Netgate @Marco Aurelio Costa
          last edited by Mar 25, 2021, 2:51 PM

          @marco-aurelio-costa You could try to apply Patch ID be444914b22fd4722c9df1e1139b6e2d7d1618b9

          see https://redmine.pfsense.org/issues/4521

            adamw @viktor_g
            last edited by May 5, 2021, 10:35 AM

            @viktor_g

            Having same LDAP authentication issue after upgrading from 2.4.5-p1 to 21.02.2:

            May  5 08:12:14 pfsense openvpn[78072]: user 'user1' could not authenticate.
            

            Unchecking "Extended Query" also does the trick for me, in the sense that the /diag_authentication.php test passes (it otherwise fails).

            Not a real solution though, as my "Extended Query" requires a user to be a member of a specific group in order to use OpenVPN:

            memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk

            What's the bottom line of this? A bug? Missing functionality? Is it expected to start working in the next 21.x release?

              viktor_g Netgate @adamw
              last edited by May 5, 2021, 11:08 AM

              @adamw Could you provide more info about your pfSense LDAP configuration and LDAP schema?

              It works fine for me with Windows AD / FreeIPA LDAP authentication.

                Marco Aurelio Costa @marcio.oliveira
                last edited by May 5, 2021, 11:16 AM

                @marcio-oliveira Many other issues appeared in the upgrade to the latest version, so the quick solution was to downgrade to the latest stable version.

                  marcio.oliveira @adamw
                  last edited by May 5, 2021, 11:36 AM

                  @adamw Hi, I fixed it by unchecking "Extended Query" under System > User Manager > Authentication Servers \0/

                    adamw @marcio.oliveira
                    last edited by May 5, 2021, 11:50 AM

                    @marcio-oliveira

                    Not a good solution, I need to use my extended query.

                      marcio.oliveira @adamw
                      last edited by May 5, 2021, 12:09 PM

                      @adamw Did you try it? I need to use my query too. When I disabled this option my query began to work.

                        adamw @marcio.oliveira
                        last edited by May 5, 2021, 12:22 PM

                        @marcio-oliveira
                        No, I haven't tried going live with it.

                        All I have verified is my LDAP authentication test (/diag_authentication.php) on a spare firewall started passing after unchecking "extended query".

                        Are you saying that even after unchecking the box my extended query (memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk) will still be applied and honoured?

                          marcio.oliveira @adamw
                          last edited by May 5, 2021, 12:36 PM

                          @adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):

                          No, I haven't tried going live with it.
                          All I have verified is my LDAP authentication test (/diag_authentication.php) on a spare firewall started passing after unchecking "extended query".
                          Are you saying that even after unchecking the box my extended query (memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk) will still be applied and honoured?

                          Yes, I am!

                            adamw @viktor_g
                            last edited by May 5, 2021, 1:33 PM

                            @viktor_g

                            I've messaged you my settings in a chat.

                            There have clearly been some changes here between 2.4.5-p1 and 21.02.2 that are causing this.

                            New settings or defaults perhaps?

                            When I add an authentication server in 2.4.5-p1 and 21.02.2 side by side I can see the following additions:

                            • Shell Authentication Group DN
                            • Allow unauthenticated bind
                              adamw @adamw
                              last edited by May 6, 2021, 11:26 AM

                              Last night our old 2.4.5-p1 firewall sent the following message (which I have never seen before):

                              Notifications in this message: 1
                              ================================
                              
                              3:01:00 The following CA/Certificate entries are expiring:
                              Certificate Authority: LDAP ca-certificates samba (5c87911d15f99): Expired 2010 days ago
                              Certificate: webConfigurator default (386d44fb99181): Expired 5796 days ago
                              

                              We have always used port 389 for LDAP authentication.

                              Did the firewall swap attempt trigger it? Is this related to our issue?

                                viktor_g Netgate @adamw
                                last edited by May 6, 2021, 12:19 PM

                                @adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):

                                Last night our old 2.4.5-p1 firewall sent the following message (which I have never seen before):

                                Notifications in this message: 1
                                ================================
                                
                                3:01:00 The following CA/Certificate entries are expiring:
                                Certificate Authority: LDAP ca-certificates samba (5c87911d15f99): Expired 2010 days ago
                                Certificate: webConfigurator default (386d44fb99181): Expired 5796 days ago
                                

                                We have always used port 389 for LDAP authentication.

                                Did the firewall swap attempt trigger it? Is this related to our issue?

                                Is this a Netgate appliance?
                                Please update to the latest pfSense version or apply the patch from https://redmine.pfsense.org/issues/11504

                                  viktor_g Netgate @adamw
                                  last edited by May 6, 2021, 1:07 PM

                                  @adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):

                                  @viktor_g

                                  I've messaged you my settings in a chat.

                                  I'll check it,
                                  but nothing special at first glance.

                                  There have clearly been some changes here between 2.4.5-p1 and 21.02.2 that are causing this.

                                  New settings or defaults perhaps?

                                  When I add an authentication server in 2.4.5-p1 and 21.02.2 side by side I can see the following additions:

                                  • Shell Authentication Group DN

                                  Related to "LDAP authentication for SSH users":
                                  https://redmine.pfsense.org/issues/8698

                                  • Allow unauthenticated bind

                                  MS AD issue (feature?)
                                  See https://redmine.pfsense.org/issues/9909

                                    adamw @viktor_g
                                    last edited by adamw May 6, 2021, 2:40 PM May 6, 2021, 2:39 PM

                                    @viktor_g

                                    Yes, we have 3 x Netgate SG-3100. TBH I didn't realise the CPU was 32 bit, not 64.

                                    I think I'll wait with an update as it doesn't cause any practical issues and only sends that alert. I was just wondering if it's directly related but seems like it's not.

                                      adamw
                                      last edited by adamw Apr 20, 2022, 8:23 AM Apr 19, 2022, 4:48 PM

                                      Still an issue in 22.01 (pfSense+). The same workaround applies, i.e., turning off "Extended Query" in LDAP authentication.
                                      Still not ideal since it doesn't allow fine-grained control over which AD users are allowed to use OpenVPN service.

                                      Has anybody come up with a better workaround?
                                      Would it make sense to use Client Specific Overrides option for access restriction?

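Added example, not from this thread or from pfSense's code: a small script that rebuilds the search filter an "Extended Query" such as adamw's memberOf restriction produces and, optionally, runs the same search-then-bind flow directly against the directory, so the group filter can be verified independently of the pfSense GUI. The filter layout (username match ANDed with the extended query) and the use of the third-party ldap3 package are assumptions; server, bind account and credentials are placeholders.

```python
# Added example (not pfSense's own code). Rebuilds the LDAP filter that a
# pfSense-style "Extended Query" is assumed to produce and checks it against
# the directory outside the GUI, so a group restriction can be validated.
from typing import Optional, Tuple

# Constructed sample values mirroring the thread: AD username attribute and
# the group restriction adamw uses.
USER_ATTR = "sAMAccountName"
EXTENDED_QUERY = "memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value per RFC 4515 so it cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(username: str, user_attr: str = USER_ATTR,
                 extended_query: Optional[str] = None) -> str:
    """AND the username match with the extended query; wrap the query in
    parentheses if the operator typed it bare, as on the page (assumption)."""
    base = "(%s=%s)" % (user_attr, escape_filter_value(username))
    if not extended_query:
        return base
    ext = extended_query.strip()
    if not ext.startswith("("):
        ext = "(%s)" % ext
    return "(&%s%s)" % (base, ext)


def check_user(server_uri: str, bind_dn: str, bind_pw: str, base_dn: str,
               username: str, password: str,
               extended_query: Optional[str] = EXTENDED_QUERY) -> Tuple[bool, bool]:
    """Search with the bind account, then bind as the found user (the usual
    search-then-bind flow). Returns (filter_matched, user_authenticated)."""
    import ldap3  # assumed installed: pip install ldap3
    server = ldap3.Server(server_uri, get_info=ldap3.NONE)
    with ldap3.Connection(server, user=bind_dn, password=bind_pw,
                          auto_bind=True) as conn:
        conn.search(base_dn, build_filter(username, extended_query=extended_query),
                    attributes=["distinguishedName"])
        if not conn.entries:
            return (False, False)  # user missing or not in the required group
        user_dn = conn.entries[0].entry_dn
    user_conn = ldap3.Connection(server, user=user_dn, password=password)
    authenticated = user_conn.bind()
    user_conn.unbind()
    return (True, authenticated)


if __name__ == "__main__":
    print(build_filter("user1", extended_query=EXTENDED_QUERY))
```

A (False, False) result with the extended query set but (True, ...) without it isolates the group filter as the cause, which is the distinction the diag_authentication.php test alone does not make.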
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.