Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to authenticate users over authentication server LDAP (upgrade 2.5.0)

    Scheduled Pinned Locked Moved OpenVPN
    18 Posts 4 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Marco Aurelio Costa
      last edited by

      Hi there,

      I've been set up an LDAP authentication server for remote user authentication (OpenVPN users). Everything worked fine on 2.4.4 and 2.4.5 versions.
      Once I upgrade to version 2.5.0, my authentications server does not work anymore. I was testing with LDAPS and LDAP (389) and fails too.

      I use LDAPS authentication against Microsoft AD (port 636). I was testing my LDAPS configuration with other tools (e.g. apache management studio) and works fine.

      Anyone with a similar issue, or could help me with this issue?

      Thanks!

      M viktor_gV 3 Replies Last reply Reply Quote 0
      • M
        marcio.oliveira @Marco Aurelio Costa
        last edited by

        @marco-aurelio-costa Did you fix it? I'm having the same problem?

        M 1 Reply Last reply Reply Quote 0
        • M
          marcio.oliveira @Marco Aurelio Costa
          last edited by

          @marco-aurelio-costa Hi, I fixed unchecked "Extended Query" on System > User Manager > Authentication Servers \0/

          1 Reply Last reply Reply Quote 2
          • viktor_gV
            viktor_g Netgate @Marco Aurelio Costa
            last edited by

            @marco-aurelio-costa You could try to apply Patch ID be444914b22fd4722c9df1e1139b6e2d7d1618b9

            see https://redmine.pfsense.org/issues/4521

            adamwA 1 Reply Last reply Reply Quote 1
            • adamwA
              adamw @viktor_g
              last edited by

              @viktor_g

              Having same LDAP authentication issue after upgrading from 2.4.5-p1 to 21.02.2:

              May  5 08:12:14 pfsense openvpn[78072]: user 'user1' could not authenticate.
              

              Unchecking "Extended Query" also does the trick for me in a sense of /diag_authentication.php test passing (which otherwise fails).

              Not a real solution though as in my "Extended Query" I require for a user to be a member of a specific group in order to use OpenVPN:

              memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk

              What's the bottom line of this? A bug? Missing functionality? Is it expected to start working in the next 21.x release?

              viktor_gV M 2 Replies Last reply Reply Quote 0
              • viktor_gV
                viktor_g Netgate @adamw
                last edited by

                @adamw Could you provide more info about your pfSense LDAP configuration and LDAP schema?

                It works fine for me with Windows AD / FreeIPA LDAP authentication.

                adamwA 1 Reply Last reply Reply Quote 0
                • M
                  Marco Aurelio Costa @marcio.oliveira
                  last edited by

                  @marcio-oliveira Many other issues have appeared when in the upgrade to the latest version. So, the quick solution was to downgrade to the latest stable version.

                  1 Reply Last reply Reply Quote 0
                  • M
                    marcio.oliveira @adamw
                    last edited by

                    @adamw Hi, I fixed unchecked "Extended Query" on System > User Manager > Authentication Servers \0/

                    adamwA 1 Reply Last reply Reply Quote 0
                    • adamwA
                      adamw @marcio.oliveira
                      last edited by

                      @marcio-oliveira

                      Not a good solution, I need to use my extended query.

                      M 1 Reply Last reply Reply Quote 0
                      • M
                        marcio.oliveira @adamw
                        last edited by

                        @adamw did you tried?I need to use my query too. When I disabled this option my query begin work.

                        adamwA 1 Reply Last reply Reply Quote 0
                        • adamwA
                          adamw @marcio.oliveira
                          last edited by

                          @marcio-oliveira
                          No, I haven't tried going live with it.

                          All I have verified is my LDAP authentication test (/diag_authentication.php) on a spare firewall started passing after unchecking "extended query".

                          Are you saying that even after unchecking the box my extended query (memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk) will still be applied and honoured?

                          M 1 Reply Last reply Reply Quote 0
                          • M
                            marcio.oliveira @adamw
                            last edited by

                            @adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):

                            No, I haven't tried going live with it.
                            All I have verified is my LDAP authentication test (/diag_authentication.php) on a spare firewall started passing after unchecking "extended query".
                            Are you saying that even after unchecking the box my extended query (memberOf=CN=vpnuser,CN=Users,DC=domain,DC=co,DC=uk) will still be applied and honoured?

                            Yes, I'm!

                            1 Reply Last reply Reply Quote 0
                            • adamwA
                              adamw @viktor_g
                              last edited by

                              @viktor_g

                              I've messaged you my settings in a chat.

                              They have clearly been some changes here between 2.4.5-p1 and 21.02.2 that are causing this.

                              New settings or defaults perhaps?

                              When I add an authentications server in 2.4.5-p1 and 21.02.2 side by side I can see the following additions:

                              • Shell Authentication Group DN
                              • Allow unauthenticated bind
                              adamwA viktor_gV 2 Replies Last reply Reply Quote 0
                              • adamwA
                                adamw @adamw
                                last edited by

                                Last night our old 2.4.5-p1 firewall send the following message (which I have never seen before):

                                Notifications in this message: 1
                                ================================
                                
                                3:01:00 The following CA/Certificate entries are expiring:
                                Certificate Authority: LDAP ca-certificates samba (5c87911d15f99): Expired 2010 days ago
                                Certificate: webConfigurator default (386d44fb99181): Expired 5796 days ago
                                

                                We have always used port 389 for LDAP authentication.

                                Did the firewall swap attempt that trigger it? Is this related to our issue?

                                viktor_gV 1 Reply Last reply Reply Quote 0
                                • viktor_gV
                                  viktor_g Netgate @adamw
                                  last edited by

                                  @adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):

                                  Last night our old 2.4.5-p1 firewall send the following message (which I have never seen before):

                                  Notifications in this message: 1
                                  ================================
                                  
                                  3:01:00 The following CA/Certificate entries are expiring:
                                  Certificate Authority: LDAP ca-certificates samba (5c87911d15f99): Expired 2010 days ago
                                  Certificate: webConfigurator default (386d44fb99181): Expired 5796 days ago
                                  

                                  We have always used port 389 for LDAP authentication.

                                  Did the firewall swap attempt that trigger it? Is this related to our issue?

                                  Is this a Netgate appliance?
                                  Please update to the latest pfSense version or apply patch from the https://redmine.pfsense.org/issues/11504

                                  adamwA 1 Reply Last reply Reply Quote 0
                                  • viktor_gV
                                    viktor_g Netgate @adamw
                                    last edited by

                                    @adamw said in Unable to authenticate users over authentication server LDAP (upgrade 2.5.0):

                                    @viktor_g

                                    I've messaged you my settings in a chat.

                                    I'll check it,
                                    but nothing special at first glance..

                                    They have clearly been some changes here between 2.4.5-p1 and 21.02.2 that are causing this.

                                    New settings or defaults perhaps?

                                    When I add an authentications server in 2.4.5-p1 and 21.02.2 side by side I can see the following additions:

                                    • Shell Authentication Group DN

                                    Related to "LDAP authentication for SSH users":
                                    https://redmine.pfsense.org/issues/8698

                                    • Allow unauthenticated bind

                                    MS AD issue(feature?)
                                    See https://redmine.pfsense.org/issues/9909

                                    1 Reply Last reply Reply Quote 0
                                    • adamwA
                                      adamw @viktor_g
                                      last edited by adamw

                                      @viktor_g

                                      Yes, we have 3 x Netgate SG-3100. TBH I didn't realise the CPU was 32 bit, not 64.

                                      I think I'll wait with an update as it doesn't cause any practical issues and only sends that alert. I was just wondering if it's directly related but seems like it's not.

                                      1 Reply Last reply Reply Quote 0
                                      • adamwA
                                        adamw
                                        last edited by adamw

                                        Still an issue in 22.01 (pfSense+). The same workaround applies i.e. turning off "Extended Query" in LDAP authentication.
                                        Still not ideal since it doesn't allow fine grain control over which AD users are allowed to use OpenVPN service.

                                        Has anybody come up with a better workaround?
                                        Would it make sense to use Client Specific Overrides option for access restriction?

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.