Netgate Discussion Forum

Authentication Server (LDAP) Missing Client Certificate Option

General pfSense Questions
15 Posts 2 Posters 1.2k Views
    stephenw10 Netgate Administrator
    last edited by Mar 15, 2022, 8:58 PM

    For logging into pfSense itself the authentication will fall back to the local database if the LDAP server is unreachable.

    For some types of login, like OpenVPN, you can select multiple authentication backends and it will try each in turn.

    Steve

      mrnb @stephenw10
      last edited by mrnb Mar 15, 2022, 9:20 PM Mar 15, 2022, 9:18 PM

      @stephenw10

      We have a HA Stack setup.

      I was able to successfully change the authentication server to LDAP and log in using LDAP credentials.

      However, after doing this, I was no longer able to log in to the secondary pfSense with LDAP or local credentials (which I expected).

      Then I went to the primary router and changed from LDAP to Local Database authentication, to see if switching back will resolve the issue, but I am still unable to log in to the secondary router.

      I am unable to log in to the secondary pfSense with any authentication mechanism now.

      Any idea what I did wrong and what I can do to fix this issue?

      P.S. I had been checking the settings on the secondary server frequently to compare to the primary server and it looked like the configuration was being transferred properly.

        stephenw10 Netgate Administrator
        last edited by Mar 15, 2022, 11:35 PM

        Was LDAP authentication working on the secondary before you enabled it for local login?

        You should still be able to log in as root/admin on the secondary. Been a while, but I'm pretty sure that's always local.

        Steve

          mrnb @stephenw10
          last edited by mrnb Mar 16, 2022, 2:14 PM Mar 16, 2022, 2:13 PM

          @stephenw10

          I did the LDAP Authentication test on both routers prior to switching and it was successful on both.

          At this time, both authentication mechanisms work on the primary router, but none work anymore on the secondary router. I assume when I switch the authentication mechanism on the primary, the secondary switches as well. Regardless of what I set on the primary, none of the mechanisms works on the secondary, even with the admin credential.

            stephenw10 Netgate Administrator
            last edited by Mar 16, 2022, 2:20 PM

            Hmm, it may have broken the sync user auth if that was not using admin.

            You should be able to revert that change at the console on the secondary.

            Steve

              mrnb @stephenw10
              last edited by Mar 16, 2022, 2:35 PM

              @stephenw10

              Sorry about my constant questioning, but are you suggesting to choose option 3) Reset webConfigurator password?

              Will that also reset the authentication server to local database?

                mrnb @stephenw10
                last edited by mrnb Mar 16, 2022, 3:07 PM Mar 16, 2022, 3:05 PM

                @stephenw10
                Reset webConfigurator password did not work. I am still unable to log in.

                However, restarting webConfigurator after the reset did work.

                Okay thanks, now I know how to recover from this issue. I'll see what I can do about getting this to work.

                  mrnb @mrnb
                  last edited by mrnb Mar 16, 2022, 3:15 PM Mar 16, 2022, 3:14 PM

                  @mrnb

                  I don't know what happened before, but I think something goes wrong when changing the Authentication server from the primary and allowing the configuration to sync.

                  I enabled LDAP authentication on the secondary FIRST, and tested it, then on the primary SECOND, and tested it and now both work just fine.

                    stephenw10 Netgate Administrator
                    last edited by Mar 16, 2022, 3:17 PM

                    Well, I was actually suggesting using option 15 to roll back the last changes, but knowing it can be fixed by restarting the web service is a better result!
                    If you see it again you might also try restarting PHP, since the LDAP config is highly dependent on that. It's recommended to restart PHP after making changes to LDAP to remove any cached values, for example.

                    Steve

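Added example, not from the thread and not Netgate's own code: a small POSIX shell helper for the locked-out node's console shell (option 8) that shows which authentication server the webGUI is set to use and which LDAP servers config.xml defines, and that performs the recovery worked out above from the shell rather than through the menu (reset the password with console option 3 first, then restart PHP-FPM and the webConfigurator). The config.xml fragment is constructed and simplified for offline testing; the tag paths system/webgui/authmode and system/authserver, and the rc script paths /etc/rc.php-fpm_restart and /etc/rc.restart_webgui, are assumptions about the pfSense layout, so check them against the node you are on. The point of showing the LDAP server list first is the one from the thread: confirm the secondary can reach and authenticate against the same LDAP server before the synced change lands on it.

```shell
#!/bin/sh
# Added example, not from the thread or from Netgate. Run from the pfSense
# shell (console option 8) on the node that locked you out.
# Assumptions: config.xml at /conf/config.xml, the webGUI auth server stored
# as system/webgui/authmode, LDAP servers as system/authserver blocks, and
# the rc scripts /etc/rc.php-fpm_restart and /etc/rc.restart_webgui present.

CONFIG="${CONFIG:-/conf/config.xml}"

# Name of the auth server the webGUI uses. The tag is absent for the default,
# which is the local user database.
webgui_authmode() {
    mode=$(sed -n 's/.*<authmode>\([^<]*\)<\/authmode>.*/\1/p' "$1" | head -n 1)
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'Local Database\n'; fi
}

# One "name host" line per LDAP auth server block in config.xml.
ldap_servers() {
    awk '
        /<authserver>/    { inblk = 1; name = ""; type = ""; host = "" }
        inblk && /<name>/ { n = $0; sub(/.*<name>/, "", n); sub(/<\/name>.*/, "", n); name = n }
        inblk && /<type>/ { t = $0; sub(/.*<type>/, "", t); sub(/<\/type>.*/, "", t); type = t }
        inblk && /<host>/ { h = $0; sub(/.*<host>/, "", h); sub(/<\/host>.*/, "", h); host = h }
        /<\/authserver>/  { if (type == "ldap") print name " " host; inblk = 0 }
    ' "$1"
}

# Recovery from the thread: after resetting the admin password (console
# option 3), restart PHP-FPM (console option 16, drops cached auth config)
# and then the webConfigurator (console option 11).
recover_webgui() {
    for rc in /etc/rc.php-fpm_restart /etc/rc.restart_webgui; do
        if [ -x "$rc" ]; then "$rc"; else echo "skip: $rc not found" >&2; fi
    done
}

# Constructed, simplified config.xml fragment for offline testing; not a real export.
sample_config() {
    cat <<'EOF'
<pfsense>
  <system>
    <authserver>
      <refid>000000000000a</refid>
      <type>ldap</type>
      <name>corp-ldap</name>
      <host>ldap.example.internal</host>
    </authserver>
    <webgui>
      <protocol>https</protocol>
      <authmode>corp-ldap</authmode>
    </webgui>
  </system>
</pfsense>
EOF
}

case "${1:-}" in
    --show)    echo "webGUI auth: $(webgui_authmode "$CONFIG")"; ldap_servers "$CONFIG" ;;
    --recover) recover_webgui ;;
esac
```

Usage on the node: `sh auth-recover.sh --show` to see what the synced config actually set, then `sh auth-recover.sh --recover` after console option 3. Running `--show` on the secondary before you change the primary tells you whether the LDAP server the sync will point the webGUI at is even defined there yet.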
                      mrnb @stephenw10
                      last edited by mrnb Mar 16, 2022, 3:21 PM Mar 16, 2022, 3:20 PM

                      @stephenw10

                      Ahh, I see, good to know, thanks!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.