LDAP (MS AD) error- Could not connect to server.
-
Hi,
Pfsense v2.6
I seem to be having a basic connection issue when attempting to configure an LDAP server, but for the life of me I cannot figure out what it might be.
The LDAP server is a Microsoft Domain Controller, which is routable from the pfsense box, both using its direct IP address and DNS FQDN (tested using a simple ping, "Diagnostics --> Ping"). However, when I configure the LDAP server via "System --> User Manager --> Authentication Servers", even using the most basic TCP connection, pfsense will simply not connect to the DC. Running a PCAP on the LAN interface shows that no connection is attempted, so I end up with an error in the logs:
/system_authservers.php: ERROR! Could not connect to server.
When configuring the LDAP server, clicking the "Select a container" button results in a message at the bottom of the page:
Could not connect to the LDAP server. Please check the LDAP configuration.
However, as mentioned, according to the PCAP taken on the LAN interface, no connection attempt was even made.
Cheers
-
Something interesting. Running ldapsearch from the command line results in an error with mismatched library files:
ldapsearch -H ldap://dc.mydomain.local:389 -D "CN=LDAP User,CN=Users,DC=mydomain,DC=local" -w "xxxx" -b "OU=Users,OU=MyBusiness,DC=mydomain,DC=local" "(sAMAccountName=me)"
ldap_int_sasl_init: SASL library version mismatch: expected 2.1.28, got 2.1.27
ldapsearch: ldap_get_option(API_INFO) failed
I am not entirely sure how to resolve this.
-
Hmm, 2.1.28 is the pfSense 2.7 (dev) version of that lib.
Make sure your update branch is set to latest stable.
Try running at the command line:
pkg info cyrus-sasl
That should show you what you have currently.
Steve
-
@stephenw10 said in LDAP (MS AD) error- Could not connect to server.:
Hmm, 2.1.28 is the pfSense 2.7 (dev) version of that lib.
Make sure your update branch is set to latest stable.
Try running at the command line:
pkg info cyrus-sasl
That should show you what you have currently.
Steve
OK, that makes some sense. I believe I upgraded to the dev branch to see if there was a change in another issue, then immediately downgraded back to the stable branch. I guess this package was downgraded, however, a reference was left unaltered?
The result of that package info is:
cyrus-sasl-2.1.27_2
Name           : cyrus-sasl
Version        : 2.1.27_2
Installed on   : Wed Feb 16 20:47:45 2022 GMT
Origin         : security/cyrus-sasl2
Architecture   : FreeBSD:12:amd64
Prefix         : /usr/local
Categories     : security
Licenses       : BSD4CLAUSE
Maintainer     : ume@FreeBSD.org
WWW            : https://www.cyrusimap.org/sasl/
Comment        : RFC 2222 SASL (Simple Authentication and Security Layer)
Options        :
    ALWAYSTRUE     : off
    ANONYMOUS      : on
    AUTHDAEMOND    : on
    BDB            : off
    BDB1           : on
    CRAM           : on
    DIGEST         : on
    DOCS           : off
    GDBM           : off
    KEEP_DB_OPEN   : off
    LMDB           : off
    LOGIN          : on
    NTLM           : on
    OBSOLETE_CRAM_ATTR: on
    OBSOLETE_DIGEST_ATTR: on
    OTP            : on
    PLAIN          : on
    SCRAM          : on
Shared Libs provided:
    libscram.so.3
    libsasldb.so.3
    libsasl2.so.3
    libplain.so.3
    libotp.so.3
    libntlm.so.3
    liblogin.so.3
    libdigestmd5.so.3
    libcrammd5.so.3
    libanonymous.so.3
Annotations    :
    FreeBSD_version: 1203500
    build_timestamp: 2022-01-12T15:23:42+0000
    built_by       : poudriere-git-3.3.99.20211130
    cpe            : cpe:2.3:a:cmu:cyrus-sasl:2.1.27:::::freebsd12:x64:2
    port_checkout_unclean: no
    port_git_hash  : 17b54ce76328
    ports_top_checkout_unclean: yes
    ports_top_git_hash: 7046b65c0d41
    repo_type      : binary
    repository     : pfSense
Flat size      : 1.29MiB
Description    :
The Cyrus SASL (Simple Authentication and Security Layer)

SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols. To use SASL, a
protocol includes a command for identifying and authenticating a user to a
server and for optionally negotiating protection of subsequent protocol
interactions. If its use is negotiated, a security layer is inserted between
the protocol and the connection.

WWW: https://www.cyrusimap.org/sasl/
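As an added example (not code from this thread, from pfSense or from Netgate), the following Python script automates the check the two posts above carry out by hand: it parses the ldapsearch error for the "expected X, got Y" SASL versions, parses the `pkg info cyrus-sasl` output for the installed package version and its repository annotation, and reports whether the loaded libsasl2 is the packaged one and whether the LDAP client was built against a newer branch than that package. The sample inputs are trimmed copies of the outputs posted in this thread; the verdict labels and the rule that "got" equal to the package version means the client, not the library, is from the wrong branch are my own assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample inputs, trimmed from the outputs posted in this thread.
LDAPSEARCH_STDERR = """\
ldap_int_sasl_init: SASL library version mismatch: expected 2.1.28, got 2.1.27
ldapsearch: ldap_get_option(API_INFO) failed
"""

PKG_INFO = """\
cyrus-sasl-2.1.27_2
Name           : cyrus-sasl
Version        : 2.1.27_2
Origin         : security/cyrus-sasl2
Architecture   : FreeBSD:12:amd64
Options        :
    NTLM           : on
    PLAIN          : on
Shared Libs provided:
    libsasl2.so.3
Annotations    :
    FreeBSD_version: 1203500
    repository     : pfSense
Flat size      : 1.29MiB
Description    :
The Cyrus SASL (Simple Authentication and Security Layer)

WWW: https://www.cyrusimap.org/sasl/
"""

SASL_MISMATCH_RE = re.compile(
    r"SASL library version mismatch: expected (\S+), got (\S+)"
)


def parse_sasl_mismatch(stderr: str) -> Optional[Tuple[str, str]]:
    """Return (expected, got) from libldap's SASL mismatch message, or None."""
    m = SASL_MISMATCH_RE.search(stderr)
    return (m.group(1), m.group(2)) if m else None


def parse_pkg_info(text: str) -> Dict[str, str]:
    """Flatten `pkg info <pkg>` output into a dict.

    Top-level "Key : value" lines become keys; indented lines under a
    header with an empty value (Options, Annotations) become "Header.Key".
    Lines without a colon (the leading package name, shared-library names,
    description prose) are skipped.
    """
    fields: Dict[str, str] = {}
    section: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if indented:
            if section:
                fields[f"{section}.{key}"] = val
        else:
            fields[key] = val
            section = key if val == "" else None
    return fields


def base_version(pkg_version: str) -> str:
    """Strip the FreeBSD port revision/epoch ("2.1.27_2,1" -> "2.1.27")."""
    return pkg_version.split("_", 1)[0].split(",", 1)[0]


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def diagnose(ldapsearch_stderr: str, pkg_info_text: str) -> Dict[str, object]:
    """Compare the SASL versions ldapsearch reports with the installed package."""
    info = parse_pkg_info(pkg_info_text)
    installed = base_version(info.get("Version", "0"))
    report: Dict[str, object] = {
        "installed_pkg": installed,
        "repository": info.get("Annotations.repository", "unknown"),
        "mismatch": parse_sasl_mismatch(ldapsearch_stderr),
    }
    mismatch = report["mismatch"]
    if mismatch is None:
        report["verdict"] = "no-mismatch-reported"
        return report
    expected, got = mismatch  # type: ignore[misc]
    if version_tuple(got) != version_tuple(installed):
        # The libsasl2 actually loaded is not the one the package manager installed.
        report["verdict"] = "stray-sasl-library"
    elif version_tuple(expected) > version_tuple(installed):
        # The loaded libsasl2 matches the package, so the caller (ldapsearch /
        # libldap) was built on a newer branch than the cyrus-sasl package.
        report["verdict"] = "client-newer-than-sasl-pkg"
    else:
        report["verdict"] = "client-older-than-sasl-pkg"
    return report


if __name__ == "__main__":
    print(diagnose(LDAPSEARCH_STDERR, PKG_INFO))
```

On a real box the two inputs would come from `ldapsearch ... 2>&1` and `pkg info cyrus-sasl`; with the thread's values the verdict is "client-newer-than-sasl-pkg", which matches the explanation that a 2.7 (dev) build of the LDAP client is still present on a 2.6 system.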
-
-
Hmm, how did you downgrade? That's not something you can normally do. Especially between 2.7 and 2.6 because of the FreeBSD base change.
Something on your system has pulled in a newer version. At this point it's hard to say what might be broken. Is this a firewall you can reinstall clean and restore the config to? I would do that if you can to be sure it's cleanly on 2.6.
Steve
-
@stephenw10 - I simply switched the branch from dev back to stable :)
-
TBH, I don't mind running on a dev branch. I have only had one major problem previously with pfsense, although that was some time ago.
-
Bear in mind that CE snapshots built on FreeBSD 14 were only made public yesterday. There are known issues there currently and no doubt unknown issues too. I would not recommend anyone use the dev branch for anything but testing for a while yet.
Steve
-
@stephenw10 no worries. As far as I'm concerned, there is nothing to lose here. If I am going to re-flash the pfSense box with 2.6, then I thought I might as well attempt the update to 2.7.x first and test what's there. This is only a small private network and software/network support is my thing, so no loss either way.
FWIW, the upgrade to 2.7 was not super smooth. The update was effective but during the initial reboot, the system did not come back online automatically. After powering down the box and rebooting, the system came up as expected. Whilst this is outside the scope of this thread, if there are any logs or feedback I can provide, please let me know.
On the plus side, the LDAP connection is now functional again :).
-
Hmm, interesting. The upgrade log is retained in /conf. It may show something, though if it was at the reboot it may not have been logging at that point.
Steve
-
@stephenw10 said in LDAP (MS AD) error- Could not connect to server.:
/conf
FYI, I have included the upgrade_log.latest.txt file below. FWIW, upgrade_log.txt was updated just now when I logged in (I guess due to the auto-refresh on the dashboard), which contained only:
>>> Updating repositories metadata... done.
Your system is up to date
The upgrade_log.latest.txt file contains several Warnings, mainly relating to array manipulations within Command.php and Role.php, followed by a failure notification:
XML Extension not found
pkg-static: POST-INSTALL script failed
At the very end of the log file, some fatal errors have been logged, although this seems to relate to the Squid package.
Fatal error: Array and string offset access syntax with curly braces is no longer supported in /usr/local/pkg/squid.inc on line 852
PHP ERROR: Type: 64, File: /usr/local/pkg/squid.inc, Line: 852, Message: Array and string offset access syntax with curly braces is no longer supported
pkg-static: DEINSTALL script failed
pkg-static: Fail to kill all processes:No such process
-
Ah, yes the Squid package has probably not yet been adapted to php 8.1. I would expect it to throw errors like that until it's updated.