Cannot Log in with LDAP even though LDAP Connection Works
-
We have set up an LDAP connection and have been using it for pfSense GUI access/admin tasks for several months. As of a couple of days ago, we get an "Incorrect Username or Password" error when using our LDAP account credentials to log in to the GUI. We have checked our usernames/passwords, group names, etc. on other systems connected to LDAP and they are correct. We have checked the Authentication Server settings and nothing has changed there. We checked the pfSense to LDAP connection using the Diagnostics > Authentication page, and that works (it even immediately picks up group changes made in LDAP).
We are still unable to log in to the GUI using our LDAP accounts. We have upgraded, rebooted, and restarted the Web Configurator. Still not working.
-
@ogijaoh what do the LDAP logs show?
-
@michmoor Here's what we've seen in the logs:
System Logs > Authentication
When we turn on debug logs on the Diagnostics > Authentication page and test the LDAP connection we see the following:
2023-06-01 17:47:13.066759+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Logged in successfully as user.name via LDAP server idmsvr server with DN...
2023-06-01 17:47:13.060694+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Now searching in server idmsvr server, container cn=...
2023-06-01 17:47:13.060225+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Now Searching for user.name in directory.
2023-06-01 17:47:13.051403+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: LDAP connection error flag: false
2023-06-01 17:47:13.051041+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Group Filter:
2023-06-01 17:47:13.050999+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Filter: (uid=user.name)
2023-06-01 17:47:13.050908+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Attrs: Name: ... / Group: ...
2023-06-01 17:47:13.050870+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Container: cn=...
2023-06-01 17:47:13.050830+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Auth Bind DN: uid=...
2023-06-01 17:47:13.050781+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Scope: subtree
2023-06-01 17:47:13.050742+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Base DN: dc=...
2023-06-01 17:47:13.050692+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: URI: ldap://...
2023-06-01 17:47:13.050483+00:00 php-fpm 1896 /diag_authentication.php: LDAP Debug: Attempting to authenticate ... on ... server
So things look good for the test. Then when we attempt to log in to pfSense with the same user.name and password we get the following log:
2023-06-01 17:54:14.800680+00:00 php-fpm 1897 /index.php: webConfigurator authentication error for user 'user.name' from: ...
If you have suggestions of other logs to check, we can do that.
-
@ogijaoh So the last message at the top shows you have a successful auth attempt, so that's good.
In order for the pfSense GUI to log you in, the user has to be a member of a group and that group must also exist in the GUI - group matching is done.
So for example, I created a group within LDAP called "firewall_admins".
I then created a group on the pfSense GUI called "firewall_admins".
When I test my Auth servers it shows I am a member of that group. See below. Are you getting that as well? -
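As an added example (not code from this thread and not pfSense's own implementation), the authorization step described above can be modelled in a few lines of Python: the LDAP bind is authentication, and the GUI login additionally needs at least one of the user's LDAP groups to match a group defined on pfSense that carries a WebCfg page privilege. The match semantics in the model are assumptions, stated as such in the comments: exact, case-sensitive name comparison, the pfSense group having scope "remote", and privilege names of the form "page-..." (such as "page-all"). The group names and privileges are constructed test data; `near_misses` is a hypothetical helper for spotting names that look identical in the GUI but do not compare equal.

```python
from dataclasses import dataclass, field

@dataclass
class PfGroup:
    """A group as defined on the pfSense side (constructed model, not pfSense's data structure)."""
    name: str
    scope: str                          # "local" or "remote"
    privileges: set = field(default_factory=set)

def matching_groups(ldap_groups, pf_groups):
    """Groups that match by exact name. Assumption: only 'remote' scope groups
    take part in matching against an LDAP server, and the comparison is case-sensitive."""
    by_name = {g.name: g for g in pf_groups if g.scope == "remote"}
    return [by_name[n] for n in ldap_groups if n in by_name]

def effective_privileges(ldap_groups, pf_groups):
    """Union of the privileges of every matching pfSense group."""
    privs = set()
    for g in matching_groups(ldap_groups, pf_groups):
        privs |= set(g.privileges)
    return privs

def gui_login(bind_ok, ldap_groups, pf_groups):
    """Two separate gates: the bind (authentication) and the group/privilege
    check (authorization). A failure at either gate is reported to the user as a
    login failure, so a successful Diagnostics test does not prove the second gate passes.
    Returns (allowed, reason)."""
    if not bind_ok:
        return False, "authentication failed (bad username or password)"
    privs = effective_privileges(ldap_groups, pf_groups)
    # Assumption: WebCfg page privileges are named "page-..." ("page-all" for all pages).
    if not any(p.startswith("page-") for p in privs):
        return False, "authenticated, but no matching group grants a WebCfg page privilege"
    return True, "ok"

def near_misses(ldap_groups, pf_groups):
    """Hypothetical diagnostic: report pfSense groups whose names equal an LDAP
    group only after case-folding/stripping whitespace, or that have the wrong scope."""
    hints = []
    for ln in ldap_groups:
        for g in pf_groups:
            if g.name == ln and g.scope == "remote":
                continue                                    # a real match, nothing to report
            if g.name.strip().casefold() == ln.strip().casefold():
                if g.name != ln:
                    hints.append(f"LDAP {ln!r} vs pfSense {g.name!r}: names differ in case/whitespace")
                if g.scope != "remote":
                    hints.append(f"pfSense group {g.name!r} has scope {g.scope!r}, not 'remote'")
    return hints

if __name__ == "__main__":
    # Constructed data mirroring the example in the thread.
    pf = [PfGroup("firewall_admins", "remote", {"page-all"})]
    print(gui_login(True, ["firewall_admins"], pf))        # bind ok, group matches
    print(gui_login(True, ["Firewall_Admins"], pf))        # bind ok, name differs in case
    print(near_misses(["Firewall_Admins"], pf))
    print(gui_login(True, ["firewall_admins"],
                    [PfGroup("firewall_admins", "local", {"page-all"})]))  # wrong scope
```

The point of the model is the second gate: the Diagnostics > Authentication test exercises the bind and the group lookup, but the GUI login also needs the returned group names to line up exactly with a pfSense group that has a page privilege, so a GUI failure with a passing test should be investigated on the pfSense group side rather than the credentials.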
@michmoor Yes, we see what you are seeing (but with our group names). We also added and removed groups in LDAP and saw those changes reflected immediately in the Diagnostics > Authentication page you show.
We have been successfully logging in with our LDAP accounts for months, and it just quit working one day. We checked the group names in pfSense to make sure they still match the group names on the LDAP server.
Nothing seems to work. Maybe we need to delete / recreate the group on the pfSense side, just to make sure it is processing correctly? But that seems like blindly changing things for no reason until it works, so we don't want to do that.