Netgate Discussion Forum

Cannot Log in with LDAP even though LDAP Connection Works

General pfSense Questions
7 Posts 3 Posters 1.3k Views
  • O
    ogijaoh
    last edited by Jun 1, 2023, 6:15 PM

    We have set up an LDAP connection and have been using it for pfSense GUI access/admin tasks for several months. As of a couple of days ago, we get an "Incorrect Username or Password" error when using our LDAP account credentials to log in to the GUI. We have checked our usernames/passwords, group names, etc. on other systems connected to LDAP and they are correct. We have checked the Authentication Server settings and nothing has changed there. We checked the pfSense to LDAP connection using the Diagnostics > Authentication page, and that works (it even immediately picks up group changes made in LDAP).

    We are still unable to log in to the GUI using our LDAP accounts. We have upgraded, rebooted, and restarted the Web Configurator. Still not working.

    • M
      michmoor LAYER 8 Rebel Alliance @ogijaoh
      last edited by Jun 1, 2023, 6:41 PM

      @ogijaoh what do the LDAP logs show?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • O
        ogijaoh @michmoor
        last edited by Jun 1, 2023, 7:41 PM

        @michmoor Here's what we've seen in the logs:

        System Logs > Authentication
        When we turn on debug logs on the Diagnostics > Authentication and test the LDAP connection we see the following:

        2023-06-01 17:47:13.066759+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Logged in successfully as user.name via LDAP server idmsvr server with DN...
        2023-06-01 17:47:13.060694+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Now searching in server idmsvr server, container cn=...
        2023-06-01 17:47:13.060225+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Now Searching for user.name in directory.
        2023-06-01 17:47:13.051403+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: LDAP connection error flag: false
        2023-06-01 17:47:13.051041+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Group Filter:
        2023-06-01 17:47:13.050999+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Filter: (uid=user.name)
        2023-06-01 17:47:13.050908+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Attrs: Name: ... / Group: ...
        2023-06-01 17:47:13.050870+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Container: cn=...
        2023-06-01 17:47:13.050830+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Auth Bind DN: uid=...
        2023-06-01 17:47:13.050781+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Scope: subtree
        2023-06-01 17:47:13.050742+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Base DN: dc=...
        2023-06-01 17:47:13.050692+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: URI: ldap://...
        2023-06-01 17:47:13.050483+00:00	php-fpm	1896	/diag_authentication.php: LDAP Debug: Attempting to authenticate ... on ... server
        

        So things look good for the test. Then when we attempt to log in to the pfSense with the same user.name and password we get the following log:

        2023-06-01 17:54:14.800680+00:00	php-fpm	1897	/index.php: webConfigurator authentication error for user 'user.name' from: ...
        

        If you have suggestions of other logs to check, we can do that.

        • M
          michmoor LAYER 8 Rebel Alliance @ogijaoh
          last edited by Jun 1, 2023, 7:58 PM

          @ogijaoh So the last message at the top shows you have a successful auth attempt, so that's good.
          In order for the pfSense GUI to log you in, the user has to be a member of a group and that group must also exist in the GUI - group matching is done.
          So for example, I created a group within LDAP called "firewall_admins".
          I then created a group on the pfSense GUI called "firewall_admins".
          When I test my Auth servers it shows I am a member of that group. See below. Are you getting that as well?

          [screenshot: Diagnostics > Authentication test result showing the user's group membership]

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

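An added example, not pfSense code and not from either poster: a small Python triage script that turns the two observations above into a check. It parses the tab-separated authentication log lines quoted earlier in the thread (both the `LDAP Debug:` sequence from Diagnostics > Authentication and the `webConfigurator authentication error` line from the real login) and then applies the group-matching rule michmoor describes, so the "bind works in Diagnostics but the GUI rejects the login" case is classified explicitly. The sample log, client address, DNs and group names are constructed, and the verdict strings are this script's own, not pfSense messages.

```python
"""Triage helper for pfSense authentication log lines (added example, not pfSense code).

1. parse_auth_log() reads 'LDAP Debug:' lines and the webConfigurator error line;
2. matching_groups()/diagnose() apply the rule from the thread: the groups the
   directory returns for the user must match, by exact name, a group defined in
   pfSense, otherwise the GUI denies the login even though the bind succeeded.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the lines posted above (newest first, tab-separated).
SAMPLE_LOG = """\
2023-06-01 17:54:14.800680+00:00\tphp-fpm\t1897\t/index.php: webConfigurator authentication error for user 'user.name' from: 10.0.0.5
2023-06-01 17:47:13.066759+00:00\tphp-fpm\t1896\t/diag_authentication.php: LDAP Debug: Logged in successfully as user.name via LDAP server idmsvr server with DN uid=user.name,cn=users,dc=example,dc=test
2023-06-01 17:47:13.060694+00:00\tphp-fpm\t1896\t/diag_authentication.php: LDAP Debug: Now searching in server idmsvr server, container cn=users,dc=example,dc=test
2023-06-01 17:47:13.060225+00:00\tphp-fpm\t1896\t/diag_authentication.php: LDAP Debug: Now Searching for user.name in directory.
2023-06-01 17:47:13.051403+00:00\tphp-fpm\t1896\t/diag_authentication.php: LDAP Debug: LDAP connection error flag: false
2023-06-01 17:47:13.050999+00:00\tphp-fpm\t1896\t/diag_authentication.php: LDAP Debug: Filter: (uid=user.name)
"""

# timestamp <TAB> process <TAB> pid <TAB> /source.php: message
LINE_RE = re.compile(r"^(?P<ts>[^\t]+)\t(?P<proc>[^\t]+)\t(?P<pid>\d+)\t(?P<src>/\S+): (?P<msg>.*)$")
GUI_ERROR_RE = re.compile(r"webConfigurator authentication error for user '([^']+)'")


@dataclass
class AuthTrace:
    debug_steps: list = field(default_factory=list)   # LDAP Debug messages, oldest first
    gui_failures: list = field(default_factory=list)  # usernames rejected by the webConfigurator
    connection_error: bool = False                     # "LDAP connection error flag: true" seen


def parse_auth_log(text: str) -> AuthTrace:
    """Parse tab-separated pfSense auth log lines into an AuthTrace."""
    trace = AuthTrace()
    records = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    # The GUI lists newest first; sort oldest-first so the flow reads in order.
    for rec in sorted(records, key=lambda r: r["ts"]):
        msg = rec["msg"]
        if msg.startswith("LDAP Debug: "):
            step = msg[len("LDAP Debug: "):]
            trace.debug_steps.append(step)
            if step.startswith("LDAP connection error flag:") and step.endswith("true"):
                trace.connection_error = True
        else:
            m = GUI_ERROR_RE.match(msg)
            if m:
                trace.gui_failures.append(m.group(1))
    return trace


def bind_succeeded(trace: AuthTrace) -> bool:
    """True when the debug trace reached the 'Logged in successfully' step."""
    return any(s.startswith("Logged in successfully as") for s in trace.debug_steps)


def matching_groups(ldap_groups, pfsense_groups):
    """Group matching as described in the thread: names must agree exactly."""
    return sorted(set(ldap_groups) & set(pfsense_groups))


def diagnose(trace: AuthTrace, ldap_groups, pfsense_groups) -> str:
    """Return a one-word verdict on where a GUI login with this trace would fail."""
    if trace.connection_error:
        return "ldap-connection-error"
    if not bind_succeeded(trace):
        return "bind-failed"
    if not matching_groups(ldap_groups, pfsense_groups):
        return "no-matching-group"
    if trace.gui_failures:
        return "bind-ok-and-group-matches-but-gui-rejected"
    return "ok"


if __name__ == "__main__":
    t = parse_auth_log(SAMPLE_LOG)
    print(diagnose(t, ["firewall_admins"], ["admins"]))           # no-matching-group
    print(diagnose(t, ["firewall_admins"], ["firewall_admins"]))  # bind-ok-and-group-matches-but-gui-rejected
```

The last verdict is the situation in this thread: the bind and the group match both look right, yet the real login still fails, which points past LDAP itself (user-manager settings, caching, or the GUI session) rather than at the directory.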
          • O
            ogijaoh @michmoor
            last edited by Jun 1, 2023, 8:05 PM

            @michmoor Yes, we see what you are seeing (but with our group names). We also added and removed groups in LDAP and saw those changes reflected immediately in the Diagnostics > Authentication page you show.

            We have been successfully logging in with our LDAP accounts for months, and it just quit working one day. We checked group names in the pfSense to make sure they were still matching the group names in the LDAP server.

            Nothing seems to work. Maybe we need to delete / recreate the group on the pfSense side, just to make sure it is processing correctly? But that seems like blindly changing things for no reason until it works, so we don't want to do that.

            • B
              BetoCeni @ogijaoh
              last edited by Mar 24, 2025, 1:08 PM

              @ogijaoh I had a similar problem. This happened after forcefully changing my AD FSMO roles from a dead PDC to a secondary DC.

              I could log in using Diagnostics>Authentication, but not on the actual login page; it would always say "Wrong Username or Password".

              After a lot of digging and AI usage, I also found no help.

              After fiddling with the settings, one day I tried the System>User Manager>Settings>Auth Refresh Time. So I inserted 30 seconds into the cache time, clicked save and test, got green messages everywhere. Went back to the login screen and logged in successfully. Apparently an error related to cache was my problem, I hope it is your problem as well. Good Luck!

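As an added illustration (not pfSense code and not BetoCeni's), the following Python models the general mechanism behind a "cache authentication results for N seconds" setting such as the Auth Refresh Time mentioned above: a verdict cached before the directory was repaired keeps being served until it expires, so lowering the refresh time and saving can be what finally forces a fresh query. The thread does not establish that this is what happened on either poster's firewall; the clock is injected for determinism, the password and group names are constructed, and the assumption that saving a new refresh time empties the cache is this example's own.

```python
"""Authentication-result cache with a refresh time (added illustration, not pfSense code)."""
import hashlib
from dataclasses import dataclass


@dataclass
class CachedVerdict:
    allowed: bool
    groups: tuple
    expires_at: float


class AuthCache:
    def __init__(self, refresh_seconds: float, clock):
        self.refresh_seconds = refresh_seconds
        self.clock = clock      # callable returning seconds; injected so tests are deterministic
        self._entries = {}      # (username, credential digest) -> CachedVerdict

    @staticmethod
    def _key(username: str, password: str):
        # Key on a digest of the credential as well, so a cached "allowed" is never
        # handed to a request that presented a different password.
        digest = hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()
        return (username, digest)

    def set_refresh_seconds(self, seconds: float) -> None:
        """Assumption for this example: saving a new refresh time empties the cache."""
        self.refresh_seconds = seconds
        self._entries.clear()

    def authenticate(self, username: str, password: str, backend):
        """Return (allowed, groups); ask the backend only when no fresh verdict is cached."""
        now = self.clock()
        key = self._key(username, password)
        entry = self._entries.get(key)
        if entry is not None and now < entry.expires_at:
            return entry.allowed, list(entry.groups)
        allowed, groups = backend(username, password)
        self._entries[key] = CachedVerdict(allowed, tuple(groups), now + self.refresh_seconds)
        return allowed, list(groups)


def run_scenario():
    """Constructed scenario: the directory briefly answers with no groups, is then
    repaired, and the cached denial outlives the repair until the cache is reset
    or the entry expires."""
    now = [0.0]
    directory_groups = {"user.name": []}   # constructed: transient bad answer from the directory
    backend_calls = []

    def backend(username, password):
        backend_calls.append(username)
        groups = directory_groups.get(username, [])
        # A login needs both a correct credential and at least one group (see group matching above).
        return (password == "constructed-password" and bool(groups)), groups

    cache = AuthCache(refresh_seconds=3600, clock=lambda: now[0])
    first = cache.authenticate("user.name", "constructed-password", backend)   # denied and cached
    directory_groups["user.name"] = ["firewall_admins"]                      # directory repaired
    now[0] = 60.0
    second = cache.authenticate("user.name", "constructed-password", backend)  # still denied: served from cache
    cache.set_refresh_seconds(30)                                              # operator saves a new refresh time
    third = cache.authenticate("user.name", "constructed-password", backend)   # re-queried: allowed
    now[0] = 100.0                                                             # 40 s later the 30 s entry has expired
    fourth = cache.authenticate("user.name", "constructed-password", backend)  # re-queried again
    return first[0], second[0], third[0], fourth[0], len(backend_calls)


if __name__ == "__main__":
    print(run_scenario())   # (False, False, True, True, 3)
```

The point of keying the cache on a credential digest, not just the username, is that a shorter refresh time is a freshness knob and not a security control: the cache must never let a cached success answer for a different password.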
              • O
                ogijaoh
                last edited by Mar 29, 2025, 9:50 PM

                Thanks for the contributions, all. We ended up switching between authentication settings (from LDAP to local) and then back (from local to LDAP), and that seemed to fix the problem.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.