Active Directory LDAP Unable to Authenticate
-
I'm having a really hard time getting LDAP working with Active Directory. For testing purposes I have set the following registry keys on the LDAP server
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters --> LDAPServerIntegrity = 0
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters --> ldapenforcechannelbinding =0It looks like these settings took effect as I’m getting all kinds of warning in the even log about LDAP being unsecure. I’m going for the simplest setup just as a proof of concept.
On pfSense I have LDAP setup as follows:
I have tried to follow the template here: https://docs.netgate.com/pfsense/en/latest/recipes/external-authentication.html
Descriptive Name: Company AD Type: LDAP Hostname or IP Address 172.22.1.1 Port: 389 Transport: TCP - Standard Protocol Version: 3 Search Scope: Entire Subtree DC=lan,DC=company,DC=com Authentication Containers CN=Users,DC=lan,DC=company,DC=com Extended Query: memberOf=CN=VPNUsers,CN=Users,DC=lan,DC=company,DC=com Bind anonymous: [ ] Use anonymous binds to resolve distinguished names Group Naming Attribute: cn Group Member Attribute: memberOfThe pfsense log shows:
Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: ERROR! Could not bind to LDAP server company AD. Please check the bind credentials. Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: LDAP connection error flag: false Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Group Filter: Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Filter: (&(samaccountname=testuser)(memberOf=CN=VPNUsers,CN=Builtin,DC=lan,DC=company,DC=com)) Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Extended Query: memberOf=CN=VPNUsers,CN=Builtin,DC=lan,DC=company,DC=com Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Attrs: Name: samaccountname / Group: memberOf Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Container: CN=Users,DC=lan,DC=company,DC=com Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Auth Bind DN: admin Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Scope: subtree Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Base DN: OU=Users,DC=lan,DC=company,DC=com Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: URI: ldap://server.lan.company.com:389 (v3) Sep 2 09:30:26 php-fpm 398 /diag_authentication.php: LDAP Debug: Attempting to authenticate testuser on company ADI’m a LDAP novice. Any clues would be appreciated.
-
@Kajetan321 said in Active Directory LDAP Unable to Authenticate:
ERROR! Could not bind to LDAP server company AD. Please check the bind credentials.
As the log is pointing out, check the AD bind credentials.
You can create a user just for that purpose.
Don't use administrator. -
@mcury Thank you for posting. I tried a per-existing non admin account, no change. I then created a brand new non admin account, same thing, no change.
I Googled around and found some pertinent articles/posts. Here they are in case anyone else is facing a similar issue,
https://serverfault.com/questions/925725/pfsense-unable-to-ldap-bind-to-active-directory-server https://www.informaticar.net/connect-pfsense-with-ad/ https://techexpert.tips/pfsense/pfsense-active-directory-authentication-ldap-over-ssl/?utm_source=reddit&utm_content=postI'd like to add that I have LDAP integration working with XCP-ng, here is the config file:
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com BASE OU=Accounts,DC=lan,DC=company,DC=com #URI ldap://ldap.example.com ldap://ldap-provider.example.com:666 URI ldaps://server.lan.company.com #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/company_root.pem -
@mcury The mistake I was making was to enter the username just as straight text, ie "pfsense". When I switched to "CN=pfSense,CN=Users,DC=lan,DC=company,DC=com" the bind authentication started working.
The authentication appears to be working. Now on to making it secure.
Thanks for posting the screen shot.