Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Active Directory LDAP Unable to Authenticate

    General pfSense Questions
    2
    4
    881
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      Kajetan321
      last edited by

      I'm having a really hard time getting LDAP working with Active Directory. For testing purposes I have set the following registry keys on the LDAP server

      HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters --> LDAPServerIntegrity = 0
      HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters --> ldapenforcechannelbinding =0

      It looks like these settings took effect as I’m getting all kinds of warning in the even log about LDAP being unsecure. I’m going for the simplest setup just as a proof of concept.

      On pfSense I have LDAP setup as follows:

      I have tried to follow the template here: https://docs.netgate.com/pfsense/en/latest/recipes/external-authentication.html

      Descriptive Name:		Company AD
Type:				LDAP
Hostname or IP Address          172.22.1.1
Port:				389		
Transport:			TCP - Standard
Protocol Version:		3
Search Scope:			Entire Subtree
				DC=lan,DC=company,DC=com
Authentication Containers	CN=Users,DC=lan,DC=company,DC=com

Extended Query:			memberOf=CN=VPNUsers,CN=Users,DC=lan,DC=company,DC=com				
Bind anonymous:		        [ ] Use anonymous binds to resolve distinguished names

Group Naming Attribute:		cn
Group Member Attribute:		memberOf

      The pfsense log shows:

      Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: ERROR! Could not bind to LDAP server company AD. Please check the bind credentials.
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: LDAP connection error flag: false
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Group Filter:
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Filter: (&(samaccountname=testuser)(memberOf=CN=VPNUsers,CN=Builtin,DC=lan,DC=company,DC=com))
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Extended Query: memberOf=CN=VPNUsers,CN=Builtin,DC=lan,DC=company,DC=com
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Attrs: Name: samaccountname / Group: memberOf
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Container: CN=Users,DC=lan,DC=company,DC=com
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Auth Bind DN: admin
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Scope: subtree
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Base DN: OU=Users,DC=lan,DC=company,DC=com
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: URI: ldap://server.lan.company.com:389 (v3)
Sep 2 09:30:26 	php-fpm 	398 	/diag_authentication.php: LDAP Debug: Attempting to authenticate testuser on company AD

      I’m a LDAP novice. Any clues would be appreciated.

      M 1 Reply Last reply Reply Quote 0
      • M
        mcury @Kajetan321
        last edited by mcury

        @Kajetan321 said in Active Directory LDAP Unable to Authenticate:

        ERROR! Could not bind to LDAP server company AD. Please check the bind credentials.

        As the log is pointing out, check the AD bind credentials.

        45adb974-7e97-489a-9337-53df09d76422-image.png

        You can create a user just for that purpose.
        Don't use administrator.

        dead on arrival, nowhere to be found.

        K 2 Replies Last reply Reply Quote 1
        • K
          Kajetan321 @mcury
          last edited by Kajetan321

          @mcury Thank you for posting. I tried a per-existing non admin account, no change. I then created a brand new non admin account, same thing, no change.

          I Googled around and found some pertinent articles/posts. Here they are in case anyone else is facing a similar issue,

          https://serverfault.com/questions/925725/pfsense-unable-to-ldap-bind-to-active-directory-server
https://www.informaticar.net/connect-pfsense-with-ad/
https://techexpert.tips/pfsense/pfsense-active-directory-authentication-ldap-over-ssl/?utm_source=reddit&utm_content=post

          I'd like to add that I have LDAP integration working with XCP-ng, here is the config file:

          #
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
BASE   OU=Accounts,DC=lan,DC=company,DC=com

#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666
URI    ldaps://server.lan.company.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/company_root.pem
          1 Reply Last reply Reply Quote 0
          • K
            Kajetan321 @mcury
            last edited by Kajetan321

            @mcury The mistake I was making was to enter the username just as straight text, ie "pfsense". When I switched to "CN=pfSense,CN=Users,DC=lan,DC=company,DC=com" the bind authentication started working.

            The authentication appears to be working. Now on to making it secure.

            Thanks for posting the screen shot.

            1 Reply Last reply Reply Quote 1
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.