Netgate Discussion Forum

Authentication fails when multiple different LDAP sources (server, bind user and user database) are configured

General pfSense Questions
4 Posts 2 Posters 304 Views
gvecchi, Dec 5, 2023, 2:21 PM

    Hello everyone,

    I'm looking for feedback about bug #15060.
    This is my scenario:

    • brand new pfSense+ system deployed as an AWS AMI (AMI ID: ami-0e1a56989ef6d9eb2, AMI Name: pfSense-plus-ec2-23.09-RELEASE-amd64 23-d6a66a49-ceec-4a27-ad5b-ea8a3eb55b15) with a single ENI and an EIP
    • 2 different LDAP sources configured as 2 different Authentication Servers:
      • Authentication Server #1 is an AWS Managed Microsoft AD; an NLB with a TLS listener using a certificate signed by our internal CA is configured in order to get LDAPS (see this AWS blog post for details)
      • Authentication Server #2 is the Okta LDAP interface of our preview tenant
      • LDAPS is in place for both Authentication Servers
      • Search scope, Authentication containers, Bind credentials, User naming attribute and Group Object Class differ between the 2 Authentication Servers

    Steps to reproduce the issue:

    • configure Authentication Server #1
    • Authentication Server #1 configuration tested successfully with Diagnostics > Authentication
    • configure Authentication Server #2
    • Authentication Server #2 configuration tested successfully with Diagnostics > Authentication
    • testing Authentication Server #1 again with Diagnostics > Authentication fails with the error "Could not bind to LDAP server Authentication Server #1"
    • delete Authentication Server #2
    • testing Authentication Server #1 again with Diagnostics > Authentication succeeds

    The issue survives a reboot.

    I suspect the following:

    • the pfSense+ system is somewhere messing up Bind Credentials and/or Certificate validation
    • the issue is agnostic to the database engine

    I'm unable to run a test without a TLS/SSL configuration because of the scenario: could anyone reproduce the issue, maybe also without an LDAPS configuration, in order to understand the root cause?

    Thanks

    gvecchi, Dec 5, 2023, 3:00 PM

      Update: I ran a packet capture and it seems to be a random failure of CA verification on both Authentication Servers:

      (screenshots: authentication-test_010.jpg, authentication-test_011.jpg)

      stephenw10 (Netgate Administrator), Dec 5, 2023, 3:24 PM

        Can we assume each of them works correctly if the other is disabled?

        gvecchi @stephenw10, Dec 5, 2023, 3:29 PM

          @stephenw10 I didn't find any option in System / User Manager / Authentication Servers to keep them both configured but one enabled and one disabled.
          I confirm that they both work if there is only one configured at a time.

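As an added diagnostic for the scenario in this thread, not code from the posts or from pfSense: a small Python script that checks each LDAPS server on its own, verifying the certificate chain against only that server's CA file and then attempting an LDAPv3 simple bind with only that server's credentials, so a CA-verification failure (what the packet captures above showed) is reported separately from a bind failure, which the pfSense "Could not bind" message conflates. Hostnames, CA file names and bind DNs are placeholders to be replaced with your own; the BER encoder/decoder is minimal and only handles what a bind needs.

```python
import socket
import ssl

def tlv(tag: int, body: bytes) -> bytes:
    # BER tag/length/value with short or long definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int = 0):
    # returns (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_simple_bind(bind_dn: str, password: str, msg_id: int = 1) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple password } }
    bind = tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def parse_bind_result(resp: bytes) -> int:
    # resultCode of BindResponse [APPLICATION 1]: 0 = success, 49 = invalidCredentials
    tag, msg, _ = read_tlv(resp)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)            # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(op)          # LDAPResult starts with resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def check_server(host: str, ca_file: str, bind_dn: str, bind_pw: str, port: int = 636) -> dict:
    # chain verified against THIS server's CA file only, then bind with THIS server's credentials
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(build_simple_bind(bind_dn, bind_pw))
                return {"tls": "ok", "bind_result": parse_bind_result(tls.recv(4096))}
    except ssl.SSLCertVerificationError as e:
        return {"tls": "CA verification failed: " + e.verify_message, "bind_result": None}
    except OSError as e:
        return {"tls": "connection error: " + str(e), "bind_result": None}
```

Run `check_server("ldap1.example.internal", "ca1.pem", "cn=svc1,dc=example,dc=internal", "PW1")` (placeholder values) once per server, then alternate between the two several times; a result with `"tls": "ok"` and `bind_result` 0 for each server outside pfSense narrows the problem to how the firewall keeps the two servers' CA and bind settings apart.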
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.