Netgate Discussion Forum

Using stunnel with Google LDAP

Category: pfSense Packages (solved)
3 posts, 1 poster, 352 views
    regexaurus, Feb 12, 2025, 9:47 PM (last edited Feb 17, 2025, 10:51 PM)

    Hi,

    I'm not yet having success getting stunnel working with Google (Workspace) LDAP. I'm trying to connect a Toshiba e-Studio 4515AC MFD, which doesn't appear to offer the required certificate/key authentication to access Google LDAP. I followed steps 1-3 here, to add/enable LDAP access in our Google Workspace, and generate/download a certificate.
    I imported the generated certificate (including private key) to pfSense.

    [screenshot omitted]

    I installed, enabled, and configured the stunnel package:

    Description: Google Workspace LDAP
    Client Mode: Checked
    Listen on IP: LAN IP
    Listen on Port: 1636
    Certificate: Google Workspace LDAP Key
    Redirects to IP: ldap.google.com
    Redirects to Port: 636

    So I more or less followed stunnel configuration in Step 2 here. I'm not sure about cert/key selection/config. Under the Certificate drop-down selector for stunnel config, is the text/note: "Select server certificate to use for this tunnel." I'm wondering if the purpose of a certificate selected in this drop-down is for TLS connections to stunnel, not for stunnel to use for secure client connections to a remote server... If so, is there a way to use stunnel configuration Custom Options to specify a cert/key to use for client connection to remote server? Perhaps the cert= and key= options as shown at the "Step 2" link above?
    Firewall rules allow port 1636 access on LAN IP/interface. The Toshiba e-Studio LDAP client is configured to connect to the pfSense LAN IP on port 1636 (no SSL/TLS). When I click Execute beside "Connection Test" in the e-Studio LDAP client settings, I immediately see "Failed to connect. Check the following setting. Server IP Address, Port Number, Enable SSL/TLS, SSL/TLS Port Number." I'm not finding helpful or extraordinary stunnel log entries.
    I would appreciate your suggestions for troubleshooting and/or approach. Thank you!

      regexaurus, Feb 17, 2025, 5:46 PM (last edited Feb 17, 2025, 5:48 PM)

      In case it's helpful, I'm running pfSense CE 2.7.2. Since my original post, I came upon this in the docs:

      Authenticating Users with Google Cloud Identity which includes, "...please note that the LDAP application credentials (username and password) are required."

      I'm not sure if this requirement is specific to using Google Cloud Identity LDAP for pfSense authentication, but I generated access credentials for the LDAP client I had added in my Google Workspace.

      Then in my Toshiba MFD LDAP Client settings, I changed Authentication to Simple Bind and entered the username and password from the generated access credentials and saved my changes. Executing a connection test from the Toshiba MFD still results in a quick, "Failed to connect."

      This time I ran a couple of packet captures in pfSense. I see packets from/to the Toshiba MFD on port 1636, and I see packets between pfSense and 216.239.32.58 (ldap.google.com). For one packet (protocol TLSv1) from pfSense to 216.239.32.58, status/info is "Ignored Unknown Record." Soon after, I see a packet from 216.239.32.58 to pfSense (protocol TLSv1), with status/info "Alert (Level: Fatal, Description: Protocol Version)."

      [screenshot omitted]

        regexaurus, Feb 17, 2025, 10:49 PM (last edited Feb 17, 2025, 10:53 PM)

        After clearing the Protocol field in stunnel config, which I had originally set to ldap, saving the change, and restarting stunnel service, executing a connection test from the Toshiba MFD was successful.
        And after adding the Google Workspace server entry in the Toshiba MFD LDAP Client settings as a directory/service option (click Server Assignment button, also in MFD LDAP Client settings), Google Workspace directory searches from the Toshiba MFD are working as expected.

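The fix in the last post (clearing the Protocol field) matches how stunnel's `protocol` option works: `protocol = ldap` tells stunnel to speak plaintext LDAP first and negotiate StartTLS, whereas port 636 (LDAPS) expects a TLS ClientHello as the very first bytes, which is why the capture showed "Ignored Unknown Record" followed by a fatal "Protocol Version" alert. As an added example that is not part of the thread or the pfSense package, the checker below parses a stunnel config, flags a client-mode service that combines a StartTLS `protocol` with an implicit-TLS port, and also flags a client-mode tunnel that never verifies the remote server certificate (something the thread does not cover). It assumes the pfSense Protocol field maps to stunnel's `protocol` option; the two sample configs, their IPs and file paths are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ports whose server expects a TLS ClientHello immediately ("implicit TLS").
IMPLICIT_TLS_PORTS = {636: "ldaps", 465: "smtps", 993: "imaps", 995: "pop3s"}
# stunnel 'protocol' values that send the plaintext protocol first (StartTLS).
STARTTLS_PROTOCOLS = {"ldap", "smtp", "imap", "pop3"}


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stunnel's INI-like config: global options land in section '',
    each [name] header starts a service block; ';' and '#' begin comments."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def _connect_port(connect: str) -> Optional[int]:
    """'connect' may be 'host:port' or a bare port; return the port or None."""
    _, _, port = connect.rpartition(":")
    return int(port) if port.isdigit() else None


def lint_service(name: str, opts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one client-mode service block."""
    findings: List[Tuple[str, str]] = []
    if opts.get("client", "no").lower() != "yes":
        return findings  # server-mode blocks are out of scope here

    port = _connect_port(opts.get("connect", ""))
    proto = opts.get("protocol", "").lower()
    if proto in STARTTLS_PROTOCOLS and port in IMPLICIT_TLS_PORTS:
        findings.append(("STARTTLS_ON_IMPLICIT_TLS_PORT",
                         f"[{name}] protocol={proto} sends a plaintext StartTLS "
                         f"request, but port {port} ({IMPLICIT_TLS_PORTS[port]}) "
                         f"expects TLS from the first byte; clear 'protocol'"))

    if "cert" not in opts:
        findings.append(("NO_CLIENT_CERT",
                         f"[{name}] no 'cert': the remote server cannot "
                         f"authenticate this tunnel with a client certificate"))

    if not any(k in opts for k in ("verifyChain", "verifyPeer", "verify")):
        findings.append(("NO_SERVER_VERIFICATION",
                         f"[{name}] no verifyChain/verifyPeer/verify: any server "
                         f"certificate is accepted on the TLS side of the tunnel"))
    return findings


def lint_config(text: str) -> List[Tuple[str, str]]:
    """Lint every service block in a stunnel config string."""
    findings: List[Tuple[str, str]] = []
    for name, opts in parse_stunnel_conf(text).items():
        if name:  # skip the global section
            findings.extend(lint_service(name, opts))
    return findings


# Constructed config mirroring the failing setup in the first post
# (Client Mode checked, Protocol set to ldap). IP and paths are placeholders.
BROKEN_CONF = """
[google-ldap]
client = yes
accept = 192.168.1.1:1636
connect = ldap.google.com:636
cert = /var/etc/stunnel/google-ldap.pem
protocol = ldap
"""

# Constructed config for the working setup in the last post, plus server
# verification options (verifyChain, CAfile, checkHost) the thread omits.
FIXED_CONF = """
[google-ldap]
client = yes
accept = 192.168.1.1:1636
connect = ldap.google.com:636
cert = /var/etc/stunnel/google-ldap.pem
key = /var/etc/stunnel/google-ldap.key
verifyChain = yes
CAfile = /etc/ssl/cert.pem
checkHost = ldap.google.com
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for code, msg in lint_config(conf) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

Run it as-is to see the broken block produce two findings and the fixed block none; to check a real pfSense tunnel, feed the generated stunnel config file's text to `lint_config`. Note that the LAN side of the tunnel (port 1636 from the MFD) is still plaintext, so the firewall rule that limits that port to the printer's address is doing real work.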
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.