LDAPS 636 problems with pfsense
-
Hi to All,
Today for a VA I needed to configure LDAPS for the management and VPN authentication on my firewall pfSense 2.8.
I also imported the CA of the server into my firewall, but after some stressful tests I still have the same error:
Connection OK
Bind Failed
If I try some telnet and openssh tests from pfSense, everything is OK.
Any idea? I need LDAPS; I cannot roll back to LDAP on 389.
Thanks, Paolo
-
@Paolo-Scagnetti Did you restart PHP after changing to LDAPS?
-
@mcury Yes, I restarted the entire firewall, I have tried everything...
Any idea?
I configured:
LDAP
636
SSL/TLS Encrypted
I set the hostname and hostname.domain.local, same error.
If I try ldp.exe, bind OK, also openssh from pfSense.
-
Does the CN of the CA match the hostname you are using to connect?
Is the DNS resolving the hostname to the correct IP?
What about the bind credentials, confirmed working?
-
@mcury
Yes, DNS works perfectly; I also inserted the override in the DNS forwarder.
I have tried with ldp.exe and bind works perfectly.
The CN of the CA is different from the server DC hostname.
CA CN: domain-SRV-DC-CA
DC hostname: srv-dc.domain.local
-
@Paolo-Scagnetti said in LDAPS 636 problems with pfsense:
The CN of the CA is different from the server DC hostname.
If it is not the CN, it must be a SAN, or it won't work.
NOTE: When using SSL/TLS or STARTTLS, this hostname MUST match a Subject Alternative Name (SAN) or the Common Name (CN) of the LDAP server SSL/TLS Certificate.
-
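An offline way to check the rule in that NOTE, written as an added example (not from the thread and not pfSense's own code): it applies the name-matching rule a TLS verifier uses to a certificate in the dict shape Python's `ssl` module returns, using constructed sample certificates modelled on the names in this thread. It assumes modern verifier behaviour, where the subject CN is consulted only when the certificate carries no dNSName SAN at all.

```python
"""Offline check of the matching rule quoted above: the name typed into the pfSense
LDAP server field must match a dNSName SAN of the LDAPS server certificate; the
subject CN counts only when there is no dNSName SAN (assumed modern verifier rule)."""
import socket
import ssl

def _label_match(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that replaces only the whole left-most label."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False

def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """`cert` uses the dict shape returned by ssl.SSLSocket.getpeercert()."""
    host = hostname.rstrip(".").lower()
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        candidates = sans            # SAN present: the CN is ignored
    else:
        candidates = [v.lower() for rdn in cert.get("subject", ())
                      for attr, v in rdn if attr == "commonName"]
    return any(_label_match(c, host) for c in candidates)

def ldaps_peer_cert(host: str, port: int = 636, cafile=None) -> dict:
    """Live helper: open TLS to the LDAPS port using the CA pfSense trusts, with
    Python's own hostname check switched off so cert_matches_hostname() can report
    the mismatch instead of the handshake just failing. Chain validation stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates shaped like the thread's domain controller (not real)
DC_CERT = {
    "subject": ((("commonName", "srv-dc.domain.local"),),),
    "issuer": ((("commonName", "domain-SRV-DC-CA"),),),
    "subjectAltName": (("DNS", "srv-dc.domain.local"), ("DNS", "domain.local")),
}
# A certificate whose only name is the CA-style CN from the thread: no SAN at all
CA_STYLE_CERT = {"subject": ((("commonName", "domain-SRV-DC-CA"),),)}

if __name__ == "__main__":
    for name in ("srv-dc.domain.local", "srv-dc", "SRV-DC.domain.local."):
        print(f"{name:28} -> {cert_matches_hostname(DC_CERT, name)}")
```

Running it against the constructed DC_CERT shows why the short hostname `srv-dc` fails while the FQDN passes; `ldaps_peer_cert()` fetches the real certificate from a reachable DC for the same check.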
@mcury
OK, I need to recreate the CA certificate with the SAN of the domain controller extended, correct?
Thanks !!
1 hour and I will try.
-
Hi,
I have reconfigured the CA with the CN and SAN of my srv-dc.dominio.local.
Same error: connection OK, bind failed.
I have imported the .pfx of the server certificate and the CA.
Is only the CA needed?
Thanks, Paolo
-
@Paolo-Scagnetti said in LDAPS 636 problems with pfsense:
Is only the CA needed?
Yes, only the CA is needed.
Try to disable LDAPS for a moment, just to see if the bind will work.
I'm using LDAPS in pfSense and it is working perfectly. Connecting to a Samba domain.
-
@mcury
I changed back to 389 and now the same problem: BIND failed, connection OK.
I have configured 60-70 pfSense without any problem in LDAPS.
I have Windows Server 2025 and also disabled LDAP required signing.