Authentication inconsistent behaviour
-
Hi there,
I'm sorry, I wasn't sure if I should post this in General Questions or WebGUI, but here goes.
I have an LDAP server configured for authentication. The server is properly configured, and if I go to "Diagnostics > Authentication" and test the login against the LDAP server, it returns successfully with the message: User <redacted> authenticated successfully. This user is a member of groups:
admins
Under User Manager the LDAP server is selected, there is a group named "admins" with scope "Remote"
When I try to login, I get an error:
May 14 13:20:52 php-fpm 56748 /index.php: webConfigurator authentication error for user 'redacted' from: redacted-ip-address
Is anyone else experiencing a similar issue? Not sure how to debug this further since I can authenticate every time under "Diagnostics"
-
What pfSense version are you testing in?
-
@stephenw10 26.03
Could it be because the LDAP group is also admins like the local admins group?
-
I wouldn't expect that to be an issue. The group names must be the same to inherit the permissions.
-
Then I'm completely clueless. I go to Diagnostics > Authentication, user works without issue, lists groups "admins"
I try to login on pfSense with that user, fails with wrong user/password. Every time.
-
Use another browser?
-
@Gertjan I already tried that, same result. Primary browser is Safari and the alternative browser is Firefox.
-
Can you login with it in any other way? SSH, VPN, captive portal etc.
Anything logged in the ldap server?
-
@stephenw10 no, VPN is also failing authentication. Actually that is what caught my attention: I don't log in to the pfSense so often, but after some update the mobile VPN auth stopped working. I only use the mobile VPN every once in a while, so I can't pin down exactly when it stopped working.
For example just now I logged into the server going to the system logs I get this:
May 28 13:25:54 php-fpm 59435 ERROR [LDAP Auth] ldap_get_groups() could not bind to server IdM.
But then again, I go to Diagnostics > Authentication and:

This was just now.
Oh, and another thing. When I fail the authentication on the pfSense login screen, the pfSense stops responding (I get a "server stopped responding" error). I have to wait maybe 5 or 10 minutes to be able to try and login again.
EDIT
Just looked into System Logs > Authentication. I get this:
May 28 12:39:26 sshguard 18161 192.168.X.Y: unblocking after 3763 secs
May 28 12:39:26 sshguard 18161 2001:etc:ip:v6:redacted: unblocking after 3966 secs
May 28 11:36:43 sshguard 18161 Blocking "192.168.X.Y/32" for 3600 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)
May 28 11:36:43 sshguard 18161 Attack from "192.168.X.Y" on service unknown service with danger 10.
-
That's the 'sshguard' bonus: once a failed login is registered in the logs, sshguard will block the offending IP for a while.
You, as the admin, can do something about it: System > Advanced > Admin Access, and look for "Login Protection".
-
Yup you can add your own address there to prevent it being blocked during testing.
-
Well, I appreciate that input, but honestly I'd rather focus on the underlying problem. Regarding the sshguard protection, I think it's a bit aggressive that ONE failed login locks the user out; it should have at least a three-failed-logins threshold, but that option isn't available in the System > Advanced > Admin Access settings.
-
-
@Gertjan I'm sorry but you'll have to be more specific than that. I am aware of the login protection not sure what your point is.
And yes, ONE. Look at the logs I pasted just a couple of hours ago, or to save you the trouble:
May 28 11:36:43 sshguard 18161 Blocking "192.168.X.Y/32" for 3600 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)
ONE.
-
Yes if it's already locked you out before then one further failure will lock it again.
Yes, this seems unrelated to the LDAP failure, as a cause at least.
Are there any failure logs at the LDAP server end?
-
@stephenw10
I can spend 24 or 48 hours without attempting any login (in fact, that login was the first attempt today since yesterday) and it will lock me out regardless.
I can stay away from the pfSense and attempt the login next week and I'll be locked out on the first login attempt.
About the LDAP logs. This is a successful attempt on Diagnostics > Authentication:
[28/May/2026:15:52:54.954980062 +0100] conn=30812 fd=254 slot=254 SSL connection from 192.168.X.PFS to 192.168.X.LDAP
[28/May/2026:15:52:54.968119309 +0100] conn=30812 TLS1.3 128-bit AES-GCM
[28/May/2026:15:52:54.968672875 +0100] conn=30812 op=0 BIND dn="uid=binduser,cn=sysaccounts,cn=etc,dc=local,dc=domain,dc=net" method=128 version=3
[28/May/2026:15:52:55.492026098 +0100] conn=30812 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.012916712 optime=0.523391258 etime=0.536288432 dn="uid=binduser,cn=sysaccounts,cn=etc,dc=local,dc=domain,dc=net"
[28/May/2026:15:52:55.492899658 +0100] conn=30812 op=1 SRCH base="cn=users,cn=accounts,dc=local,dc=domain,dc=net" scope=2 filter="(&(uid=myuser)(memberOf=cn=admins,cn=groups,cn=accounts,dc=local,dc=domain,dc=net))" attrs=ALL
[28/May/2026:15:52:55.496654093 +0100] conn=30812 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000251009 optime=0.003753101 etime=0.003993513
[28/May/2026:15:52:55.498307777 +0100] conn=30812 op=2 BIND dn="uid=myuser,cn=users,cn=accounts,dc=local,dc=domain,dc=net" method=128 version=3
[28/May/2026:15:52:56.021312382 +0100] conn=30812 op=2 RESULT err=0 tag=97 nentries=0 wtime=0.000284321 optime=0.523072107 etime=0.523347927 dn="uid=myuser,cn=users,cn=accounts,dc=local,dc=domain,dc=net"
[28/May/2026:15:52:56.022212090 +0100] conn=30812 op=3 UNBIND
[28/May/2026:15:52:56.022318303 +0100] conn=30812 op=3 fd=254 Disconnect - Cleanly Closed Connection - U1
[28/May/2026:15:52:56.026008736 +0100] conn=30813 fd=255 slot=255 SSL connection from 192.168.X.PFS to 192.168.X.LDAP
[28/May/2026:15:52:56.038712265 +0100] conn=30813 TLS1.3 128-bit AES-GCM
[28/May/2026:15:52:56.039196472 +0100] conn=30813 op=0 BIND dn="uid=binduser,cn=sysaccounts,cn=etc,dc=local,dc=domain,dc=net" method=128 version=3
[28/May/2026:15:52:56.553395399 +0100] conn=30813 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.012490785 optime=0.514214050 etime=0.526663330 dn="uid=binduser,cn=sysaccounts,cn=etc,dc=local,dc=domain,dc=net"
[28/May/2026:15:52:56.554499094 +0100] conn=30813 op=1 SRCH base="uid=myuser,cn=users,cn=accounts,dc=local,dc=domain,dc=net" scope=2 filter="(uid=myuser)" attrs="memberOf"
[28/May/2026:15:52:56.556075078 +0100] conn=30813 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000372091 optime=0.001483212 etime=0.001795039
[28/May/2026:15:52:56.557113575 +0100] conn=30813 op=2 UNBIND
[28/May/2026:15:52:56.557160552 +0100] conn=30813 op=2 fd=255 Disconnect - Cleanly Closed Connection - U1
This is when I try to login via GUI:
[28/May/2026:15:57:30.319017698 +0100] conn=30820 fd=248 slot=248 SSL connection from 192.168.X.PFS to 192.168.X.LDAP
[28/May/2026:15:57:30.332511100 +0100] conn=30820 op=-1 fd=248 Disconnect - unknown error
-
Hmm, so potentially some TLS issue...

-
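The access-log excerpts above show the distinction the reply is pointing at: on the successful Diagnostics test the directory server logs a TLS line, then the service-account BIND, the search and the user BIND, all with err=0, before a clean disconnect; on the GUI attempt the same client opens an SSL connection and is gone with "op=-1 ... Disconnect - unknown error" before any LDAP operation is even sent, so no bind was ever attempted. The following script is an added example (not code from the thread, from pfSense or from 389-ds/FreeIPA) that groups records of this format by conn= and labels each connection as a TLS-layer failure, an LDAP error (for example err=49, the standard invalidCredentials result for a wrong password) or a clean success. The sample log is constructed to mirror the posted records with placeholder IPs and DNs; conn=30825 is invented to show what a wrong password looks like next to the TLS failure on conn=30820.

```python
"""Per-connection triage of 389-ds / FreeIPA access-log records.

Added example, not from the thread, pfSense or 389-ds. Groups lines by conn=
and separates three outcomes that the pfSense side reports identically as
"could not bind to server":
  - tls-failure: the client was gone before any LDAP op reached the server
  - ldap-error:  an op completed but the server answered with a non-zero err=
  - ok:          the bind chain completed and the connection closed cleanly
"""
import re
from collections import defaultdict

# Constructed sample modelled on the records posted in the thread. IPs and DNs are
# placeholders; conn=30825 (wrong password, err=49) is invented for contrast.
SAMPLE_LOG = """\
[28/May/2026:15:52:54.954980062 +0100] conn=30812 fd=254 slot=254 SSL connection from 192.168.1.1 to 192.168.1.2
[28/May/2026:15:52:54.968119309 +0100] conn=30812 TLS1.3 128-bit AES-GCM
[28/May/2026:15:52:54.968672875 +0100] conn=30812 op=0 BIND dn="uid=binduser,cn=sysaccounts,cn=etc,dc=example,dc=net" method=128 version=3
[28/May/2026:15:52:55.492026098 +0100] conn=30812 op=0 RESULT err=0 tag=97 nentries=0
[28/May/2026:15:52:55.492899658 +0100] conn=30812 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=net" scope=2 filter="(uid=myuser)" attrs=ALL
[28/May/2026:15:52:55.496654093 +0100] conn=30812 op=1 RESULT err=0 tag=101 nentries=1
[28/May/2026:15:52:55.498307777 +0100] conn=30812 op=2 BIND dn="uid=myuser,cn=users,cn=accounts,dc=example,dc=net" method=128 version=3
[28/May/2026:15:52:56.021312382 +0100] conn=30812 op=2 RESULT err=0 tag=97 nentries=0
[28/May/2026:15:52:56.022212090 +0100] conn=30812 op=3 UNBIND
[28/May/2026:15:52:56.022318303 +0100] conn=30812 op=3 fd=254 Disconnect - Cleanly Closed Connection - U1
[28/May/2026:15:57:30.319017698 +0100] conn=30820 fd=248 slot=248 SSL connection from 192.168.1.1 to 192.168.1.2
[28/May/2026:15:57:30.332511100 +0100] conn=30820 op=-1 fd=248 Disconnect - unknown error
[28/May/2026:16:01:10.100000000 +0100] conn=30825 fd=250 slot=250 SSL connection from 192.168.1.1 to 192.168.1.2
[28/May/2026:16:01:10.110000000 +0100] conn=30825 TLS1.3 128-bit AES-GCM
[28/May/2026:16:01:10.120000000 +0100] conn=30825 op=0 BIND dn="uid=myuser,cn=users,cn=accounts,dc=example,dc=net" method=128 version=3
[28/May/2026:16:01:10.600000000 +0100] conn=30825 op=0 RESULT err=49 tag=97 nentries=0
[28/May/2026:16:01:10.610000000 +0100] conn=30825 op=1 UNBIND
"""

# Every access-log record starts with a bracketed timestamp and a conn= id.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")


def parse_connections(log_text):
    """Return {conn_id: state} with the fields the triage needs, in log order."""
    conns = defaultdict(lambda: {"peer": None, "tls": None, "binds": [],
                                 "results": [], "disconnect": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log record in the format handled here
        c, rest = conns[int(m["conn"])], m["rest"]
        if " connection from " in rest:
            c["peer"] = rest.split(" connection from ", 1)[1].split(" to ", 1)[0]
        elif rest.startswith("TLS"):
            c["tls"] = rest  # handshake finished: the server logged the negotiated cipher
        elif " BIND dn=" in rest:
            c["binds"].append(re.search(r'dn="([^"]*)"', rest).group(1))
        elif " RESULT " in rest:
            c["results"].append(int(re.search(r"err=(\d+)", rest).group(1)))
        elif "Disconnect - " in rest:
            c["disconnect"] = rest.split("Disconnect - ", 1)[1]
    return dict(conns)


def classify(conn):
    """Label one connection; the checks are ordered from 'nothing happened' upward."""
    if conn["tls"] is None and not conn["binds"]:
        return "tls-failure"  # no cipher line, no op: torn down during the handshake
    if any(err != 0 for err in conn["results"]):
        return "ldap-error"  # e.g. err=49 invalidCredentials on a BIND RESULT
    if conn["disconnect"] and conn["disconnect"].startswith("Cleanly"):
        return "ok"
    return "incomplete"  # still open, or closed without a reason we recognise


def triage(log_text):
    """Map every conn= id in the log to its verdict."""
    return {cid: classify(c) for cid, c in parse_connections(log_text).items()}


if __name__ == "__main__":
    for cid, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"conn={cid}: {verdict}")
```

Run against the real log it reads the whole file the same way; the useful part is that a "tls-failure" verdict means the server never saw a bind, so the password and group membership cannot be the cause of that attempt. The access log does not say why the handshake died (certificate validation, cipher or protocol mismatch, client abort), so the next place to look is the directory server's error log and the client side that opened the connection.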
Hmm, there is one LDAP fix in 26.03.1. It seems unrelated to this but worth upgrading to test if you can.
-
@stephenw10 the certificate is the same on both the diagnostics test and the GUI login. So it's weird that the same cert and the same server work on one situation and not another.
About the sshguard and lockout, that is actually something I would like to alter in the config, I mean to only get locked out after at least 3 login attempts. Getting locked out after one, despite not having made another login attempt for ... 6-12-24-48 hours, is something I'm having some difficulty wrapping my head around.
I will update to 26.03.1 later today, and tomorrow I'll say how it went. I'm also removing the duplicate admins group from this pfSense.
-
I agree it seems unlikely the upgrade will change anything but you should upgrade anyway to be sure. Any required fixes will be against that.