Netgate Discussion Forum

SOLVED (bug) - LDAP issues, no clear error

General pfSense Questions
limecat, Sep 24, 2011, 9:38 PM (last edited Sep 27, 2011, 10:56 PM)

I'm trying to get pfSense set up to authenticate against OpenLDAP, and I'm running into a huge number of issues. Some are possibly bugs (I would like verification of that prior to reporting them).

My setup is all virtual (as this is a testbed): I have 2 pfSense (2.0 release) boxes CARP'd together (3 interfaces: 1 LAN, 1 CARP, 1 WAN), and a CentOS 6.0 box connected to the LAN. Its gateway is the CARP address, though that shouldn't matter. For testing purposes, I have shut down the slave pfSense box.

The CentOS box is running "iRedMail" (an OpenLDAP / MySQL / Postfix / etc. all-in-one mail server). It has phpLDAPadmin on it as well.

The iRedMail install notes state the following:

OpenLDAP:
    * LDAP suffix: dc=testcorp,dc=local
    * LDAP root dn: cn=Manager,dc=testcorp,dc=local, password: ########
    * LDAP bind dn (read-only): cn=vmail,dc=testcorp,dc=local, password: ######
    * LDAP admin dn (used for iRedAdmin): cn=vmailadmin,dc=testcorp,dc=local, password: ######
    * LDAP base dn: o=domains,dc=testcorp,dc=local
    * LDAP admin base dn: o=domainAdmins,dc=testcorp,dc=local
    * Configuration files:
        - /etc/openldap
        - /etc/openldap/slapd.conf
        - /etc/openldap/ldap.conf
        - /etc/openldap/schema/iredmail.schema

My configuration on pfSense is as follows:

    Port: 389
    Transport: TCP
    Protocol Version: 3
    Search scope (level): Entire subtree
    Search Scope: o=domains,dc=testcorp,dc=local
    Authentication Containers: ou=Users,domainName=testingcorp.local
    Bind credentials (user): cn=vmailadmin,dc=testcorp,dc=local
    User naming attribute: cn
    Group naming attribute: cn
    Group member attribute: objectClass

It saves just fine, but when I change the auth method to "save and test", the popup window shows an "attempting to bind failed" with no further error. Additionally, I cannot pick the authentication containers with the select button. Not sure if that is a cause, a symptom, or a bug.

In terms of possible bugs, here are a few things I've observed. Not sure they are bugs; feedback would be useful before I post them...
For starters, depending on my settings, upon clicking "save and test", the pfSense box will hang for a long time (I think this happens with a bad baseDN), further WebGUI clicks will hang for ~120 seconds, and it will refuse to let me get back to the page to remove the offending auth method. It is necessary to vi config.xml to remove that line and reboot the server.

Additionally, as I mentioned, clicking "save and test" is giving me

(if the image doesn't appear, go here: http://db.tt/vGLqNiHZ)

with no indication of what it's trying to bind to nor what the actual failure is.

Any help, as well as feedback on those two issues, would be helpful. Especially helpful would be a log file location: I'm unfamiliar with OpenLDAP, and do not know where its logs are usually kept, and I see no evidence of pfSense logging the issue.

Thanks in advance
(EDIT: using pics of my config)

limecat, Sep 24, 2011, 10:28 PM

Just found an error message in system.log:

    pfmaster php: /system_usermanager_settings_test.php:  ERROR! ldap_get_groups() could not bind to server iRedmail.

Maybe a problem with my group attribute? There doesn't appear to be a memberOf attribute on the user objects...

Metu69salemi, Sep 24, 2011, 10:42 PM

Is your server name vmail or iredmail?

limecat, Sep 24, 2011, 10:45 PM

The server's actual name is neither; iRedMail is the "alias" I gave it in the GUI (slightly offscreen in the first pic). If it would be helpful I can post a shot of phpLDAPadmin's tree.

Metu69salemi, Sep 24, 2011, 11:22 PM

It won't help me to help you. Did you enter a username (a valid username on the LDAP server) to check credentials from OpenLDAP?

limecat, Sep 24, 2011, 11:51 PM

I just authenticated to phpLDAPadmin with username cn=vmailadmin,dc=testcorp,dc=local and the password that I used in the web interface.

Is that what you mean?

Metu69salemi, Sep 25, 2011, 8:21 AM

That was it. Maybe someone who has done LDAP authentication might help (I haven't).

limecat, Sep 26, 2011, 2:48 PM

Bump, any other suggestions? Fixed the images above if that helps.

limecat, Sep 27, 2011, 10:55 PM (last edited Sep 27, 2011, 10:59 PM)

Solved!

There were two issues. The first one is that I was using the utterly wrong IP address due to confusion caused by virtualization. I was using the CARP subnet rather than LAN.

More serious, there appears to be a bug: pfSense does not want to bind with credentials. I added a line in /etc/inc/auth.inc (in the vicinity of line 723):

    if ($ldapanon == true) {
        // Anonymous bind path; the extra log_error() call shows whether it is taken
        if (!($res = @ldap_bind($ldap))) {
            @ldap_close($ldap);
            log_error("break 3");     // My additional code
            return false;
        }
    } else ........

Sure enough, when I run "save and test", I get "break 3" in /var/log/system.log, even when I have specified LDAP credentials.

I went into iRedMail's LDAP config and enabled anonymous bind, and all of a sudden it was able to bind no problem.
How do I open a bug for this?

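The thread's two complaints were a bare "attempting to bind failed" with no detail, and an anonymous bind being attempted even though a bind DN was configured. As an added example (not pfSense's auth.inc and not iRedMail's code), here is the bind step written so that a failure logs the LDAP result code and the server's diagnostic message, credentials are presented whenever a bind DN is configured, and a network timeout stops a wrong address from hanging the caller. The server, port, bind DN and password are whatever the caller passes in; none of the values are taken from the thread.

```php
<?php
// Added example, not pfSense's auth.inc: a bind step that explains its own failures.
// Requires ext/ldap; LDAP_OPT_DIAGNOSTIC_MESSAGE needs PHP >= 7.1.
// $server, $port, $bind_dn and $bind_pw are the caller's configured values (placeholders).
function ldap_bind_with_diagnostics(string $server, int $port, string $bind_dn, string $bind_pw)
{
    $ldap = @ldap_connect("ldap://{$server}:{$port}");
    if ($ldap === false) {
        error_log("LDAP: malformed URI for {$server}:{$port}");
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Fail fast: without this a wrong address (e.g. a CARP subnet address that
    // nothing answers on) blocks the caller until the TCP connect times out.
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);

    if ($bind_dn !== '' && $bind_pw === '') {
        // RFC 4513 "unauthenticated" bind: some servers accept a DN with an
        // empty password, which would look like a successful credential check.
        error_log("LDAP: refusing to bind as {$bind_dn} with an empty password");
        ldap_unbind($ldap);
        return false;
    }

    // Anonymous bind only when no bind DN was configured at all; configured
    // credentials are always presented rather than silently bypassed.
    if ($bind_dn === '') {
        $ok = @ldap_bind($ldap);
        $mode = 'anonymously';
    } else {
        $ok = @ldap_bind($ldap, $bind_dn, $bind_pw);
        $mode = "as {$bind_dn}";
    }
    if (!$ok) {
        $diag = '';
        @ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        // Result code and text, e.g. "(49) Invalid credentials", plus the
        // server's own diagnostic string when it sends one.
        error_log(sprintf("LDAP bind %s to %s:%d failed: (%d) %s %s",
            $mode, $server, $port, ldap_errno($ldap), ldap_error($ldap), $diag));
        ldap_unbind($ldap);
        return false;
    }
    return $ldap;   // connection handle, ready for ldap_search()
}
```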
dhatz, Sep 27, 2011, 11:09 PM

@limecat:

    More serious, there appears to be a bug: pfSense does not want to bind with credentials.
    I went into iRedMail's LDAP config and enabled anonymous bind, and all of a sudden it was able to bind no problem.
    How do I open a bug for this?

Check pfSense's bug tracker: http://redmine.pfsense.org/projects/pfsense/issues?set_filter=1
