LDAP server won't allow pfsense to connect



  • All this is on pfsense 2.1.5, patched to current releases of everything.  I am not running OpenLDAP or FreeRADIUS or anything like that on pfsense, if it makes any difference.

    I have a sample pfsense box connected to my own AD that I have configured both LDAP and LDAPS for, so I know how it is supposed to work. Mostly.  I've successfully done the certificate exchange, DNS names resolve properly, etc.

    Today, I was trying to establish a connection to someone else's AD via LDAP on a different (but similarly configured) pfsense firewall. We had all the information we needed, but when I'd click the "Select" button in the Authentication containers, I get the error
    "Could not connect to the LDAP server.  Please check your LDAP configuration."
    This LDAP server (Windows 2008) is configured on port 389, and according to the people whose AD the LDAP server is running on, it works just fine using the settings we have when used from a Cisco ASA.  Hmm. At first I thought we weren't trying to connect to them because there was nothing in the firewall log, but a packet capture showed that yes, the traffic was leaving the correct interface.  I do have a rule that should log that traffic, but that's another problem…

    I loaded up the LDAP troubleshooting patch, and when I attempt to connect to the supposedly unencrypted LDAP server, this is what shows in the error log (with the server name changed to protect the innocent):

    ldap_err2string
    ldap_create
    ldap_url_parse_ext(ldaps://some.server:389)
    ldap_bind_s
    ldap_simple_bind_s
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP some.server.com:389
    ldap_new_socket: 14
    ldap_prepare_socket: 14
    ldap_connect_to_host: Trying 192.168.1.1:389
    ldap_pvt_connect: fd: 14 tm: -1 async: 0
    attempting to connect:
    connect success
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
    TLS: can't connect: .
    ldap_err2string

    Note my pfsense is NOT configured for encryption.  If I configure it for LDAPS and tell it to use port 389, I get the same results.  The remote server is not listening on port 636, but we tried that too - and did not get a response from the server according to the troubleshooting patch's log.

    Is it possible that I need the public key of his root CA and/or the server certificate from his LDAP server? Or perhaps I need to provide him the public key of the CA on my firewall?  I've never attempted to connect to an LDAP server on port 389 and gotten TLS errors before, I'm at a bit of a loss.  Any help would be appreciated.


  • Banned

    You must install the CA certificate on the pfSense box and select that CA under Peer Certificate Authority to ensure that it matches the CA that issued the LDAP server certificate.



  • Thank you very much for taking the time to answer, and so promptly!

    But I'm supposedly NOT doing secure LDAP, according to the person on the far end (ah the joys of crossing domains of control).  Are you saying that if these two are true:
    1. I see TLS information in the debug, despite reassurances from this person that he is NOT running LDAPS
    2. I have NOT configured secure LDAP on pfsense
    that the far end server really IS running LDAPS?  In this person's case, on port 389 instead of 636, from the original debug output….

    I want to make sure I understand the debug output, because I owe this person an explanation of why it failed, and I want to be sure I'm not telling him he's doing it wrong if he's not.  I've never used this tool on pfsense before, I could have mis-understood the output.  I asked to exchange root certificates and the person did not understand what I was asking for.

    My successful LDAPS installation looks like this:

    ldap_create
    ldap_url_parse_ext(ldaps://dc.server.local:636)
    ldap_bind_s
    ldap_simple_bind_s
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP dc.server.local:636
    ldap_new_socket: 16
    ldap_prepare_socket: 16
    ldap_connect_to_host: Trying 172.16.1.1:636
    ldap_pvt_connect: fd: 16 tm: -1 async: 0
    attempting to connect:
    connect success
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 1, err: 0, subject: /ANONYMIZED BY FORUM POSTER
    TLS certificate verification: depth: 0, err: 0, subject: /ANONYMIZED BY FORUM POSTER
    TLS trace: SSL_connect:SSLv3 read server certificate A
    TLS trace: SSL_connect:SSLv3 read server certificate request A
    TLS trace: SSL_connect:SSLv3 read server done A
    TLS trace: SSL_connect:SSLv3 write client certificate A
    TLS trace: SSL_connect:SSLv3 write client key exchange A
    TLS trace: SSL_connect:SSLv3 write change cipher spec A
    TLS trace: SSL_connect:SSLv3 write finished A
    TLS trace: SSL_connect:SSLv3 flush data
    TLS trace: SSL_connect:SSLv3 read finished A

    My successful LDAP (no S) configuration looks like this:

    ldap_create
    ldap_url_parse_ext(ldap://dc.server.local:389)
    ldap_bind_s
    ldap_simple_bind_s
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP dc.server.local:389
    ldap_new_socket: 16
    ldap_prepare_socket: 16
    ldap_connect_to_host: Trying 172.16.1.1:389
    ldap_pvt_connect: fd: 16 tm: -1 async: 0
    attempting to connect:
    connect success
    ldap_open_defconn: successful
    ldap_send_server_request
    ldap_result ld 0x809de8670 msgid 1
    wait4msg ld 0x809de8670 msgid 1 (infinite timeout)
    wait4msg continue ld 0x809de8670 msgid 1 all 1
    ** ld 0x809de8670 Connections:
    * host: dc-01.vdc.local  port: 389  (default)
      refcnt: 2  status: Connected
      last used: Fri Feb  6 14:07:40 2015

  • Banned

    Well, not really sure what to add. If you don't have the certificate, you cannot use LDAPS. As long as you use ldaps:// encryption will be attempted.

    ldap_url_parse_ext(ldaps://some.server:389)

    If you do not want encryption, do not use ldaps:// – not to mention that LDAPS is normally not running on port 389.
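
The two replies above turn on one question: does the far end's port 389 answer in TLS or in plaintext LDAP? The first trace in this thread shows the client (URL `ldaps://some.server:389`) sending a TLS ClientHello and then failing at "read server hello", which is what OpenSSL reports when the bytes that come back are not a TLS record. A plain LDAP listener handed a ClientHello typically answers with a BER LDAPMessage (first byte 0x30) or just closes the connection. The probe below, an added example that is not code from this thread, from pfSense or from OpenLDAP, makes that distinction explicit from the pfSense shell or any Python host: it sends a hand-encoded anonymous LDAP bind in the clear and classifies the reply, and separately attempts a TLS handshake, optionally verified against the CA file the second reply says must be installed as the Peer Certificate Authority. The host name `some.server` is the thread's placeholder, and every sample reply in the block is constructed for illustration, not captured from a real server.

```python
"""Fingerprint what an LDAP port actually speaks: plaintext LDAP or TLS.

Added example, not code from the forum thread, from pfSense or from OpenLDAP.
The plaintext probe hand-encodes an anonymous LDAP bind in BER, so nothing
beyond the standard library is needed. Sample replies are constructed here.
"""
import socket
import ssl
import sys

# LDAPMessage { messageID 1, BindRequest { version 3, name "", simple "" } }
#   30 0c            SEQUENCE, 12 bytes
#     02 01 01       messageID = 1
#     60 07          [APPLICATION 0] BindRequest, 7 bytes
#       02 01 03     version = 3
#       04 00        name = ""
#       80 00        authentication: simple [0] = ""
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

# Constructed sample replies (not captured from any real server).
SAMPLE_BIND_SUCCESS = bytes.fromhex("300c02010161070a010004000400")        # resultCode 0
SAMPLE_BIND_INVALID_CREDS = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49
# Unsolicited Notice of Disconnection (ExtendedResponse, messageID 0,
# protocolError): what a plain LDAP listener may send for bytes it cannot parse.
SAMPLE_NOTICE_OF_DISCONNECT = bytes.fromhex("300c02010078070a010204000400")
SAMPLE_TLS_SERVER_HELLO = bytes.fromhex("16030300310200002d0303")  # record hdr + ServerHello start
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020228")                  # fatal handshake_failure


def classify(first_bytes: bytes) -> str:
    """Name the protocol a server replied with, judged from its first bytes.

    0x30 is the BER SEQUENCE tag every LDAPMessage starts with; 0x16 0x03 is a
    TLS handshake record (ServerHello); 0x15 0x03 is a TLS alert. An empty read
    means the peer closed without answering.
    """
    if not first_bytes:
        return "closed"
    if first_bytes[0] == 0x30:
        return "ldap"
    if len(first_bytes) >= 2 and first_bytes[1] == 0x03:
        if first_bytes[0] == 0x16:
            return "tls-handshake"
        if first_bytes[0] == 0x15:
            return "tls-alert"
    return "unknown"


def _tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(msg: bytes):
    """Return the resultCode of a BindResponse, or None if msg is not one."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        return None
    _, _msgid, pos = _tlv(body, 0)         # messageID
    op_tag, op, _ = _tlv(body, pos)
    if op_tag != 0x61:                     # [APPLICATION 1] BindResponse
        return None
    rc_tag, rc, _ = _tlv(op, 0)
    if rc_tag != 0x0A:                     # ENUMERATED resultCode
        return None
    return int.from_bytes(rc, "big")


def probe_plain_ldap(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send an anonymous bind in the clear and report what came back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(ANON_BIND_REQUEST)
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    kind = classify(reply)
    return {"kind": kind,
            "result_code": bind_result_code(reply) if kind == "ldap" else None}


def probe_tls(host: str, port: int = 636, cafile: str = None, timeout: float = 5.0) -> dict:
    """Attempt a TLS handshake. Without cafile, verification is off: this is a
    fingerprint of what the port speaks, not a trust decision. With cafile,
    the chain and host name are verified, as pfSense does with the CA chosen
    under Peer Certificate Authority."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"tls": True, "version": tls.version(), "verified": bool(cafile)}
    except OSError as e:                   # ssl.SSLError is a subclass of OSError
        return {"tls": False, "error": getattr(e, "reason", None) or str(e)}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "some.server"   # placeholder host
    print("plain LDAP on 389:", probe_plain_ldap(host, 389))
    print("TLS on 389:      ", probe_tls(host, 389))
    print("TLS on 636:      ", probe_tls(host, 636))
```

Read against this thread: a result of `kind: "ldap"` from the plaintext probe on 389 together with `tls: False` on 389 says the far end is plain LDAP there, and the pfSense side must then use `ldap://` with no SSL; `tls: True` on 389 or 636 says the far end does expect TLS, and the next step is the CA exchange the second reply describes, which `probe_tls(host, port, cafile="their-root-ca.pem")` exercises end to end.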



    The configuration I created for them was straight LDAP on the pfsense side originally, and it failed.  I was assured by the second party they were NOT running LDAPS, and that I must be typing the account credentials wrong.  Once I loaded the ldap verbose logging tool in pfsense, I suspected that LDAPS was in play, and explained that we needed to exchange root certificates, and that conversation hit a brick wall fast.  I would always prefer secure setups, but my issue is that I don't always work with people that understand their own networks.  Every now and then I have to tell people (nicely) that they are in fact running something they think they aren't, and I always want good technical information to back me up when I do.

    Thanks again for the prompt reply, this was a big help.