LDAPS connection with ClearOS
I've been trying to setup an LDAPS connection with ClearOS Directory Server, but I'm hitting a wall right now.
The following is the current setup:
- Publish Policy set to Local Network, so that it accepts connections from other hosts in the LAN
- ClearOS only accepts Port 636 from other hosts, and does not accept Port 389 connections
- Created CA and Server Certificate with ClearOS's Certificate Manager (can only create CA/Certificates, no importing)
- Successfully tested connection with Apache Directory Studio with SSL connection on port 636
Connection Type: LDAP
(Added entry to DNS Resolver with the server's IP, and confirmed working via Diagnostics>Ping)
Port Value: 636
Peer Certificate Authority: DC (Imported the Certificate Authority from ClearOS's Certificate Manager into pfSense's Cert Manager>CAs)
Protocol Version: 3
Search Scope - Level: Entire Subtree
Search Scope - Base DN: dc=test,dc=domain,dc=com
Authentication Containers: ou=VPNUsers (Created this group in ClearOS)
Extended Query: Unchecked and Blank
Bind Credentials - Use Anonymous: Unchecked
Bind Credentials - User DN: cn=manager,ou=Internal,dc=test,dc=domain,dc=com
Bind Credentials - Password: Copied and pasted the password that was automatically created by ClearOS, no special characters except for the + sign
User Naming Attribute: cn
Group Naming Attribute: cn
Group Member Attribute: member
UTF8 Encode: Unchecked
Username Alterations: Unchecked
With these settings, when I go to Diagnostics>Authentication and try to authenticate the user "pfsense" that I created in ClearOS, the system logs display the following message.
php-fpm: /diag_authentication.php: ERROR! Either LDAP search failed, or multiple users were found.
In the LDAP settings page, if I try to click on the "Select" button next to Authentication Containers, I get the following message in the system logs.
php-fpm: /system_usermanager_settings_ldapacpicker.php: ERROR! ldap_get_user_ous() could not bind to server.
I wanted to get more detailed logs, so I searched the forum and found a patch to get a debug output for LDAP attempts.
I applied the patch, restarted the webconfigurator (and also restarted PHP-FPM after that), and then attempted the Diagnostics>Authentication, but the log file (lighttpd-breakage.log) was empty. It was noted that it works for 2.1 only, and I'm on 2.2.1 so maybe that's why.
So I'm not sure if this really is the problem, but I searched through the forums again and found a post that states that self-signed certificates are not allowed for SSL Authentication. It looks like self-signed certificates that were made by pfSense are OK, so it was advised that these should be created in pfSense and imported to the LDAP server, or to not use SSL and use port 389 instead.
If this is the case, then I'm not sure what to do since:
1. ClearOS cannot import CA/Certificates, so I cannot transfer these from pfSense
2. ClearOS does not accept LDAP connection on port 389, so SSL connection is a must
If someone can give me some advice on where to look, that would be great.
I'll also post the result if I find any workaround.
Looks like it's just that I've imported the wrong cert file, my mistake.
I had to log in to the console and execute the following command to get the correct certificate:
openssl s_client -showcerts -connect localhost:636
I too am mashing my head into the wall on this one. I have done exactly as you and still cannot authenticate users.
A few questions for you:
1) When you issued the ClearOS console command: openssl s_client -showcerts -connect localhost:636 Which part did you use? Between the --BEGIN-- XXX --END-- sections or the whole thing? (See question 2, I believe I am looking at both certificates)
2) There seem to be 2 certs on my clean ClearOS install. A default, and the one generated when you first open the Certificate Manager.
- Certificate Authority ca-cert.pem
- Default Certificate sys-0-cert.pem
Using the Certificate Manager I have downloaded both of these / imported into pfSense & tried both with the LDAP configuration to no avail... :(
In pfSense LDAP configuration did you check the RFC2307 Groups box?
What versions of pfSense and ClearOS are you testing with?
Thanks for your help!!!
Also updated my server address to the CN as per the certificate generated by ClearOS, still no luck.... :(
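The following is an added example, not code from either post in this thread, that reproduces the "imported the wrong cert file" situation offline: it builds a throwaway CA and a server certificate with openssl (all names, such as "Test CA" and ldap.test.domain.com, are constructed), then shows that a chain check only passes against the CA file, never against the server certificate itself, and prints the CN that the pfSense hostname has to match.

```shell
#!/bin/sh
# Added example (not from the thread): which of the two files a verifier needs as
# its trust anchor, and what its CN must match. Names below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
  # Self-signed CA: issuer == subject, like the CA ClearOS's Certificate Manager creates.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" >/dev/null 2>&1
  # Server certificate signed by that CA; its CN is the name pfSense must connect to.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.test.domain.com" \
    -keyout "$WORK/srv-key.pem" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca-cert.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/sys-0-cert.pem" >/dev/null 2>&1
}

# Succeeds only if the server certificate chains to the file given as trust anchor.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/sys-0-cert.pem" >/dev/null 2>&1
}

# A CA (root) certificate has identical subject and issuer; a leaf does not.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# The subject CN must match the hostname entered in pfSense, or the TLS check fails.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

main() {
  make_test_pki
  for f in ca-cert.pem sys-0-cert.pem; do
    if is_self_signed "$WORK/$f"; then kind="CA (self-signed)"; else kind="server (leaf)"; fi
    if verify_against "$WORK/$f"; then ok=yes; else ok=no; fi
    echo "$f: $kind, CN=$(cert_cn "$WORK/$f"), usable as Peer CA: $ok"
  done
}

main
```

Pointing is_self_signed and cert_cn at the files downloaded from the Certificate Manager (or at each block printed by openssl s_client -showcerts) tells you which one is the CA to import and which CN the server address must match.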