LDAP authentication w/SSL with FreeIPA CA cert fails?
I recently installed a FreeIPA server and am attempting to authenticate pfSense from it. I previously had a custom OpenLDAP based setup that worked. In the previous case, pfSense was the CA and OpenLDAP was using a cert pfSense generated. With this new setup, FreeIPA is supposed to be the CA. If I use openssl with the certificate, it seems to work:
[2.2.6-RELEASE][firstname.lastname@example.org]/var/run/certs: openssl s_client -connect daedalus.my.local.domain.com:636 -CAfile 56f0b2661d66e.ca CONNECTED(00000004) depth=1 O = MY.LOCAL.DOMAIN.COM, CN = Certificate Authority verify return:1 depth=0 O = MY.LOCAL.DOMAIN.COM, CN = daedalus.my.local.domain.com verify return:1 --- Certificate chain 0 s:/O=MY.LOCAL.DOMAIN.COM/CN=daedalus.my.local.domain.com i:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority 1 s:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority i:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority ---
I can even use ldapsearch:
[2.2.6-RELEASE][email@example.com]/var/run/certs: env LDAPTLS_CACERT=/var/run/certs/56f0b2661d66e.ca ldapsearch -H ldaps://daedalus.my.local.domain.com -D uid=cerberus.web.auth.svc,cn=users,cn=accounts,dc=my,dc=local,dc=domain,dc=com -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1
However, when I try to use this cert with pfSense, I simply get "Could not contact LDAP server". I've verified via various bits of debugging of /etc/inc/auth.inc that it's using the correct settings. Does anyone know if there's anything particular about these certs that could be broken that I should look for, given that openssl seems to like the cert fine.
Is pfSense doing a DNS query for my.local.domain.com?
Do you have SOA for my.local.domain.com?