Netgate Discussion Forum
    LDAP authentication w/SSL with FreeIPA CA cert fails?

    naex

      I recently installed a FreeIPA server and am attempting to authenticate pfSense from it. I previously had a custom OpenLDAP based setup that worked. In the previous case, pfSense was the CA and OpenLDAP was using a cert pfSense generated. With this new setup, FreeIPA is supposed to be the CA. If I use openssl with the certificate, it seems to work:

      [2.2.6-RELEASE][root@cerberus.my.local.domain.com]/var/run/certs: openssl s_client -connect daedalus.my.local.domain.com:636 -CAfile 56f0b2661d66e.ca
      CONNECTED(00000004)
      depth=1 O = MY.LOCAL.DOMAIN.COM, CN = Certificate Authority
      verify return:1
      depth=0 O = MY.LOCAL.DOMAIN.COM, CN = daedalus.my.local.domain.com
      verify return:1
      ---
      Certificate chain
       0 s:/O=MY.LOCAL.DOMAIN.COM/CN=daedalus.my.local.domain.com
         i:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority
       1 s:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority
         i:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority
      ---
      

      I can even use ldapsearch:

      [2.2.6-RELEASE][root@cerberus.my.local.domain.com]/var/run/certs: env LDAPTLS_CACERT=/var/run/certs/56f0b2661d66e.ca ldapsearch -H ldaps://daedalus.my.local.domain.com -D uid=cerberus.web.auth.svc,cn=users,cn=accounts,dc=my,dc=local,dc=domain,dc=com -W
      Enter LDAP Password:
      # extended LDIF
      #
      # LDAPv3
      # base <> (default) with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      
      # search result
      search: 2
      result: 32 No such object
      
      # numResponses: 1
      

      However, when I try to use this cert with pfSense, I simply get "Could not contact LDAP server". I've verified via various bits of debugging of /etc/inc/auth.inc that it's using the correct settings. Does anyone know if there's anything particular about these certs that could be broken that I should look for, given that openssl seems to like the cert fine?

      vbentley

        Is pfSense doing a DNS query for my.local.domain.com?

        Do you have SOA for my.local.domain.com?

