LDAP authentication w/SSL with FreeIPA CA cert fails?



  • I recently installed a FreeIPA server and am attempting to authenticate pfSense from it. I previously had a custom OpenLDAP based setup that worked. In the previous case, pfSense was the CA and OpenLDAP was using a cert pfSense generated. With this new setup, FreeIPA is supposed to be the CA. If I use openssl with the certificate, it seems to work:

    [2.2.6-RELEASE][root@cerberus.my.local.domain.com]/var/run/certs: openssl s_client -connect daedalus.my.local.domain.com:636 -CAfile 56f0b2661d66e.ca
    CONNECTED(00000004)
    depth=1 O = MY.LOCAL.DOMAIN.COM, CN = Certificate Authority
    verify return:1
    depth=0 O = MY.LOCAL.DOMAIN.COM, CN = daedalus.my.local.domain.com
    verify return:1
    ---
    Certificate chain
     0 s:/O=MY.LOCAL.DOMAIN.COM/CN=daedalus.my.local.domain.com
       i:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority
     1 s:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority
       i:/O=MY.LOCAL.DOMAIN.COM/CN=Certificate Authority
    ---
    

    I can even use ldapsearch:

    [2.2.6-RELEASE][root@cerberus.my.local.domain.com]/var/run/certs: env LDAPTLS_CACERT=/var/run/certs/56f0b2661d66e.ca ldapsearch -H ldaps://daedalus.my.local.domain.com -D uid=cerberus.web.auth.svc,cn=users,cn=accounts,dc=my,dc=local,dc=domain,dc=com -W
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 32 No such object
    
    # numResponses: 1
    

    However, when I try to use this cert with pfSense, I simply get "Could not contact LDAP server". I've verified via various bits of debugging of /etc/inc/auth.inc that it's using the correct settings. Does anyone know if there's anything particular about these certs that could be broken that I should look for, given that openssl seems to like the cert fine?



  • Is pfSense doing a DNS query for my.local.domain.com?

    Do you have SOA for my.local.domain.com?
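The two posts above point at different layers: the first shows that openssl s_client and ldapsearch accept the FreeIPA CA file, the second asks whether name resolution for my.local.domain.com even works from the pfSense box. Below is an added diagnostic script (written for this thread, not part of pfSense, FreeIPA or anyone's post) that walks those layers in order and reports the first one that breaks: loading the CA bundle, resolving the hostname, opening TCP port 636, and then a verifying TLS handshake. Unlike the openssl s_client run in the first post, which had no hostname check, it enforces that the certificate matches the name you connect to, which is closer to what a real LDAP client does. The hostname, port and CA file name are taken from the post; the script has no knowledge of the actual environment.

```python
import socket
import ssl
import sys


def build_context(cafile=None):
    """Build a verifying TLS client context from a PEM CA bundle.

    With cafile=None the platform's default trust store is used, which is
    exactly what fails when the FreeIPA CA is private and not installed
    on the client. Raises FileNotFoundError or ssl.SSLError when the
    CA file is missing or not valid PEM.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True           # the cert must match the name we dial
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable chain is a hard failure
    return ctx


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Walk the steps an LDAPS client takes and report the first one that fails.

    Returns (stage, detail). stage is 'ok' on success, otherwise one of
    'ca-file', 'dns', 'connect', 'cert-verify' or 'tls'.
    """
    # Step 1: can the CA bundle be loaded at all?
    try:
        ctx = build_context(cafile)
    except (FileNotFoundError, ssl.SSLError) as exc:
        return ("ca-file", f"cannot load CA bundle {cafile!r}: {exc}")

    # Step 2: does the server name resolve from *this* host?
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", f"{host} does not resolve: {exc}")
    resolved = sorted({a[4][0] for a in addrs})

    # Steps 3 and 4: TCP connect, then a fully verified TLS handshake.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = tls.getpeercert()
                subject = dict(rdn[0] for rdn in peer.get("subject", ()))
                return ("ok", f"{tls.version()} to {resolved}; "
                              f"peer CN={subject.get('commonName')}")
    except ssl.SSLCertVerificationError as exc:
        # chain does not lead to the CA file, or the name does not match
        return ("cert-verify", f"verification failed for {resolved}: {exc}")
    except ssl.SSLError as exc:
        return ("tls", f"handshake failed against {resolved}: {exc}")
    except OSError as exc:
        # refused, timed out, unreachable: the listener itself is the problem
        return ("connect", f"no TCP connection to {resolved}:{port}: {exc}")


if __name__ == "__main__":
    # Example from the thread:
    #   python3 probe_ldaps.py daedalus.my.local.domain.com 636 /var/run/certs/56f0b2661d66e.ca
    if len(sys.argv) < 2:
        sys.exit("usage: probe_ldaps.py HOST [PORT] [CAFILE]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    stage, detail = probe_ldaps(host, port, cafile)
    print(f"[{stage}] {detail}")
```

Run it on the pfSense host with the same CA file the GUI is configured to use: a 'dns' result answers the second post's question directly, 'cert-verify' means the chain or the name in the certificate is the problem even though openssl accepted it, and 'ok' narrows the fault to how auth.inc itself drives the LDAP library rather than to the certificate.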