
Author Topic: LDAP worked in 2.3, broke in 2.4 - ssl issue?  (Read 270 times)


Offline SpaceBass

LDAP worked in 2.3, broke in 2.4 - ssl issue?
« on: November 03, 2017, 01:35:14 pm »
Hey folks,

First as background, I'm using an external LDAP provider with no access to the server itself or logs. (and if that sounds crazy, I'll be able to explain in the near future. Imagine a cloud-based directory service...)

This worked fine in 2.3. I upgraded to 2.4 and now we get the "cannot bind..." error.

I suspect, as another user discovered and shared on a reddit post, this may be an SSL error.

The LDAP provider's cert is a wildcard cert. So ldap.foo.bar uses *.foo.bar.

Foo.bar is issued through a trusted root authority.

I've tried pulling down every cert in the chain using:
Code:
openssl s_client -connect ldap.foo.bar:636 -showcerts
I've also tried concat'ing everything together and using that in the LDAP setup in PF. Neither works.

Anyone have any troubleshooting tips or ideas?


Offline jimp

Re: LDAP worked in 2.3, broke in 2.4 - ssl issue?
« Reply #1 on: November 06, 2017, 11:25:38 am »
I'm not sure what might have changed there, since LDAP should have failed before with that config as well (unless you imported the root CA and all intermediates).

I added a fix on 2.4.2 last week to choose the global root CA list for these situations: https://redmine.pfsense.org/issues/8044
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline SpaceBass

[closed] Re: LDAP worked in 2.3, broke in 2.4 - ssl issue?
« Reply #2 on: November 15, 2017, 07:57:57 pm »
Thanks Jimp!

Quick note to close (for now) the loop on this thread....

I've reproduced the problem with my own local LDAP server and can confirm the suggested fix works (in that instance).

Using
Code:
openssl s_client -connect ldap.foo.bar:636 -showcerts

I was able to pull each individual cert and try each one in the LDAP config until I found the intermediate that worked :)

I still have an issue with a remote LDAP server that is out of my control (so I can't view its logs, etc.) where that trick is not working...but it's a beta service (from a big, huge, giant of identity services) and I suspect we'll learn more as we continue to test with them. In the meantime, they've provided a nice proxy service as a workaround.
« Last Edit: November 15, 2017, 08:04:08 pm by SpaceBass »
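The chain-splitting and "try each CA" procedure described in the post above, reproduced offline as an added example (not code from the thread or from pfSense). It assumes openssl on PATH, builds a constructed root -> intermediate -> *.foo.bar chain, and shows when the leaf validates depending on which CA plays the role of pfSense's single peer CA entry; ldap.foo.bar and *.foo.bar are the thread's placeholder names.

```shell
#!/bin/sh
# Added example, not code from the thread: build a constructed root -> intermediate ->
# *.foo.bar chain, split a served bundle the way the poster did, and verify the leaf
# with the same path-building rules a TLS client (hence the LDAP bind) applies.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Throwaway chain; the CAs are constructed, foo.bar is the thread's placeholder domain.
mk_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.foo.bar\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
        -extfile ca.ext -out int.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.foo.bar' \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 \
        -extfile leaf.ext -out leaf.pem 2>/dev/null
    cat leaf.pem int.pem > served.pem     # what a correctly configured server presents
}

# Split a PEM bundle (e.g. saved `openssl s_client -showcerts` output) into chain-N.pem
# files and print each certificate's subject and issuer to see who signed what.
split_chain() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > ("chain-" n ".pem")}' "$1"
    for f in chain-*.pem; do
        printf '%s ' "$f"; openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '; echo
    done
}

# verify_leaf LEAF ANCHOR [UNTRUSTED]: ANCHOR plays the role of the single CA entry pfSense
# trusts; UNTRUSTED holds the other certs the server sent. Returns 0 only if the path from
# the leaf to ANCHOR is complete and the wildcard matches ldap.foo.bar.
verify_leaf() {
    openssl verify -CAfile "$2" ${3:+-untrusted "$3"} -verify_hostname ldap.foo.bar "$1" \
        >/dev/null 2>&1
}

mk_chain
split_chain served.pem
cat root.pem int.pem > bundle.pem         # root plus intermediate imported as one entry
verify_leaf leaf.pem root.pem int.pem && echo "root anchor, intermediate served: ok"
verify_leaf leaf.pem root.pem || echo "root anchor, intermediate not served: FAIL (cannot bind)"
verify_leaf leaf.pem bundle.pem && echo "root+intermediate anchor, only leaf served: ok"
```

The middle case is the one that looks like "cannot bind": the trust anchor is fine, but the path cannot be built because the intermediate is neither served nor trusted.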

Offline ETB

Re: LDAP worked in 2.3, broke in 2.4 - ssl issue?
« Reply #3 on: December 12, 2017, 04:42:49 am »
Hello there,

I jump on this thread (I hope it's OK for me doing it) because I encounter the same behavior even with the last update.
My LDAP is using a Let's Encrypt certificate generated by Acme on my pfSense. The LDAP is an OpenLDAP hosted on a Nethserver.
I'm unable to bind using SSL/STARTTLS.
I searched online how to get more logs on the pfSense but all I found was a patch for 2.3.
Could someone have a look on my issue, or should I open a different topic?

Please let me know how I can be useful.

Regards,

Offline jimp

Re: LDAP worked in 2.3, broke in 2.4 - ssl issue?
« Reply #4 on: December 12, 2017, 07:07:29 am »
If it is this issue, then you must upgrade to pfSense 2.4.2 or later. Once you are on 2.4.2, you can edit the LDAP server entry on pfSense and, for the Peer Certificate Authority, set it to Global Root CA List.

You might also have to go to the console/ssh and use options 16 and then 11 to make PHP pick up that change; PHP's LDAP code caches some things weirdly.

If that doesn't fix it, start a new thread.

Offline SpaceBass

Re: LDAP worked in 2.3, broke in 2.4 - ssl issue?
« Reply #5 on: December 12, 2017, 10:27:57 am »
If it is this issue, then you must upgrade to pfSense 2.4.2 or later. Once you are on 2.4.2, you can edit the LDAP server entry on pfSense and for the Peer Certificate Authority, set it to Global Root CA List

This is a great fix BTW!
Fingers crossed that it migrates to FreeRADIUS package too :)