Hi guys,
I am trying to set up a working LDAP auth server connection, but the only response I get when I click "Select" to show the Authentication containers is a blank popup - and in my logs I can see "opnsense: LDAP bind error (Can't contact LDAP server)". I am using StartTLS and I suppose there must be an error in my config, but I cannot figure out what to change.
My server has a certificate with its FQDN set as CN and the (self-signed) root and intermediate CAs are added (as separate entries) to the list of CAs shown via "System" -> "Trust" -> "Authorities".
If I try the following script (I put it in the same directory as all the other PHP files, i.e. /usr/local/www) using the values from the LDAP config page, I get a list of all attributes for "my.user":
<?php
$ldap = "ldap-srv.mydomain.com";
$usr  = "uid=srv-acc,ou=serviceaccounts,dc=sub,dc=mydomain,dc=com";
$pwd  = "secret";

$ds = ldap_connect($ldap);
$ldapbind = false;
// LDAPv3 is required for StartTLS; referral chasing is off as in the OPNsense config
if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)
    && ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)
    && ldap_start_tls($ds)) {
    $ldapbind = ldap_bind($ds, $usr, $pwd);
}
if (!$ldapbind) {
    // report the LDAP error instead of silently searching on an unbound handle
    die("StartTLS/bind failed: " . ldap_error($ds) . "\n");
}
$ldapse = ldap_search($ds, "dc=sub,dc=mydomain,dc=com", "uid=my.user");
var_dump(ldap_get_entries($ds, $ldapse));
ldap_close($ds);
?>
The same username and password work if I use them inside an LDAP auth stanza in my Apache2 config.
I also tried setting "TLS_REQCERT never" in /usr/local/etc/openldap/ldap.conf but that doesn't change anything.
Can anybody tell me what I am doing wrong?
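The script above accepts whatever certificate the server presents, so it cannot tell whether the CA chain imported into OPNsense would actually validate it. The following is an added diagnostic (not from the post or from OPNsense) that runs the same StartTLS-then-bind sequence but with certificate verification forced against an explicit CA file and prints the server's diagnostic message on failure; the hostname, bind DN, password and the CA bundle path are placeholders.

```php
<?php
// Added diagnostic: StartTLS with certificate verification enforced.
// Host, bind DN, password and CA file path are assumed placeholders;
// the CA file is expected to hold the root and intermediate CA PEMs concatenated.
$host   = 'ldap-srv.mydomain.com';
$bindDn = 'uid=srv-acc,ou=serviceaccounts,dc=sub,dc=mydomain,dc=com';
$pwd    = 'secret';
$caFile = '/usr/local/etc/ssl/ldap-ca-chain.pem'; // assumed path

// Print the LDAP result plus the server-side diagnostic message, if any.
function diag($ds, string $stage): void
{
    $msg = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $msg);
    fprintf(STDERR, "%s: %s (errno %d)%s\n",
        $stage, ldap_error($ds), ldap_errno($ds), $msg !== '' ? " / $msg" : '');
}

// TLS trust options are global and must be set before ldap_start_tls() (PHP >= 7.1).
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ds = ldap_connect("ldap://$host");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// With REQUIRE_CERT=demand a chain that does not validate fails right here,
// before any credentials are sent.
if (!@ldap_start_tls($ds)) {
    diag($ds, 'StartTLS failed');
    exit(1);
}
if (!@ldap_bind($ds, $bindDn, $pwd)) {
    diag($ds, 'Bind failed');
    exit(1);
}
echo "StartTLS and bind succeeded with certificate verification enforced\n";
ldap_unbind($ds);
```

If StartTLS fails here with a verification error, the CA chain (or the certificate's CN/SAN versus the hostname used) is the thing to fix; if it succeeds against the same CA file, the firewall's failure is not a trust-store problem.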