Messages - RosIsTer

#1
Good ideas.

I did some further tests. Apparently whatever I enter in there will not work if there are outer parentheses.

So this will not work:
(&(condition1)(condition2))

This does work:
&(condition1)(condition2)
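An added illustration of the behaviour described above (not OPNsense's own code): it assumes the authenticator wraps the extended query in its own pair of parentheses when composing the LDAP search filter, so the bare `&(...)(...)` form yields a well-formed filter while a pre-wrapped one becomes doubly wrapped and invalid. The `sAMAccountName` attribute, the username and the structural check are assumptions for the example.

```python
# Added illustration (not OPNsense's own code). It assumes the authenticator
# builds the search filter by wrapping the user's "extended query" in its own
# pair of parentheses (an assumption), which explains why a query that is
# already wrapped fails while the bare "&(...)(...)" form works.

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an RFC 4515 filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def is_valid_filter(f: str) -> bool:
    """Cheap structural check of an LDAP filter: one top-level group,
    balanced parentheses, no empty groups and no '((' (a '(' must be
    followed by an operator or an attribute, never by another '(')."""
    if not (f.startswith("(") and f.endswith(")")):
        return False
    if "()" in f or "((" in f:
        return False
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(f) - 1):
                return False  # closed too early / second top-level group
    return depth == 0


def compose_filter(user_attr: str, username: str, extended: str = "") -> str:
    """Combine the login lookup with the optional extended query.
    The username is escaped so a crafted login name cannot alter the filter."""
    base = f"({user_attr}={escape_filter_value(username)})"
    if not extended:
        return base
    return f"(&{base}({extended}))"  # assumed wrapping of the extended query


if __name__ == "__main__":
    for ext in ("&(condition1)(condition2)", "(&(condition1)(condition2))"):
        f = compose_filter("sAMAccountName", "alice", ext)
        print(f"{'valid  ' if is_valid_filter(f) else 'INVALID'} {f}")
```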
#2
I got it to work by emptying the extended query field.

See the linked bug report. It's being further discussed there.
#3
Thanks for trying to help!

Probably not a bad idea. I opened a bug report: https://github.com/opnsense/core/issues/8541
#4
No, I'm afraid not; I used the tester here. I hope the images are still readable; I had to resize them in order to attach them.

Not sure if frame no. 2 is of any significance.

A note about the configuration page of the LDAP server: The "select" button next to "Authentication containers" works fine and shows me all the entries I'd expect.

I can only emphasize that this worked flawlessly until the v25 upgrade. I was used to logging in only with my domain/LDAP account, not the local root account. I initiated the upgrade to v25 and right after the reboot I couldn't log in anymore.
There were also no changes to the domain controllers.

Just a note: there's also an Apache web server in the same subnet using LDAP auth for some resources with identical settings, and it works fine.
#5
Full authentication, so I logged out of the web GUI and tried to log in with an LDAP account.

I assume I can rule out a firewall rule anywhere blocking anything if the connection gets established in general. Between OPNsense and the domain controller there's only the packet filter of OPNsense itself and the personal firewall of the domain controller (which allows LDAP, of course).
#6
As far as I understand the capture result, the bind is successful, so the LDAP user isn't the problem.

However I'm struggling to understand what happens after that other than the disconnect.

The IP ending in 1 is OPNsense; 80 is a domain controller. There are more DCs, but for troubleshooting it's the only one I kept active on OPNsense.
#7
My LDAP user is CN=LdapQuery,CN=Users,DC=my,DC=domain,DC=name. That's the same as it was before the v25 upgrade. The directory behind it is an Active Directory.
The same bind DN works perfectly with other applications authenticating against AD.
#8
Second small update published, so I don't have the feeling this issue is going to get fixed.

@gdur Were you able to solve this somehow?
#9
Same here. Since upgrading to 25.1, LDAP users cannot log in anymore, with the error message given in this post.

I have already deleted an LDAP user and recreated it. But still cannot login with it.
#10
General Discussion / Re: Webfiltering rules
November 22, 2024, 02:08:28 PM
I don't think you're still waiting for an answer :).

But as I'm one of those who stumbled on your post while having the same question I wanted to share the answer I found for myself: https://docs.opnsense.org/manual/opnproxy.html

That's a "new" plugin that allows you to differentiate access between different hosts or subnets.