[SOLVED] Basic troubleshooting for LDAP authentication server

[CraigPutnam]

I am setting up OPNsense 15.7.18_1-amd64 (OpenSSL) hosted on ESXi-5.5.0. I am trying to set up an LDAP authentication server against a local Active Directory domain controller. When I click the Select button in the Containers section, I get the informative message: "Could not connect to the LDAP server. Please check your LDAP configuration."

So, my main question is, how in the world do I troubleshoot this? Are there any log files or other tests that could give me more information?

[weust]

Can't help you with logs, but do upgrade to the latest version before continuing any further.

This is how have set it up, excluding the basic information/settings.
Protocol version: 3
Bind credentials\User DN: domain\serviceaccount
Search scope\Level: One level
Base DN: DC=domain,DC=local
Authentication containers: use Select here. Should work if you got the previous settings filled in correctly.
Extended query: take the default IIRC. Been a while since I set it up.
User naming attribute: samAccountName

That work for me(tm)

[franco]

Hi Craig,

The ldap_bind() call is being muted in the code, that is indeed a bit hard to trace. I will try to improve the error reporting for 15.7.25 out on Monday.


Cheers,
Franco

[franco]

Some more hints may be hidden here... http://php.net/manual/de/function.ldap-bind.php#103034

[CraigPutnam]

The ldap_bind() call is being muted in the code, that is indeed a bit hard to trace. I will try to improve the error reporting for 15.7.25 out on Monday.

Much appreciated. The better the error messages, the faster I can figure out how and why I'm being stupid.

Can't help you with logs, but do upgrade to the latest version before continuing any further.

Good idea, so I did that. I like the updated menu layout.

I managed to resolve the issue, mostly by poking around and thinking really hard like a bear of very little brain. I had pointed the system to external DNS servers, but I was trying to resolve an internal host... Like I said, very little brain.

Once I pointed to a DNS server that could actually resolve my domain controller, everything worked great. I did notice one UI issue that might cause issues for others. The authentication containers selection window is non-resizeable (at least in IE 11), so if you have more than 7 containers, they spill off the bottom of the window. I resolved it by narrowing the search scope, but users in a complex organization would probably have to resort to typing the container DNs by hand.

Thanks for everyone's help!

[franco]

Hi Craig,

Glad this worked out ok. I've relaxed the priority for the issue a little, but it's on file: https://github.com/opnsense/core/issues/669

Your suggestion has been filed as well: https://github.com/opnsense/core/issues/673


Cheers,
Franco