LDAP bind error [; Invalid credentials]

Started by Scrappy, June 01, 2023, 09:11:28 AM

June 01, 2023, 09:11:28 AM Last Edit: June 01, 2023, 10:45:33 AM by Scrappy
This is probably a dumb question, but I'm new to both OPNsense and OpenLDAP, and to LDAP in general. I've found that this is a generic error message, but because of my inexperience I don't know what the fault is. I'm running OpenLDAP on a standalone server and connecting across the LAN to openldap.jwl.com. It has a Let's Encrypt wildcard certificate configured for TLS.

My OpenLDAP server is configured with the domain dc=jwl,dc=com, and I want the domain admin user to be able to configure OPNsense. That user is configured like this: uid=scrappy,ou=Users,dc=jwl,dc=com.

I have managed to connect to the OpenLDAP server from OPNsense using ldapsearch with the OpenLDAP config credentials, but I cannot connect with the domain admin user. I keep getting an invalid credentials error. When I check the password in phpLDAPadmin, the password is correct. It uses argon2, if that makes a difference.

I managed to save the OPNsense access credentials for OpenLDAP, but I just get the same error message.

The error message is so generic and I'm not sure how to gather anything else useful.
Can anyone offer some advice on how to proceed?

Further investigation reveals:

Jun 02 06:08:24 openldap slapd[333]: => access_allowed: result not in cache (userPassword)
Jun 02 06:08:24 openldap slapd[333]: => access_allowed: auth access to "uid=scrappy,ou=Users,dc=jwl,dc=com" "userPassword" requested
Jun 02 06:08:24 openldap slapd[333]: => dn: [1] ou=idmaps,dc=jwl,dc=com
Jun 02 06:08:24 openldap slapd[333]: => dn: [2] ou=idmaps,dc=jwl,dc=com
Jun 02 06:08:24 openldap slapd[333]: => dn: [3] ou=hosts,dc=jwl,dc=com
Jun 02 06:08:24 openldap slapd[333]: => dn: [4] ou=hosts,dc=jwl,dc=com
Jun 02 06:08:24 openldap slapd[333]: => dn: [5] ou=users,dc=jwl,dc=com
Jun 02 06:08:24 openldap slapd[333]: => acl_get: [5] matched
Jun 02 06:08:24 openldap slapd[333]: => acl_get: [5] attr userPassword
Jun 02 06:08:24 openldap slapd[333]: => acl_mask: access to entry "uid=scrappy,ou=Users,dc=jwl,dc=com", attr "userPassword" requested
Jun 02 06:08:24 openldap slapd[333]: => acl_mask: to value by "", (=0)
Jun 02 06:08:24 openldap slapd[333]: <= check a_dn_pat: self
Jun 02 06:08:24 openldap slapd[333]: <= check a_dn_pat: anonymous
Jun 02 06:08:24 openldap slapd[333]: <= acl_mask: [2] applying auth(=xd) (stop)
Jun 02 06:08:24 openldap slapd[333]: <= acl_mask: [2] mask: auth(=xd)
Jun 02 06:08:24 openldap slapd[333]: => slap_access_allowed: auth access granted by auth(=xd)
Jun 02 06:08:24 openldap slapd[333]: => access_allowed: auth access granted by auth(=xd)

but I just get the invalid credentials message. It looks like this is an OpenLDAP configuration issue related to permissions. It'd be good if OpenLDAP had a support forum, but it's not active.
I hope I've interpreted this log entry correctly. I'll look into the ACL for this user if I can find it.

So it turns out to be an OpenLDAP problem. The phpLDAPadmin interface allows me to change the password to argon2, but ldapsearch won't validate the credentials when that's done. If I change it back to md5 it works fine.

It's difficult to know where to turn. Nothing on Google seems to help.
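One way to read the slapd debug output quoted above: a simple bind is evaluated with an empty bind DN (`by ""`) because the password has not been verified yet, and the `anonymous auth` rule grants `auth` access to `userPassword`, so the ACLs are not what rejects the bind. The remaining difference between the two test runs is the stored hash scheme. The Python script below is an added example by the editor, not code from the post, OPNsense or OpenLDAP: it parses those log lines to confirm the ACL decision, classifies a `userPassword` value by its `{SCHEME}` prefix, and combines the two into a diagnosis. The scheme-to-module mapping is the editor's assumption based on the OpenLDAP 2.5/2.6 module set: slapd verifies `{ARGON2}` only when the pw-argon2 module (argon2.so) is loaded, which matches the observation that argon2 fails while md5 works. The hash strings at the bottom are constructed placeholders.

```python
import re

# Constructed sample: the slapd ACL debug lines quoted in the post, reduced
# to the lines that carry the decision (same text, same DN).
SAMPLE_LOG = """\
Jun 02 06:08:24 openldap slapd[333]: => access_allowed: auth access to "uid=scrappy,ou=Users,dc=jwl,dc=com" "userPassword" requested
Jun 02 06:08:24 openldap slapd[333]: => acl_mask: to value by "", (=0)
Jun 02 06:08:24 openldap slapd[333]: <= check a_dn_pat: self
Jun 02 06:08:24 openldap slapd[333]: <= check a_dn_pat: anonymous
Jun 02 06:08:24 openldap slapd[333]: <= acl_mask: [2] applying auth(=xd) (stop)
Jun 02 06:08:24 openldap slapd[333]: => access_allowed: auth access granted by auth(=xd)
"""

REQ_RE = re.compile(r'access_allowed: (\w+) access to "([^"]+)" "(\w+)" requested')
GRANT_RE = re.compile(r'access_allowed: (\w+) access granted by (\w+)\(')
DENY_RE = re.compile(r'access_allowed: (\w+) access denied by')
BY_RE = re.compile(r'acl_mask: to value by "([^"]*)"')


def acl_auth_decision(log_text):
    """Summarise what the ACL check in a slapd debug log decided for a bind.

    bound_as == "" means the check ran as anonymous, which is normal for a
    simple bind: the ACL is consulted before the password is compared.
    """
    info = {"dn": None, "attr": None, "bound_as": None,
            "requested": None, "granted": None, "granted_by": None}
    for line in log_text.splitlines():
        if (m := REQ_RE.search(line)):
            info["requested"], info["dn"], info["attr"] = m.group(1), m.group(2), m.group(3)
        elif (m := BY_RE.search(line)):
            info["bound_as"] = m.group(1)
        elif (m := GRANT_RE.search(line)):
            info["granted"], info["granted_by"] = True, m.group(2)
        elif DENY_RE.search(line):
            info["granted"] = False
    return info


# Schemes slapd verifies on its own, versus schemes that need a separately
# loaded password module. Editor's assumption from the OpenLDAP 2.5/2.6
# module set; {ARGON2} in particular comes from pw-argon2 (argon2.so).
BUILTIN_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CLEARTEXT"}
MODULE_SCHEMES = {
    "ARGON2": "pw-argon2 (argon2.so)",
    "PBKDF2": "pw-pbkdf2", "PBKDF2-SHA1": "pw-pbkdf2",
    "PBKDF2-SHA256": "pw-pbkdf2", "PBKDF2-SHA512": "pw-pbkdf2",
    "SHA256": "pw-sha2", "SHA384": "pw-sha2", "SHA512": "pw-sha2",
    "SSHA256": "pw-sha2", "SSHA384": "pw-sha2", "SSHA512": "pw-sha2",
}


def password_scheme(user_password):
    """Classify a stored userPassword value by its {SCHEME} prefix."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", user_password)
    if not m:
        return {"scheme": None, "needs_module": False,
                "note": "no scheme prefix: value is compared as cleartext"}
    scheme = m.group(1).upper()
    if scheme in MODULE_SCHEMES:
        return {"scheme": scheme, "needs_module": True,
                "note": f"slapd verifies {{{scheme}}} only with {MODULE_SCHEMES[scheme]} loaded"}
    if scheme in BUILTIN_SCHEMES:
        return {"scheme": scheme, "needs_module": False,
                "note": f"{{{scheme}}} is verified by slapd without extra modules"}
    return {"scheme": scheme, "needs_module": None,
            "note": f"unknown scheme {{{scheme}}}: check which password modules slapd loaded"}


def diagnose_bind_failure(log_text, user_password):
    """Answer the post's question: is 'Invalid credentials' an ACL problem,
    a hash-scheme problem, or simply a wrong password / bind DN?"""
    acl = acl_auth_decision(log_text)
    pw = password_scheme(user_password)
    if acl["granted"] is False:
        return "acl"          # ACL never allowed auth access to userPassword
    if pw["needs_module"]:
        return "scheme"       # ACL is fine; the stored hash needs a module
    return "credentials"      # ACL fine, scheme supported: check password/DN


if __name__ == "__main__":
    # Constructed placeholder hash values, not real hashes.
    for pw in ("{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$placeholder$placeholder",
               "{MD5}placeholder=="):
        print(pw.split("}")[0] + "}", "->", diagnose_bind_failure(SAMPLE_LOG, pw),
              "|", password_scheme(pw)["note"])
```

Run it against a copy of the real `slapd -d acl` output and the `userPassword` value exported with ldapsearch (as the config credentials, which can read it) to see which of the three branches applies before changing anything on the server.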