OpenVPN 25.1 -> LDAP bind error [; Can't contact LDAP server] after upgrade.

[gdur]

Just upgraded to 25.1 and ran into this problem. LDAP bind error [; Can't contact LDAP server].
I have tested the LDAP connection prior to the update and it was still operational.
This happened on 2 machines, one after the other. Where #2 is for backup purposes.
Using the OPNSense tester results in:
The following input errors were detected:
    Authentication failed.
    error: User DN not found

I checked the connectivity from the console:
nc xx.xx.x.x 389 -v -w 10 and the response is:Connection to xx.xx.x.x 389 port [tcp/ldap] succeeded!
So what is wrong with the upgrade?
Added on Sunday 2-2-2025:
Forgot to mention that this is related to OpenVPN.
I've created for some users a local password, added local database to instance settings of OpenVPN and these users are now able to login.

[gdur]

Just bringing this problem again under attention since there has not been a response thus far.
Is this problem related to https://forum.opnsense.org/index.php?topic=45606.0?
It's clear from post 45606.0 that some changes were made regarding the LDAP implementation but possibly I have missed what the consequences are for already existing LDAP users. Do I need to re-create all the existing LDAP users?

[RosIsTer]

Same here. Since upgrading to 25.1 LDAP users cannot login anymore with the error message given in this post.

I have already deleted an LDAP user and recreated it. But still cannot login with it.

[RosIsTer]

Second small update published. So I don't have the feeling this issue is going to get fixed.

@gdur Were you able to solve this somehow?

[dsvfhiubfdg]

i have the same issue...

[Patrick M. Hausen]

What does your bind DN look like?

[dsvfhiubfdg]

like that: `uid=testing-binder,ou=bindUsers,dc=somename,dc=net`

[Patrick M. Hausen]

Try cn= instead of uid= ...

[dsvfhiubfdg]

well thats wrong, since thats not the bind dn, why should that work, older opnsense versions work with exact same settings. thats not a fix.

[Patrick M. Hausen]

I know of no directory that uses uid= in a distinguished name. What directory is this? Active Directory uses cn=xyz,ou=...,dc=domain,dc=com. Hence my suggestion.

[passeri]

The documentation uses cn=

[RosIsTer]

My ldap user is

Code Select Expand

CN=LdapQuery,CN=Users,DC=my,DC=domain,DC=name. That's the same it was before the v25 upgrade. The directory behind is an Active Directory.
The same bind DN works perfectly with other applications authenticating against AD.

[dsvfhiubfdg]

I know of no directory that uses uid= in a distinguished name. What directory is this? Active Directory uses cn=xyz,ou=...,dc=domain,dc=com. Hence my suggestion.

The documentation uses cn=

its rfc2307bis openldap (slapd) and I think I know best which DN my binduser uses in LDAP, it's not as if opnsense is the first software to be connected via it.

[franco]

No LDAP server was ever slap'd in the making of OPNsense.

[Patrick M. Hausen]

If you can tolerate the "breach" of the password for a short amount of time, configure plain text LDAP over port 389 instead of LDAPS over 636 and use something like:

Code Select Expand

tcpdump -i <interface> -s0 -n -X port 389

to get a full trace of the conversation. That's what I do when new LDAP deployments don't work for obscure reasons.