OpenVPN 25.1 -> LDAP bind error [; Can't contact LDAP server] after upgrade.

Started by gdur, February 01, 2025, 03:59:08 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
April 11, 2025, 10:24:50 PM #15 Last Edit: April 12, 2025, 11:19:43 AM by RosIsTer
As far as I understand the capture result the bind is successful, so the ldap user isn't the problem.

However I'm struggling to understand what happens after that other than the disconnect.

IP ending on 1 is Opnsense, 80 is a domain controller. There are more DCs, but for troubleshooting it's the only one I kept active on Opnsense.
April 11, 2025, 10:49:52 PM #16
The LDAP bind should be followed by an LDAP search request, which it did not in your screen shot. Did you try a full authentication or the "tester" in OPNsense?

Maybe something with base DN, LDAP filter or some such ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
April 12, 2025, 11:18:51 AM #17 Last Edit: April 12, 2025, 11:27:38 AM by RosIsTer
Full authentication, so logged out of the web gui and tried to login with an ldap account.

I assume I can rule out a firewall rule anywhere blocking anything if the connection gets established in general. Between Opnsense there's only the packet filter of Opnsense itself and the personal firewall of the Domain controller (which allows LDAP of course).
April 12, 2025, 12:33:49 PM #18
Hmmm ... can you try the tester? There must be an LDAP search following the bind ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
April 12, 2025, 03:54:31 PM #19
No, I'm afraid not, used the tester here. I hope the images are still readable, had to resize them in order to attach them.

Not sure if frame nr. 2 is of any significance.

A note about the configuration page of the LDAP server: The "select" button next to "Authentication containers" works fine and shows me all the entries I'd expect.

I can only emphasize this worked flawlessly until the v25 upgrade. I was used to logging in only with my domain/ldap account, not the local root account. I initiated the upgrade to v25 and right after the reboot I couldn't login anymore.
There were also no changes to the domain controllers.

Just a note: There's also an Apache webserver in the same subnet using LDAP auth for some resources with equal settings - works fine.
April 12, 2025, 05:45:12 PM #20
That looks like some extra characters in the search string - to which the server probably correctly responds with "NO_OBJECT". Weird.

I'm sorry, I only run LDAP for OpenVPN without issues so I cannot reproduce it easily. I just happen to know LDAP a bit from years of experience with AD, so I chimed in.

I'd file a bug on github.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
April 12, 2025, 10:09:42 PM #21
Thanks for trying to help!

Probably not a bad idea. I opened a bug report: https://github.com/opnsense/core/issues/8541
April 14, 2025, 12:47:34 PM #22
its not a new deployment, its already used in production on older 24.7 releases.

I planed to upgrade and thats the point where i cant because of an update that bricked something, and i am not alone.

With no encryption I cannot reproduce the problem with our test ldap, hopefully it is clear that you should not use it productively, the productive ldap is LDAPS only.



with LDAPS im getting exactly the same on our testing LDAP which speaks LDAPS as well as LDAP.
2025-04-14T10:46:48    Error    opnsense    LDAP bind error [; Can't contact LDAP server]

What do i need to provide so we can debug this more?
April 14, 2025, 10:03:00 PM #23
I got it to work by emptying the extended query field.

See the linked bug report. It's being further discussed there.
April 15, 2025, 12:23:54 AM #24 Last Edit: April 15, 2025, 12:29:05 AM by Patrick M. Hausen
Now THAT's interesting ... thanks for keeping us informed.

I just had to check - I do use extended query and I do not experience your problem. I use it to limit access to a particular group by matching "memberOf". But I did not put an outer pair of parentheses in the field. Want to try using just "objectClass=person"?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
April 15, 2025, 07:56:43 AM #25 Last Edit: April 15, 2025, 07:58:14 AM by franco
Parenthesis shouldn't matter here as sooner or later the query parts are wrapped in extra parenthesis in order to construct the full search string. Apparently case also wasn't the issue so this remains a bit elusive...


Cheers,
Franco
April 15, 2025, 11:47:42 PM #26
Good ideas.

I did some further tests. Apparently whatever I enter in there will not work if there are outer parenthesis.

So this will not work:
(&(condition1)(condition2))

This does work:
&(condition1)(condition2)
April 16, 2025, 10:19:59 AM #27
If the OPNsense code adds another pair of outer parentheses, probably "(filter)" is valid while "((filter))" is not. I could not find a full spec, i.e. EBNF just right now. The LDAP RFC hand simply refers to X.500 and ASN.1, unfortunately, and I'm not going down that rabbit hole just now.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
April 16, 2025, 11:01:44 AM #28
I made a note here because some claims regarding wrong defaults and unclear documentation were made... https://github.com/opnsense/core/issues/8541#issuecomment-2808614328
April 16, 2025, 11:21:19 AM #29
I added some explanation to what is probably going on.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Print
Go Up Pages 1 2
User actions