Bug #11615

closed

OpenVPN + Ldap broken in 21.02-RELEASE-p1

Added by Luc Suryo about 3 years ago. Updated about 3 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
03/03/2021
Due date:
% Done:

0%

Estimated time:
Release Notes:
Affected Plus Version:
Affected Architecture:

Description

We recently upgraded to 21.02-RELEASE-p1 (AWS).
And since then we see an odd behavior that prevents users from logging in.

OpenLDAP on the LAN

tests

System -> User Manager -> Settings
Authentication Servers : OK
Settings : OK

Diagnostics -> Authentication -> Authentication Server -> Local Database
user in local backend database and LDAP : OK
user only in LDAP : ERROR : which is correct

Diagnostics -> Authentication -> Authentication Server -> LDAP-SERVER
user in local backend database and LDAP : OK
user only in LDAP : OK

Setup OpenVPN

Backend for authentication -> Local database : works as designed
LDAP users cannot log in

Backend for authentication -> Local database + LDAP : ERROR
except if the user is in the admins group (there is an admins group in LDAP)

Backend for authentication -> LDAP : OK for LDAP only user and OK for local user that are admins and in LDAP

issue 2: the username is normally firstname.lastname (note the dot) : this does not work if the user is in LDAP only
issue 3: if we set OpenVPN to use local database + LDAP : some LDAP users can VPN, some can not

right now we got it working by setting up this configuration:
1. local users are also in LDAP
2. OpenVPN set to only do LDAP and no local database

tested on 2 different pfSense instances (AWS in 2 different regions) and we see the same behavior; never seen this on the version prior to 21.02 (2.4.5)

Actions #1

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Duplicate

Almost certainly a duplicate of #4521 (See notes there with attached patches to try).

If that doesn't help, please post on the forum for assistance first.

Actions #2

Updated by Luc Suryo about 3 years ago

I do not believe this is a duplicate.
Here is the longest cert:

1) ST=CA, OU=XXXXXX, O=XXXXXX Technologies Inc, L=XXXXXXX XXXX, CN=XXXXXXXX.XXXXXXXXXX, C=US
So that is 90 chars, not even close to the 250 chars; mind that the same cert (2) works as long as I set OpenVPN to do LDAP only.

Now made shorter (using only the first name):
2) ST=CA, OU=XXXXXX, O=XXXXXX Technologies Inc, L=XXXXXXX XXXX, CN=XXXXXXXX, C=US

- 2 users (A and B) : cert like (2) : so first name only
- both of these 2 users are NOT in the local database
- both of these 2 users are in LDAP in the same group (vpn)
- both tested that the password is correct, tested both on the LDAP server as well as on the pfSense instance (remember we are on AWS)

openvpn : local database + ldap
- user A : no issue
- user B : unable to login

openvpn : ldap only
- user A : no issue
- user B : no issue

This indicates to me this is not a cert issue, and the issue makes zero sense to me :-(

Actions #3

Updated by Jim Pingle about 3 years ago

Read all of the recent notes; it's a general problem with fcgicli that manifests in multiple ways, including validating certs and validating credentials.
