Project

General

Profile

Actions

Bug #11644

closed

Unreachable LDAP server for SSH auth causes boot process to stop at at 'Synchronizing user settings' and no user can login over SSH

Added by Sietse van Zanen 7 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
Start date:
03/10/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:
All

Description

When the configured LDAP server is unreachable pfSense will get stuck on 'synchronizing user settings' indefinitely during boot.
Also no user is able to log on through SSH in that case. Log in times out after 5 minutes and then connection is closed.
This renders the firewall pretty much unusable.

When LDAP server is unreachable PAM will just keep trying to connect to it and will refuse to even authenticate local users.
Mar 8 07:56:56 rdifw01 sshd62683: nss_ldap: ldap_start_tls failed: Timed out
Mar 8 08:01:47 rdifw01 sshd93520: pam_ldap: ldap_starttls_s: Connect error
Mar 8 08:01:47 rdifw01 sshd93520: pam_ldap: ldap_starttls_s: Connect error
Mar 8 12:11:27 rdifw01 sshd22906: pam_ldap: ldap_starttls_s: Connect error
Mar 8 12:11:27 rdifw01 sshd22906: pam_ldap: ldap_starttls_s: Connect error
Mar 8 14:14:01 rdifw01 sshd61612: pam_ldap: ldap_starttls_s: Connect error
Mar 8 14:14:02 rdifw01 sshd61612: pam_ldap: ldap_starttls_s: Connect error
.......

During boot, system gets stuck on the following code in auth.inc
function get_user_privileges(& $user) {
.....
if ($authcfg['type'] == "ldap") {
....
$allowed_groups = @ldap_get_groups($user['name'], $authcfg);

The system will keep trying to reach an inherently unreachable LDAP server behind IPSEC tunnel, which is only started after synchronizing user settings.
I have worked around this by moving the user sync and cron setup to below ipsec initialization in rc.bootup.
However dynamic routing is a bigger issue if required to reach the LDAP server, because FRR / Quagga will be started after rc.bootup is complete. I have to log on to GUI and start FRR ospf manually, and only then system will continue booting.

To me it just seems like an incredibly bad idea to make booting dependent upon network services the firewall is supposed to protect. But then again, I have only been designing software for the better part of 40 years, so what do I know. And if these dependencies are needed, at the very least the system should not try to reach these services indefinitely, but bail out after a reasonable period.

Actions #1

Updated by Viktor Gurov 7 months ago

  • Status changed from New to Confirmed

auth.inc is ok,
issue in pam_ldap module
related to #8698

Actions #2

Updated by Jim Pingle 7 months ago

  • Subject changed from Boot stuck indefinitely on 'Synchronizing user settings' and no user (inc root) able to log on through SSH (Unreachable LDAP) to Unreachable LDAP server for SSH auth causes boot process to stop at at 'Synchronizing user settings' and no user can login over SSH
  • Target version set to 2.6.0

Rare enough case, and not in our code, that it's going to be a more long-term correction, if there is anything we can do.

Actions #4

Updated by Jim Pingle 6 months ago

  • Status changed from Confirmed to Pull Request Review
  • Target version changed from 2.6.0 to 2.5.1
Actions #5

Updated by Renato Botelho 6 months ago

  • Assignee set to Viktor Gurov

Merged and cherry-picked to 2.5.1

Actions #6

Updated by Renato Botelho 6 months ago

  • Status changed from Pull Request Review to Feedback
Actions #7

Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Closed
Actions

Also available in: Atom PDF