Bug #11644
Status: closed
Unreachable LDAP server for SSH auth causes boot process to stop at 'Synchronizing user settings' and no user can login over SSH
Done: 0%
Description
When the configured LDAP server is unreachable pfSense will get stuck on 'synchronizing user settings' indefinitely during boot.
Also, no user is able to log on through SSH in that case. Login times out after 5 minutes and then the connection is closed.
This renders the firewall pretty much unusable.
When the LDAP server is unreachable, PAM will just keep trying to connect to it and will refuse to even authenticate local users.
Mar 8 07:56:56 rdifw01 sshd62683: nss_ldap: ldap_start_tls failed: Timed out
Mar 8 08:01:47 rdifw01 sshd93520: pam_ldap: ldap_starttls_s: Connect error
Mar 8 08:01:47 rdifw01 sshd93520: pam_ldap: ldap_starttls_s: Connect error
Mar 8 12:11:27 rdifw01 sshd22906: pam_ldap: ldap_starttls_s: Connect error
Mar 8 12:11:27 rdifw01 sshd22906: pam_ldap: ldap_starttls_s: Connect error
Mar 8 14:14:01 rdifw01 sshd61612: pam_ldap: ldap_starttls_s: Connect error
Mar 8 14:14:02 rdifw01 sshd61612: pam_ldap: ldap_starttls_s: Connect error
.......
During boot, the system gets stuck on the following code in auth.inc:
function get_user_privileges(& $user) {
.....
if ($authcfg['type'] == "ldap") {
....
$allowed_groups = @ldap_get_groups($user['name'], $authcfg);
The system will keep trying to reach an inherently unreachable LDAP server behind an IPsec tunnel, which is only started after synchronizing user settings.
I have worked around this by moving the user sync and cron setup to below the IPsec initialization in rc.bootup.
However, dynamic routing is a bigger issue if it is required to reach the LDAP server, because FRR / Quagga will be started after rc.bootup is complete. I have to log on to the GUI and start FRR OSPF manually, and only then will the system continue booting.
To me it just seems like an incredibly bad idea to make booting dependent upon network services the firewall is supposed to protect. But then again, I have only been designing software for the better part of 40 years, so what do I know. And if these dependencies are needed, at the very least the system should not try to reach these services indefinitely, but bail out after a reasonable period.
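The failure mode in this report is an unbounded LDAP lookup on the boot and login path. The following is an added example (written for this page; it is not pfSense code and does not reproduce auth.inc) showing how a group lookup can be bounded with a network timeout and how the caller falls back to local accounts when the directory is unreachable. The configuration keys ($cfg['uri'], $cfg['starttls'], $cfg['bind_dn'], $cfg['bind_pw'], $cfg['group_base'], $cfg['type'], $user['local_groups']) are hypothetical names chosen for this example, not pfSense's $authcfg layout.

```php
<?php
// Added example, not pfSense code. Config keys are hypothetical.
// Goal: an LDAP server that never answers must cost at most $timeout
// seconds, and must never block authentication of local users.

function ldap_groups_bounded(string $username, array $cfg, int $timeout = 5): ?array
{
    // Returns the user's group names, or null when the directory could not be
    // reached or queried within $timeout seconds. The caller treats null as
    // "LDAP unavailable" and falls back instead of retrying indefinitely.
    $ds = @ldap_connect($cfg['uri']);   // lazy in PHP: no network traffic yet
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // NETWORK_TIMEOUT bounds the TCP connect and the StartTLS/bind round trip;
    // TIMELIMIT bounds how long the server may spend on each search.
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $timeout);
    ldap_set_option($ds, LDAP_OPT_TIMELIMIT, $timeout);

    if (!empty($cfg['starttls']) && !@ldap_start_tls($ds)) {
        // This is the step that logs "ldap_start_tls failed: Timed out" in the report.
        syslog(LOG_WARNING, "ldap: StartTLS to {$cfg['uri']} failed: " . ldap_error($ds));
        ldap_unbind($ds);
        return null;
    }
    if (!@ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw'])) {
        syslog(LOG_WARNING, "ldap: bind to {$cfg['uri']} failed: " . ldap_error($ds));
        ldap_unbind($ds);
        return null;
    }

    // Escape the username so it cannot alter the filter structure.
    $safe   = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=posixGroup)(memberUid={$safe}))";
    $res    = @ldap_search($ds, $cfg['group_base'], $filter, ['cn']);
    if ($res === false) {
        syslog(LOG_WARNING, "ldap: group search failed: " . ldap_error($ds));
        ldap_unbind($ds);
        return null;
    }
    $entries = ldap_get_entries($ds, $res);
    ldap_unbind($ds);

    $groups = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $groups[] = $entries[$i]['cn'][0];
    }
    return $groups;
}

function get_user_groups(array $user, array $cfg): array
{
    // Hypothetical caller standing in for the lookup the report quotes.
    // A directory outage degrades to local group membership; it never blocks.
    if (($cfg['type'] ?? '') === 'ldap') {
        $remote = ldap_groups_bounded($user['name'], $cfg);
        if ($remote !== null) {
            return $remote;
        }
        syslog(LOG_WARNING, "ldap unavailable; using local groups for {$user['name']}");
    }
    return $user['local_groups'] ?? [];
}

// Constructed sample input: a server that will not answer on a routable
// but silent address, so the call returns within the timeout.
$cfg  = [
    'type'       => 'ldap',
    'uri'        => 'ldaps://ldap.example.invalid',
    'starttls'   => false,
    'bind_dn'    => 'cn=reader,dc=example,dc=invalid',
    'bind_pw'    => 'placeholder',
    'group_base' => 'ou=groups,dc=example,dc=invalid',
];
$user = ['name' => 'admin', 'local_groups' => ['admins']];
$start = microtime(true);
$groups = get_user_groups($user, $cfg);
printf("groups=%s after %.1fs\n", implode(',', $groups), microtime(true) - $start);
```

The same bound is needed on the PAM/NSS side that the report's log lines come from: the PADL nss_ldap and pam_ldap modules read their limits from ldap.conf, where `bind_policy soft` stops indefinite reconnect attempts and `bind_timelimit` / `timelimit` cap the connect and search times. Check the options against the version actually shipped on the system before relying on them, and keep a local account that does not depend on the directory at all for console and SSH recovery.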