Feature #15958
Need to be able to disable referrals in pam_ldap.conf
Status: open
Description
We discovered that when one of our offices was offline, we could not ssh to a firewall that used nss_ldap authentication. The connection would hang and then eventually fail with:
Connection closed by UNKNOWN port 65535
By running truss on the sshd process I was able to determine that it appears to be following ldap referrals and trying to contact all of the servers. Eventually it seems to hang trying to contact the AD server in the offline office and gets killed by an alarm:
91218: connect(8,{ AF_INET 10.X.X.X:636 },16) ERR#36 'Operation now in progress'
91218: poll({ 8/POLLOUT|POLLERR|POLLHUP },1,25000) ERR#4 'Interrupted system call'
91218: SIGNAL 14 (SIGALRM) code=SI_KERNEL
One thing I don't understand, though, is that earlier it tries to connect to that server but fails (as expected) with no route to host:
91218: socket(PF_INET,SOCK_STREAM,0) = 8 (0x8)
91218: fcntl(8,F_SETFD,FD_CLOEXEC) = 0 (0x0)
91218: setsockopt(8,SOL_SOCKET,SO_KEEPALIVE,0x358d312a2730,4) = 0 (0x0)
91218: setsockopt(8,IPPROTO_TCP,TCP_NODELAY,0x358d312a2730,4) = 0 (0x0)
91218: fcntl(8,F_GETFL,) = 2 (0x2)
91218: fcntl(8,F_SETFL,O_RDWR|O_NONBLOCK) = 0 (0x0)
91218: connect(8,{ AF_INET 10.X.X.X:636 },16) ERR#36 'Operation now in progress'
91218: poll({ 8/POLLOUT|POLLERR|POLLHUP },1,25000) = 1 (0x1)
91218: getpeername(8,0x358d312a25b0,0x358d312a2528) ERR#57 'Socket is not connected'
91218: read(8,0x358d312a252f,1) ERR#65 'No route to host'
91218: shutdown(8,2) ERR#57 'Socket is not connected'
91218: close(8) = 0 (0x0)
So why isn't it getting the no route to host message the second time? Perhaps it would, but the timeout comes before that.
I also don't really understand why it is needed to follow referrals. But I was able to regain access by setting:
referrals no
in /var/etc/pam_ldap.conf. So I think it would be helpful to be able to set that via the pfSense configuration.
This is with 24.11-RELEASE (amd64)
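The question in the report (why does one connect() to the same peer fail fast with "No route to host" while the next one hangs until SIGALRM?) is easiest to answer by correlating each connect() with the syscalls that follow it on the same fd. The script below is an added example, not code from the reporter or from pfSense: it parses truss(1) lines in the format shown above, tracks each non-blocking connect() until getpeername()/read() report a result, poll() returns, or a signal interrupts it, and lists the peers that never resolved. The trace it runs on is constructed for the example and modelled on the report (same PID, fd and errno values); the peer addresses 10.1.1.5 and 10.1.1.6 are assumptions, since the report masks them as 10.X.X.X.

```python
import re

# Constructed sample trace modelled on the truss(1) lines in the report above
# (same PID, fd and FreeBSD errno values). Peer addresses are assumptions.
# Attempt 1 fails fast (EHOSTUNREACH surfaces on read()), attempt 2 succeeds,
# attempt 3 sits in poll() until SIGALRM kills the process.
SAMPLE_TRACE = """\
91218: socket(PF_INET,SOCK_STREAM,0) = 8 (0x8)
91218: fcntl(8,F_SETFL,O_RDWR|O_NONBLOCK) = 0 (0x0)
91218: connect(8,{ AF_INET 10.1.1.5:636 },16) ERR#36 'Operation now in progress'
91218: poll({ 8/POLLOUT|POLLERR|POLLHUP },1,25000) = 1 (0x1)
91218: getpeername(8,0x358d312a25b0,0x358d312a2528) ERR#57 'Socket is not connected'
91218: read(8,0x358d312a252f,1) ERR#65 'No route to host'
91218: shutdown(8,2) ERR#57 'Socket is not connected'
91218: close(8) = 0 (0x0)
91218: socket(PF_INET,SOCK_STREAM,0) = 8 (0x8)
91218: connect(8,{ AF_INET 10.1.1.6:636 },16) ERR#36 'Operation now in progress'
91218: poll({ 8/POLLOUT|POLLERR|POLLHUP },1,25000) = 1 (0x1)
91218: getpeername(8,0x358d312a25b0,0x358d312a2528) = 0 (0x0)
91218: close(8) = 0 (0x0)
91218: socket(PF_INET,SOCK_STREAM,0) = 8 (0x8)
91218: connect(8,{ AF_INET 10.1.1.5:636 },16) ERR#36 'Operation now in progress'
91218: poll({ 8/POLLOUT|POLLERR|POLLHUP },1,25000) ERR#4 'Interrupted system call'
91218: SIGNAL 14 (SIGALRM) code=SI_KERNEL
"""

EINPROGRESS, EINTR = 36, 4  # FreeBSD errno values as they appear in the trace

SYSCALL_RE = re.compile(
    r"^(?P<pid>\d+): (?P<name>\w+)\((?P<args>.*)\)\s+"
    r"(?:= (?P<ret>\S+)|ERR#(?P<errno>\d+) '(?P<errmsg>[^']*)')"
)
SIGNAL_RE = re.compile(r"^(?P<pid>\d+): SIGNAL (?P<signum>\d+) \((?P<signame>\w+)\)")


def parse_line(line):
    """Turn one truss line into a dict; None for lines this parser does not model."""
    m = SIGNAL_RE.match(line)
    if m:
        return {"kind": "signal", "signame": m["signame"]}
    m = SYSCALL_RE.match(line)
    if not m:
        return None
    return {"kind": "syscall", "name": m["name"], "args": m["args"], "ret": m["ret"],
            "errno": int(m["errno"]) if m["errno"] else None, "errmsg": m["errmsg"]}


def analyze(trace_text):
    """Return one record per connect() in trace order, with the outcome that followed it."""
    attempts = []       # every connect() seen, in order
    pending = {}        # fd -> attempt still waiting for a result (non-blocking connect)
    interrupted = None  # attempt whose poll() hit EINTR; the next SIGNAL line names the cause
    for raw in trace_text.splitlines():
        ev = parse_line(raw.strip())
        if ev is None:
            continue
        if ev["kind"] == "signal":
            if interrupted is not None:
                interrupted["outcome"] = f"aborted by {ev['signame']} while in poll()"
                interrupted = None
            continue
        name, args = ev["name"], ev["args"]
        if name == "connect":
            fd = int(args.split(",", 1)[0])
            peer = re.search(r"AF_INET6? (\S+) }", args)
            att = {"fd": fd, "peer": peer.group(1) if peer else "?",
                   "outcome": None, "poll_timeout_ms": None}
            attempts.append(att)
            if ev["errno"] is None:
                att["outcome"] = "connected"        # blocking connect() completed at once
            elif ev["errno"] == EINPROGRESS:
                pending[fd] = att                   # non-blocking: the verdict comes later
            else:
                att["outcome"] = f"failed: {ev['errmsg']}"
        elif name == "poll":
            timeout_ms = int(args.rsplit(",", 1)[-1])
            for fd in (int(x) for x in re.findall(r"(\d+)/POLL", args)):
                att = pending.get(fd)
                if att is None or att["outcome"] is not None:
                    continue
                att["poll_timeout_ms"] = timeout_ms
                if ev["errno"] == EINTR:
                    interrupted = att               # a signal cut the wait short
                elif ev["ret"] == "0":
                    att["outcome"] = f"poll timed out after {timeout_ms} ms"
        elif name in ("getpeername", "read", "shutdown"):
            att = pending.get(int(args.split(",", 1)[0]))
            if att is None or att["outcome"] is not None:
                continue
            if ev["errno"] is None and name == "getpeername":
                att["outcome"] = "connected"        # getpeername() only succeeds once connected
            elif ev["errno"] is not None and ev["errmsg"] != "Socket is not connected":
                att["outcome"] = f"failed: {ev['errmsg']}"   # e.g. EHOSTUNREACH surfaced by read()
        elif name == "close":
            att = pending.pop(int(args.split(",", 1)[0]), None)
            if att is not None and att["outcome"] is None:
                att["outcome"] = "closed without result"
    return attempts


def stalled_peers(attempts):
    """Peers whose connect() never produced a verdict: these are what hold the login up."""
    stalled = {a["peer"] for a in attempts if a["outcome"]
               and (a["outcome"].startswith("aborted") or a["outcome"].startswith("poll timed out"))}
    return sorted(stalled)


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    for a in result:
        print(f"fd {a['fd']} -> {a['peer']:<14} poll={a['poll_timeout_ms']} {a['outcome']}")
    print("stalled peers:", stalled_peers(result))
```

Run against a real truss capture (`truss -p <sshd pid>` on the firewall, fed in on stdin or read from a file) the same functions separate the peers that answer quickly with an ICMP unreachable from the ones that silently drop SYNs until the alarm fires; the latter are the referral targets that `referrals no` stops the client from contacting at all.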