Regression #16474

open

No page assigned to this user

Added by Marcelo Cury about 2 months ago. Updated 8 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 25.11
Affected Architecture: 4100

Description

Hi team, I decided to help with the 25.11 beta testing and noticed an issue with LDAP authentication.

System logs:

2025-10-10T11:44:20.000Z    php-fpm[92881]: /index.php: Successful login for user 'CLIPPED' from: 192.168.10.13 (LDAP/rpi5)
2025-10-10T11:44:20.000Z    php-fpm[92881]: /index.php: Successful login for user 'CLIPPED' from: 192.168.10.13 (LDAP/rpi5)
2025-10-10T11:44:37.000Z    php-fpm[92881]: /index.php: Successful login for user 'CLIPPED' from: 192.168.10.13 (LDAP/rpi5)
2025-10-10T11:44:37.000Z    php-fpm[92881]: /index.php: Successful login for user 'CLIPPED' from: 192.168.10.13 (LDAP/rpi5)
2025-10-10T11:45:13.000Z    php-fpm[592]: /pkg_mgr_installed.php: ERROR! ldap_get_groups() could not bind to server rpi5.

Randomly, I get kicked out of the GUI with the following message:
"No page assigned to this user! Click here to logout."

The Diagnostics > Authentication tool works fine and confirms that I'm a member of the pfsense_admins group.
The pfsense_admins group has the following assigned privilege:

  • WebCfg - All pages: Allow access to all pages (admin privilege)

Other details:
Running on SSL/TLS: Port 636
The exact same configuration worked fine in 24.11.
If you need more details or additional tests, I'll be glad to help.

Actions #1

Updated by Jordan G about 2 months ago

Have you tested the same against pfSense+ 25.07.1?

Actions #2

Updated by Marcelo Cury about 2 months ago

Oh, my mistake. I was running 25.07.1 and not 24.11, sorry.

Other details (fixed):
Running on SSL/TLS: Port 636
The exact same configuration worked fine in 25.07.1.

If you need more details or additional tests, I'll be glad to help.

Actions #3

Updated by Marcelo Cury 8 days ago

I was able to identify and temporarily work around the issue.
When TLS/SSL is disabled and the hostname is changed to its IP address, authentication works perfectly.
(For this test I had to temporarily set the Samba setting "ldap server require strong auth = no" in smb.conf.)

As soon as I re-enable TLS/SSL, save the authentication server settings again, and use the SSH console option 16 - Restart PHP-FPM and option 11 - Restart GUI, the problem immediately returns: authentication fails as mentioned above.

After further testing, I began to suspect a DNS-related issue inside pfSense. The authentication server is configured with the hostname rpi5.home.arpa because my pcaps to the server IP were empty.

There is already a domain override configured under DNS Resolver:
Domain: home.arpa
IP address: 192.168.255.253 (my internal DNS server)

When I opened this existing domain override entry, made no changes, simply clicked Save and then Apply Changes, authentication started working again immediately and has remained stable since then.

It appears that pfSense somehow loses or fails to properly apply the DNS domain override for LDAP hostname resolution until the override entry is re-saved, but this only happens after a system update, in this case 25.07.1 to 25.11 RC (latest RC, tried a new update today).

Re-saving the entry (even without modifications) forces pfSense to refresh its internal DNS resolution cache for the authentication container, which resolves the problem.

Let me know if you need any additional logs or if I can help test a potential fix.

Thanks!!

Actions #4

Updated by Marcelo Cury 8 days ago

Spoke too soon.
"No page assigned to this user" is now appearing again, which indicates that the problem is no longer DNS or a connectivity problem between pfSense and the LDAP server, but a problem with groups in pfSense.
Note that this is a working config since it was running perfectly in 25.07.1.

Did two more actions and am now testing to confirm results.

1- Edited the pfsense_admins group and saved, no changes, just edit/save.
2- In System/User Manager/Settings, set Auth Refresh Time to 3600, save, then erase and leave default, save again.

I'll update this in case I see something new after a few days of testing.

Actions #5

Updated by Marcelo Cury 8 days ago

You can close this incident.
Changed from posixgroup to group and that is it...
It works in 25.07.1, but not with 25.11.

Anyway, thanks!!
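The root cause the reporter lands on in the last comment, a group object class mismatch, as an added example that is not pfSense's own code and not a reproduction of its ldap_get_groups(): the in-memory directory, the group-to-privilege mapping and all function names are constructed for illustration. It shows why a group lookup configured for posixGroup (memberUid holding login names) finds nothing when the server's groups are of class group (member holding DNs), so the user ends up with no privileges and, in the firewall's terms, no page assigned.

```python
from typing import Dict, List, Set

# Constructed in-memory directory (not a real LDAP server): DN -> attributes.
# A 'posixGroup' (RFC 2307) lists its members by login name in 'memberUid';
# a 'group' (Active Directory / Samba AD) lists them by full DN in 'member'.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=users,dc=home,dc=arpa": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
    },
    "cn=pfsense_admins,ou=groups,dc=home,dc=arpa": {
        "objectClass": ["group"],            # Samba AD style group
        "cn": ["pfsense_admins"],
        "member": ["uid=alice,ou=users,dc=home,dc=arpa"],
    },
    "cn=legacy_admins,ou=groups,dc=home,dc=arpa": {
        "objectClass": ["posixGroup"],       # RFC 2307 style group
        "cn": ["legacy_admins"],
        "memberUid": ["alice"],
    },
}

# Membership attribute and member identifier used by each group object class
# (keys are lower-cased because LDAP objectClass matching is case-insensitive).
GROUP_SCHEMAS = {
    "posixgroup": ("memberUid", "uid"),
    "group": ("member", "dn"),
    "groupofnames": ("member", "dn"),
}

# Constructed local group -> privilege mapping, standing in for the privileges
# assigned to groups in the user manager ("WebCfg - All pages" in the report).
GROUP_PRIVILEGES: Dict[str, Set[str]] = {
    "pfsense_admins": {"page-all"},
}


def ldap_get_groups(user_dn: str, group_object_class: str) -> List[str]:
    """Return the cn of every group of the configured object class that lists
    the user as a member. If the configured class does not match what the
    directory actually uses, the user is matched against the wrong attribute
    and the result is an empty list, even though the membership exists."""
    wanted = group_object_class.lower()
    attr, ident = GROUP_SCHEMAS[wanted]
    user = DIRECTORY[user_dn]
    needle = user_dn if ident == "dn" else user["uid"][0]
    found = []
    for entry in DIRECTORY.values():
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if wanted not in classes:
            continue
        if needle in entry.get(attr, []):
            found.append(entry["cn"][0])
    return sorted(found)


def effective_privileges(user_dn: str, group_object_class: str) -> Set[str]:
    """Union of the privileges of every group the lookup matched."""
    privs: Set[str] = set()
    for group in ldap_get_groups(user_dn, group_object_class):
        privs |= GROUP_PRIVILEGES.get(group, set())
    return privs


def page_assignment(user_dn: str, group_object_class: str) -> str:
    """Emulate the post-login decision: a session holding no page privilege
    at all cannot be given a landing page."""
    privs = effective_privileges(user_dn, group_object_class)
    if any(p.startswith("page-") for p in privs):
        return "ok"
    return "No page assigned to this user!"


if __name__ == "__main__":
    alice = "uid=alice,ou=users,dc=home,dc=arpa"
    for cls in ("posixGroup", "group"):
        print(f"{cls:11s} groups={ldap_get_groups(alice, cls)} "
              f"-> {page_assignment(alice, cls)}")
```

The practical check this suggests after an upgrade: query the group entry on the server (for example with ldapsearch) and compare its objectClass and whether membership is carried in member or memberUid with the object class configured on the authentication server; a membership test that succeeds in one tool does not prove the privilege lookup is using the same attribute.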
