pfSense

What's your server timeout set to in the LDAP auth server settings? It should be defaulting to 25s, you can lower it to 5-10s if it usually responds fast.

I never set up any timeout anywhere. The point is it tries to look up a local user in LDAP, over and over again, causing errors on every page in the GUI. Never seen this before. Clearly caused by the clear notices stuff in head.inc.

$display_notices = false;
$allow_clear_notices = false;

if (are_notices_pending()) {
        // Evaluate user privs to determine if notices should be displayed, and if the user can clear them.
        $user_entry = getUserEntry($_SESSION['Username']);
        if (userHasPrivilege($user_entry, "user-view-clear-notices") || userHasPrivilege($user_entry, "page-all")) {
                $display_notices = true;
                $allow_clear_notices = true;
        } elseif (userHasPrivilege($user_entry, "user-view-notices")) {
                $display_notices = true;
        }
}

Nuked the above code, sanity restored. It's evil, get it out of the head.inc please. (Plus, get_user_privileges() obviously shouldn't be looking up local users in LDAP.)

Introduced by https://github.com/pfsense/pfsense/pull/3322

I made PR https://github.com/pfsense/pfsense/pull/3538 to cache group/priv information within get_user_privileges() in the same way it is done in getAllowedPages()
That should keep it happy to check if (userHasPrivilege()) without constantly going back to the (not responding) LDAP or RADIUS server.

Can you test and comment?

(Code changes needed for 2.3.3 should be similar to what is in the PR for 2.4)

Phillip Davis wrote:

(Code changes needed for 2.3.3 should be similar to what is in the PR for 2.4)

The patch applies "as is" without any problems on 2.3.3. Yes, it works (except for the warnings noise), commented on the PR. Thanks.

See PR https://github.com/pfsense/pfsense/pull/3539 for a bug in ldap_get_groups() where it can return something that is not an array or false. That should be fixed regardless, and I would have thought is causing issues when LDAP is down in certain ways/settings.

I added a commit to https://github.com/pfsense/pfsense/pull/3538 that checks the $allowed_groups actually is an array. That will silence the warnings noise.

And a little bit of code formatting.

All in a clean single commit now as Pull Request https://github.com/pfsense/pfsense/pull/3540

Can we just revert https://github.com/pfsense/pfsense/pull/3322 for 2.3.3? This non-issue with displayed notices that users cannot clear has been there for ages.

Yes, the easy fix is to revert 3322 from 2.3.3. The extra functionality is not that exciting!

And this issue should probably be set to target version 2.3.3 so that it shows up in the 2.3.3 open issues.

Change reverted from RELENG_2_3 and RELENG_2_3_3

Yep, usable again. Thanks.