Marco Shmerykowsky
2020-Sep-15 15:33 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
I've been trying to set up OPENVPN on a Netgate appliance running pfsense.

Initially, the authentication server I created appears to function. A connection is made, the "bind" is completed and the organizational units are fetched from the server and returned.

A few minutes later - without making any changes - the same test returns the following errors:

php-fpm 67757 /system_usermanager_settings.php: ERROR! ldap_get_groups() could not bind to server ADS-server.
php-fpm 67757 /system_usermanager.php: ERROR! ldap_get_groups() could not bind to server ADS-server.

I've tried restarting PHP-FPM and webconfigurator, but that doesn't seem to solve the problem.

I've configured an authentication server as follows:

hostname: samba.internal.external.com
    (This resolves to the IP with a hostname entry)
port: 636
Transport: SSL-Encrypted
Peer Certificate Authority: Samba-CA (imported from samba's ca.pem file)
Client Certificate: Samaba-server-cert (imported from samba's cert.pem and key.pem files)
Protocol: 3
Server Timeout: 25
Search Scope: Entire Subtree
Base DN: DC=internal,DC=external,DC=com
Auth. Container: CN=Users,DC-internal,DC=external,DC=com
Enable Extended Query:
  Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com
Bind credentials:
  user: CN=binduser,CN=Users,DC-internal,DC=external,DC=com
  passwd: apassword
User naming attribute: samAccountName
Group naming attribute: cn
Group member attribute: memberof

This seems like it should be straightforward. What am I missing?

Thanks

-- Marco
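Before testing a bind it is worth checking that every DN in the configuration above actually parses, because a DN that does not parse cannot identify an entry and so cannot be used for a bind. The following added example (editor's illustration, not code from the thread, pfSense or Samba) applies RFC 4514 DN syntax and RFC 4515 filter escaping to the values quoted in the post; `check_dn`, `check_extended_query` and `build_user_filter` are hypothetical helpers written for this purpose, and the AND-filter shape is a typical AD lookup, not necessarily the exact string pfSense generates. Note that three of the four DNs in the post are written `DC-internal` rather than `DC=internal`.

```python
"""Syntax checks for the DN strings and the extended query of a pfSense LDAP
authentication server, run against the values from the first post.

Added example; not code from the thread, pfSense or Samba.  check_dn,
check_extended_query and build_user_filter are hypothetical helpers written
for this illustration; the DN grammar applied is RFC 4514 and the filter
escaping is RFC 4515.
"""
import re

# RFC 4514: RDNs are separated by unescaped commas; an RDN is one or more
# attributeType=attributeValue pairs joined by '+'.
_RDN_SPLIT = re.compile(r"(?<!\\),")
# attributeType is a descriptor (letter, then letters/digits/hyphens) or an OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$")


def check_dn(dn):
    """Return the list of problems found in dn; an empty list means it parses."""
    problems = []
    if not dn.strip():
        return ["empty DN"]
    for rdn in _RDN_SPLIT.split(dn):
        for ava in rdn.split("+"):
            ava = ava.strip()
            if "=" not in ava:
                # This is exactly what 'DC-internal' in the post triggers:
                # a hyphen where the '=' separator should be.
                problems.append("component %r has no '=' separator" % ava)
                continue
            attr, value = ava.split("=", 1)
            if not _ATTR_TYPE.match(attr.strip()):
                problems.append("component %r has an invalid attribute type" % ava)
            if value.strip() == "":
                problems.append("component %r has an empty value" % ava)
    return problems


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter
    (RFC 4515): only '*', '(', ')', '\\' and NUL need the \\XX form."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def check_extended_query(query):
    """pfSense's 'Extended Query' is a single attribute=value assertion.  When
    the attribute is memberOf the value must itself be a well-formed group DN,
    so the DN checker is applied to it."""
    if "=" not in query:
        return ["extended query is not of the form attribute=value"]
    attr, value = query.split("=", 1)
    if attr.strip().lower() == "memberof":
        return ["memberOf value: " + p for p in check_dn(value)]
    return []


def build_user_filter(naming_attr, username, extended_query=""):
    """An AD-style lookup filter: the user-naming attribute ANDed with the
    extended query.  This mirrors the general shape of such lookups, not
    necessarily the exact string pfSense generates."""
    user_term = "(%s=%s)" % (naming_attr, escape_filter_value(username))
    if not extended_query:
        return user_term
    attr, value = extended_query.split("=", 1)
    return "(&%s(%s=%s))" % (user_term, attr, escape_filter_value(value))


# Values copied from the first post in the thread.
POST_DNS = {
    "Base DN": "DC=internal,DC=external,DC=com",
    "Auth. Container": "CN=Users,DC-internal,DC=external,DC=com",
    "Bind user": "CN=binduser,CN=Users,DC-internal,DC=external,DC=com",
}
POST_QUERY = "memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com"


def audit(dns=POST_DNS, query=POST_QUERY):
    """Map each setting name to its list of problems."""
    report = {name: check_dn(dn) for name, dn in dns.items()}
    report["Extended Query"] = check_extended_query(query)
    return report


if __name__ == "__main__":
    for name, problems in audit().items():
        print("%-16s %s" % (name + ":", "OK" if not problems else "; ".join(problems)))
```

Run as a script it reports the Base DN as OK and flags the `DC-internal` component in the other three values; `build_user_filter` shows the combined filter a user lookup would send once the DNs are clean.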
Rowland penny
2020-Sep-15 15:42 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 15/09/2020 16:33, Marco Shmerykowsky via samba wrote:
> I've been trying to setup OPENVPN on a Netgate appliance running pfsense.
>
> Initially, the authentication server I created appears to function. A connection is made, the "bind" is completed and the organizational units are fetched from the server and returned.
>
> A few minutes later - without making any changes - the same test returns the following errors:
>
> php-fpm 67757 /system_usermanager_settings.php: ERROR! ldap_get_groups() could not bind to server ADS-server.
> php-fpm 67757 /system_usermanager.php: ERROR! ldap_get_groups() could not bind to server ADS-server.
>
> I've tried restarting PHP-FPM and webconfigurator, but that doesn't seem to solve the problem.
>
> I've configured an authentication server as follows:
>
> hostname: samba.internal.external.com
>     (This resolves to the IP with a hostname entry)
> port: 636
> Transport: SSL-Encrypted
> Peer Certificate Authority: Samba-CA (imported from samba's ca.pem file)
> Client Certificate: Samaba-server-cert (imported from samba's cert.pem and key.pem files)
> Protocol: 3
> Server Timeout: 25
> Search Scope: Entire Subtree
> Base DN: DC=internal,DC=external,DC=com
> Auth. Container: CN=Users,DC-internal,DC=external,DC=com
> Enable Extended Query:
>   Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com
> Bind credentials:
>   user: CN=binduser,CN=Users,DC-internal,DC=external,DC=com
>   passwd: apassword
> User naming attribute: samAccountName
> Group naming attribute: cn
> Group member attribute: memberof
>
> This seems like it should be straight forward. What am I missing?
>
> Thanks

Not entirely sure, but 'Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com' is unlikely to work. All AD users are members of Domain Users, but not one of them has the 'memberof' attribute and the group object doesn't show any 'member' attributes.

So if the users are being searched for as members of the Domain Users group by the 'memberof' attribute, I do not think it will work, try another group.

Rowland
miguel medalha
2020-Sep-15 17:06 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
> Not entirely sure, but 'Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com' is unlikely to work. All AD users are members of Domain Users, but not one of them has the 'memberof' attribute and the group object doesn't show any 'member' attributes.
>
> So if the users are being searched for as members of the Domain Users group by the 'memberof' attribute, I do not think it will work, try another group.

Yes. I created a VPNusers group in AD.

Also, isn't the use of SSL/Port 636 in LDAP deprecated? I am using STARTTLS/Port 389.
Marco Shmerykowsky
2020-Sep-15 17:12 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 2020-09-15 11:42 am, Rowland penny via samba wrote:
> On 15/09/2020 16:33, Marco Shmerykowsky via samba wrote:
>> I've been trying to setup OPENVPN on a Netgate appliance running pfsense.
>>
>> Initially, the authentication server I created appears to function. A connection is made, the "bind" is completed and the organizational units are fetched from the server and returned.
>>
>> A few minutes later - without making any changes - the same test returns the following errors:
>>
>> php-fpm 67757 /system_usermanager_settings.php: ERROR! ldap_get_groups() could not bind to server ADS-server.
>> php-fpm 67757 /system_usermanager.php: ERROR! ldap_get_groups() could not bind to server ADS-server.
>>
>> I've tried restarting PHP-FPM and webconfigurator, but that doesn't seem to solve the problem.
>>
>> I've configured an authentication server as follows:
>>
>> hostname: samba.internal.external.com
>>     (This resolves to the IP with a hostname entry)
>> port: 636
>> Transport: SSL-Encrypted
>> Peer Certificate Authority: Samba-CA (imported from samba's ca.pem file)
>> Client Certificate: Samaba-server-cert (imported from samba's cert.pem and key.pem files)
>> Protocol: 3
>> Server Timeout: 25
>> Search Scope: Entire Subtree
>> Base DN: DC=internal,DC=external,DC=com
>> Auth. Container: CN=Users,DC-internal,DC=external,DC=com
>> Enable Extended Query:
>>   Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com
>> Bind credentials:
>>   user: CN=binduser,CN=Users,DC-internal,DC=external,DC=com
>>   passwd: apassword
>> User naming attribute: samAccountName
>> Group naming attribute: cn
>> Group member attribute: memberof
>>
>> This seems like it should be straight forward. What am I missing?
>>
>> Thanks
>
> Not entirely sure, but 'Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com' is unlikely to work. All AD users are members of Domain Users, but not one of them has the 'memberof' attribute and the group object doesn't show any 'member' attributes.
>
> So if the users are being searched for as members of the Domain Users group by the 'memberof' attribute, I do not think it will work, try another group.
>
> Rowland

I removed 'CN=Domain Users' from the query. I'm using the default tree that was created when I set up the samba AD, so I think I'm matching everything correctly:

Active Directory Users and Computers (samba.internal.external.com)
+ Saved queries
+ internal.external.com
  + Users
    + binduser
    + john_doe
    + Jane_doe
    + Domain Users
    + Domain Guests
  + Computers
  + System
  + Builtin
  + Domain Controllers
miguel medalha
2020-Sep-15 17:13 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
> I've tried restarting PHP-FPM and webconfigurator, but that doesn't seem to solve the problem.

This must be done each time after you edit the configuration using the LDAP authentication setup page. Otherwise the changes won't stick. Before I knew this, I did suffer a lot trying to make it work and not understanding why it didn't.
Marco Shmerykowsky
2020-Sep-15 19:53 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 2020-09-15 1:13 pm, miguel medalha wrote:
>> I've tried restarting PHP-FPM and webconfigurator, but that doesn't seem to solve the problem.
>
> This must be done each time after you edit the configuration using the LDAP authentication setup page. Otherwise the changes won't stick. Before I knew this, I did suffer a lot trying to make it work and not understanding why it didn't.

Yea - I'm lost. I keep trying the same thing hoping for different results. I think that is the definition of insanity.

I've tried:

Created a new OU called VPNusers and a user within that called bind-user-1. Also created a user under Users called bind-user-2. Then I set the following:

extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com

No go. Also tried:

extended query => memberof=CN=users,DC=internal,DC=external,DC=com
authentication container => CN=users,DC=internal,DC=external,DC=com
bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com

After each change I run options 16 (restart php-fpm) and 11 (restart webconfigurator).

Tried using 389/TCP-Standard, 389/TCP-STARTTLS, & 636/SSL-Encrypted.
Tried using "Global Root CA List & No Client Cert" and "Samba CA & cert/key".

Keeps failing to bind.
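Two of the extended queries tried in this thread can never select a user, for the reason Rowland gives in his reply and for a related one: `memberof=CN=Domain Users,...` (first post) fails because Domain Users is the default primary group, which AD records in the user's `primaryGroupID` rather than in `member`/`memberOf`; and `memberof=OU=vpnusers,...` (the attempt above) fails because an OU is a container, not a group, so no `memberOf` value can equal its DN. The following added example (editor's illustration, not code from the thread, pfSense or Samba) simulates those semantics on a constructed in-memory directory; all entries, the `rid` attribute and the DNs are invented for the illustration, and only the AD rules listed in its docstring are real. It addresses the search filter only, not the bind failure reported in the thread, which occurs before any search is sent.

```python
"""Why the extended queries tried in this thread select no users at all:
'memberof=CN=Domain Users,...' (first post, as Rowland explains) and
'memberof=OU=vpnusers,...' (last post).  Simulated on a constructed
in-memory directory.

Added example; not code from the thread, pfSense or Samba.  All entries and
DNs below are invented for the illustration.  The semantics modelled are those
of Active Directory, which Samba AD reproduces:
  * a user's primary group (Domain Users, RID 513, by default) is recorded in
    the user's primaryGroupID; the group's 'member' attribute does not list
    primary-group members;
  * memberOf is the server-maintained back-link of 'member', so it only names
    groups a user was explicitly added to;
  * an organizational unit is a container, not a group, so no memberOf value
    can ever equal an OU's DN.  Restricting by OU is done with the search base
    (pfSense's 'Authentication container'), not with a memberOf filter.
"""

DOMAIN = "DC=internal,DC=external,DC=com"

# Constructed directory: DN -> attributes.  'rid' stands in for the RID part of
# objectSid to keep the example short.
DIRECTORY = {
    "CN=Domain Users,CN=Users," + DOMAIN: {
        "objectClass": "group", "rid": 513, "member": []},
    "CN=VPNusers,CN=Users," + DOMAIN: {
        "objectClass": "group", "rid": 1105,
        "member": ["CN=john_doe,CN=Users," + DOMAIN]},
    "OU=vpnusers," + DOMAIN: {"objectClass": "organizationalUnit"},
    "CN=john_doe,CN=Users," + DOMAIN: {
        "objectClass": "user", "sAMAccountName": "john_doe", "primaryGroupID": 513},
    "CN=Jane_doe,CN=Users," + DOMAIN: {
        "objectClass": "user", "sAMAccountName": "Jane_doe", "primaryGroupID": 513},
    "CN=bind-user-1,OU=vpnusers," + DOMAIN: {
        "objectClass": "user", "sAMAccountName": "bind-user-1", "primaryGroupID": 513},
}


def _norm(dn):
    """DN matching is case-insensitive and ignores whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _attr(attrs, name):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for key, value in attrs.items():
        if key.lower() == name.lower():
            return value
    return None


def member_of(user_dn):
    """The memberOf back-link: every group whose 'member' lists user_dn."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if attrs["objectClass"] == "group"
                  and any(_norm(m) == _norm(user_dn) for m in attrs["member"]))


def effective_groups(user_dn):
    """Groups the user really belongs to: memberOf plus the primary group."""
    rid = DIRECTORY[user_dn]["primaryGroupID"]
    primary = [dn for dn, attrs in DIRECTORY.items()
               if attrs["objectClass"] == "group" and attrs["rid"] == rid]
    return sorted(set(member_of(user_dn)) | set(primary))


def search_users(base_dn, extended_query=""):
    """Simulate a subtree search for users under base_dn with pfSense's
    extended query ('attribute=value') applied as an additional filter term.
    memberOf is tested against the back-link only, as the server does."""
    attr, value = extended_query.split("=", 1) if extended_query else ("", "")
    hits = []
    for dn, attrs in DIRECTORY.items():
        if attrs["objectClass"] != "user":
            continue
        if _norm(dn) != _norm(base_dn) and not _norm(dn).endswith("," + _norm(base_dn)):
            continue                                   # outside the container
        if attr.lower() == "memberof":
            if not any(_norm(g) == _norm(value) for g in member_of(dn)):
                continue
        elif attr and str(_attr(attrs, attr) or "").lower() != value.lower():
            continue
        hits.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    users_cn = "CN=Users," + DOMAIN
    for user in ("CN=john_doe,CN=Users," + DOMAIN, "CN=Jane_doe,CN=Users," + DOMAIN):
        print(user, "memberOf:", member_of(user), "effective:", effective_groups(user))
    print("memberof=Domain Users ->", search_users(users_cn, "memberof=CN=Domain Users," + users_cn))
    print("memberof=OU=vpnusers  ->", search_users("OU=vpnusers," + DOMAIN, "memberof=OU=vpnusers," + DOMAIN))
    print("memberof=VPNusers     ->", search_users(users_cn, "memberof=CN=VPNusers," + users_cn))
    print("container OU=vpnusers ->", search_users("OU=vpnusers," + DOMAIN))
```

The contrast the script prints is the point: every user's effective group list contains Domain Users, yet a `memberOf` filter on it returns nothing, while a dedicated group such as miguel's VPNusers (explicit `member` entries, hence a `memberOf` back-link) returns exactly its members, and "everyone in OU=vpnusers" is expressed by the search base alone with no extended query.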