Core: Users import fails if StartTLS Transport is configured on the LDAP Server

Created on 26 Apr 2019 · 23 Comments · Source: opnsense/core

If StartTLS Transport is configured on the LDAP Server, the User Import page (_system_usermanager_import_ldap.php_) will fail with error message:

Could not connect to the LDAP server. Please check your LDAP configuration.

but Testing credentials will not.

Configuring _Transport_ to _TCP - Standard_ will work around the issue.

PS: Also see https://forum.opnsense.org/index.php?topic=12529.new

cleanup

All 23 comments

@gvecchicert the connect sequence was a bit different in the import page, https://github.com/opnsense/core/commit/58c3e6ccd9f33dcc543d39115352a48123fd5e18 should fix the issue

I will give it a try as soon as it appears in the updates.

thanks in advance, just let us know if it doesn't solve your issue and I'll reopen the issue (I can't test this myself with StartTLS at the moment)

Ok.
When do you think it will be released?

either in 19.7 (next month), or if @fichtner pulls it in earlier. you can also use opnsense-patch 58c3e6c to test before release.

After patch, the issue persists.

This issue still exists in OPNsense 19.7.4_1-amd64

@lbr88 @gvecchicert can you try https://github.com/opnsense/core/commit/b2affd161dbc3c6e77b335767671162cf97cb964 (from https://github.com/opnsense/core/issues/3742)? It might be related.

Patch installed but issue persists:

Does the web gui need to be restarted?

@gvecchicert thanks for testing, a restart shouldn't be necessary, we probably have to wait for someone to replicate and do some more digging then. I don't see a reason why it won't work at the moment.

Anyway: how to restart web gui?

pluginctl -c webgui

should do the trick

thanks @AdSchellevis : I confirm that issue persists even after web gui restart.

Just applied the patch you mentioned and the issue persists:

Oct 9 14:39:31 | opnsense: Could not startTLS on ldap connection [,Can't contact LDAP server]
Oct 9 14:39:02 | opnsense: Could not startTLS on ldap connection [,Can't contact LDAP server]

When setting it back to standard TCP (no tls/ssl) it works again.

If the issue only exists for the import form, but auth works like a charm (as mentioned in the issue), I have no idea at the moment. We will have to wait for someone with a setup and time to do some more detailed digging. We'll keep the issue open in the meantime.

I did some digging and it appears the auth.inc isn't aware of the StartTLS property like the LDAP.php is:
https://github.com/opnsense/core/blob/fb9e8a563e3c392887235467a3282f3531a451b9/src/etc/inc/auth.inc#L730

This returns an ldaps:// URL instead of an ldap:// one, which appears to be why it fails:
from the $ldap_server object:
["ldap_full_url"]=> string(30) "ldaps://ldap.jumpcloud.com:389"

from the authenticator object:
["ldapBindURL":"OPNsense\Auth\LDAP":private]=> string(29) "ldap://ldap.jumpcloud.com:389"
["useStartTLS":"OPNsense\Auth\LDAP":private]=> bool(true)

@lbr88 I totally seem to have missed this, let me prepare a patch to try.

--- /root/auth.inc  2019-10-09 15:43:25.245143000 +0000
+++ /usr/local/etc/inc/auth.inc 2019-10-09 15:44:23.532387000 +0000
@@ -724,7 +724,7 @@ function auth_get_authserver($name)
             if ($authcfg['name'] == $name) {
                 if ($authcfg['type'] == 'ldap' || $authcfg['type'] == 'ldap-totp') {
                     // let's try to avoid regenerating the ldap url in every function.
-                    if (strstr($authcfg['ldap_urltype'], "Standard")) {
+                    if (strstr($authcfg['ldap_urltype'], "Standard") || strstr($authcfg['ldap_urltype'], "StartTLS")) {
                         $authcfg['ldap_full_url'] = "ldap://";
                     } else {
                         $authcfg['ldap_full_url'] = "ldaps://";
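Review bot: the changed condition still keys on substrings of the display label ("Standard", "StartTLS") via strstr, so any relabelling of the transport option silently sends the import page back to ldaps://, which is exactly the failure mode this issue describes; the else branch also remains the default for every transport value the two strstr calls do not recognise. Matching the stored ldap_urltype value exactly, or mapping it to a scheme plus a StartTLS flag in one place, would make the intent explicit, for example `$scheme = in_array($authcfg['ldap_urltype'], ['TCP - Standard', 'StartTLS']) ? "ldap://" : "ldaps://";`.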

seems to do the trick.

we probably better move the code out of auth.inc, ideally this part should also be handled via the ldap object, but since system_usermanager_import_ldap.php is the only consumer of the logic now, we best move it there.
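To show the mismatch diagnosed above (StartTLS attempted on an ldaps:// URL on port 389) and the shape of the fix in one place, here is an added example that is not OPNsense code: it derives the URL scheme and a StartTLS flag from the transport label, then connects so that StartTLS is only negotiated on a plain ldap:// socket and fails closed if the negotiation does not succeed. The labels "TCP - Standard" and "StartTLS" come from the page; the "SSL - Encrypted" label, the `host`/`ldap_port` field names and the hostname are assumptions.

```php
<?php
// Added example, not code from the OPNsense project. Field names 'host' and
// 'ldap_port' and the "SSL - Encrypted" label are assumptions.

function ldap_connection_params(array $authcfg): array
{
    $type = $authcfg['ldap_urltype'] ?? '';
    // Same rule as the patch on the page: StartTLS starts on a plain socket,
    // so only the SSL transport may produce an ldaps:// URL.
    $useStartTLS = strpos($type, 'StartTLS') !== false;
    $plain = $useStartTLS || strpos($type, 'Standard') !== false;
    return [
        'url'      => ($plain ? 'ldap://' : 'ldaps://')
                      . $authcfg['host'] . ':' . (int)$authcfg['ldap_port'],
        'starttls' => $useStartTLS,
    ];
}

// Returns [connection, null] on success or [false, error message] on failure.
function ldap_connect_secure(array $authcfg): array
{
    $p  = ldap_connection_params($authcfg);
    $ds = ldap_connect($p['url']);
    if ($ds === false) {
        return [false, "bad LDAP URL {$p['url']}"];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if ($p['starttls'] && !@ldap_start_tls($ds)) {
        // Fail closed: never fall back to binding over the plaintext socket.
        $msg = ldap_error($ds);
        ldap_unbind($ds);
        return [false, "Could not startTLS on ldap connection [{$msg}]"];
    }
    return [$ds, null];
}

// Constructed configurations covering the three transports.
foreach (['TCP - Standard', 'StartTLS', 'SSL - Encrypted'] as $t) {
    $cfg = [
        'ldap_urltype' => $t,
        'host'         => 'ldap.example.net',
        'ldap_port'    => $t === 'SSL - Encrypted' ? 636 : 389,
    ];
    $p = ldap_connection_params($cfg);
    printf("%-16s -> %s  starttls=%s\n", $t, $p['url'], $p['starttls'] ? 'yes' : 'no');
}
```

With the pre-patch behaviour, the StartTLS row would have produced ldaps://ldap.example.net:389, and ldap_start_tls on that handle is what surfaces as "Can't contact LDAP server" in the log lines quoted earlier in the thread.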

ok, this https://github.com/opnsense/core/commit/c4fba1c62e1cf85538fe823e8d54067379d22d73 should fix it then.

opnsense-patch c4fba1c

Couldn't you allow the Auth\LDAP connect function to be called without any parameters? From what I can see, the setProperties function sets the ldapBindURL property when creating the instance from the authenticator factory, so a call to connect without any parameters could just use the properties already set within the object?
Just a thought, I don't know the implications as I don't know the codebase.

Your patch c4fba1c works. Thank you.

@lbr88 that was my first idea as well, but the other caller (system_usermanager_settings_ldapacpicker.php) would still need to remap its post settings too in order to really have a single entry point. Maybe another day, thanks for confirming, closing the issue now.

I confirm patch works like a charm!
