Dear Diego,

I would also like to give you the result of the actions you recommended, plus the Google Workspace logs.

Stunnel

In the stunnel.conf file I entered the following configuration:

    [ldap]
    client = yes
    accept = 127.0.0.1:1636
    connect = ldap.google.com:636
    cert = C:\tmp\cert\Google_2025_05_24_39655.crt
    key = C:\tmp\cert\Google_2025_05_24_39655.key

and these are the logs:

    2022.06.03 15:39:56 LOG5[main]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf
    2022.06.03 15:39:56 LOG5[main]: UTF-8 byte order mark detected
    2022.06.03 15:39:56 LOG5[main]: FIPS mode disabled
    2022.06.03 15:39:56 LOG4[main]: Service [ldap] needs authentication to prevent MITM attacks
    2022.06.03 15:39:57 LOG5[main]: Configuration successful

It seems to me that it is OK.

JXplorer

In Security \ Client Certificates \ Add Certificate I gave the Google Workspace certificate file and a name, and then the default password, which is "passphrase". Then I selected the imported certificate, clicked on Set Private Key, and gave the Google Workspace key file and then the default password, which is "passphrase".

I clicked on the "Connect to DSA" button and set up the fields as follows:

    Host: ldap.google.com
    Port: 636
    Protocol: LDAP v3
    Base DN: ou=Users,dc=school name,dc=edu,dc=it
    Level: SSL + User + Password
    User DN: username of the credentials generated with LDAP clients in Google Workspace
    Password: password of the credentials generated with the LDAP client in Google Workspace
I get the following error:

    Error opening connection: ldap.google.com:636
    error details
    javax.naming.CommunicationException: ldap.google.com:636 [Root exception is java.net.ConnectException: Connection timed out: connect]
        at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        at javax.naming.InitialContext.init(Unknown Source)
        at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
        at com.ca.commons.jndi.JNDIOps.openContext(JNDIOps.java:529)
        at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:123)
        at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
        at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:59)
        at com.ca.commons.naming.DXOps.<init>(DXOps.java:41)
        at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:477)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:422)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:396)
        at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:913)
        at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
        at java.lang.Thread.run(Unknown Source)
    Caused by: java.net.ConnectException: Connection timed out: connect
        at java.net.DualStackPlainSocketImpl.connect0(Native Method)
        at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
        at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
        at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
        at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
        at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
        at com.ca.commons.security.JXSSLSocketFactory.createSocket(JXSSLSocketFactory.java:517)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
        ... 26 more

Google Workspace logs \ Reporting \ Audit and investigation \ LDAP log events

PREMISE: pippo.franco@school name.edu.it is the user of the directory with which I am trying to log in to the captive portal on a device connected to the inline wifi network. BlankDogue is the username of the credentials generated with the LDAP client.

    2022-06-03T17:11:19+02:00  Association failed  LDAP bind with uid=pippo.franco,ou=Users,dc=school name,dc=edu,dc=it failed with INVALID_CREDENTIALS.  3  PF  ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com  3  0  0  53729df6-6fe4-44a2-a4f9-10a4fc28e94e  uid=pippo.franco,ou=Users,dc=school name,dc=edu,dc=it  INVALID_CREDENTIALS
    2022-06-03T17:11:18+02:00  Successful search  LDAP search with (uid=pippo.franco) successful.  2  PF  ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com  ou=Users,dc=school name,dc=edu,dc=it  false  0  0  (uid=pippo.franco)  WHOLE_SUBTREE  53729df6-6fe4-44a2-a4f9-10a4fc28e94e  DEREF_FINDING_BASE_OBJ  SUCCESS  dn
    2022-06-03T17:11:18+02:00  Successful association  LDAP bind with BlankDogue successful.  1  PF  ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com  3  0  0  53729df6-6fe4-44a2-a4f9-10a4fc28e94e  BlankDogue  SUCCESS
    2022-06-03T17:11:18+02:00  Successful association  LDAP bind with "" successful.  0  PF  ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com  3  0  0  53729df6-6fe4-44a2-a4f9-10a4fc28e94e  SUCCESS

Thanks

From: leonardo.izzo--- via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Friday, 3 June 2022 12:22
To: 'Diego Garcia del Rio' <garc...@gmail.com>; packetfence-users@lists.sourceforge.net
Cc: leonardo.i...@itsinformatica.it
Subject: [PacketFence-users] Re: Setting up a local source with Google Workspace

Hello Diego,

in the meantime, thanks for the reply.

In the 'Username Attribute' field I entered 'uid', and in Base DN I entered ou=Users,dc=myschool,dc=edu,dc=it as you suggested. Clicking on the 'Test' button gives a positive result, so the indicated parameters are probably correct.

On my pf server configured in inline mode, I created a connection profile having as source the local source configured with Google Workspace and tested correctly. In the captive portal that appears on the client side in the wifi on the inline network, I enter the credentials of a Google Workspace user, but unfortunately the error "Invalid login or password" comes out even though these credentials are correct (id: usern...@schoolname.edu.it and password). How come?
Many thanks

From: Diego Garcia del Rio <garc...@gmail.com>
Sent: Thursday, 2 June 2022 10:48
To: packetfence-users <packetfence-users@lists.sourceforge.net>
Cc: leonardo.i...@itsinformatica.it
Subject: Re: [PacketFence-users] Setting up a local source with Google Workspace

Most of the defaults should work. For the Username Attribute, 'uid' should work.

When you click on the "Test" button for the Bind DN and password, does it work? Make sure the LDAP service is enabled as well (not just the credentials generated). It's quite annoying, as it's not readily evident that you haven't enabled the service.

Also, using "stunnel" (for certificate-based SSL tunneling to Google) and an LDAP browser such as "JXplorer" you can test and see if you can browse the LDAP tree, make sure the credentials are OK, etc.

The Bind DN is "just" the username, like "jdoe", but the Base DN needs to have the prefix "ou=Users", such as the following:

    ou=Users,dc=myschool,dc=edu,dc=ar

Cheers!

On Sun, May 29, 2022 at 1:43 PM leonardo.izzo--- via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello everyone,

I have some doubts regarding some fields of the source in question.

In 'Bind DN' and 'Password' I have to enter the credentials generated by the Google Workspace console -> Authentication section -> "Generate new credentials". Is that right?

In the 'Base DN' field I have entered the customer's domain in DN format, i.e. the domain is schoolname.edu.it, so in this field I have entered the string dc=schoolname,dc=edu,dc=it. Is that right?

    'Host' = ldap.google.com on SSL port 636
    'SSL Verify Mode' = none
    'Dead duration' = 60
    'Connection timeout' = 1
    'Request timeout' = 5
    'Response timeout' = 10
    'Scope' = Subtree
    'Search Attributes' = null
    'Append search attributes' = null
    'Email Attribute' = mail
    'Cache match' = off
    'Monitor' = on
    'Shuffle' = off
    'Associated Realms' = nothing

Also I wanted to know what to put in the 'Username Attribute' field.

Thanks

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
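The four LDAP log events quoted in the message at the top of this thread (the empty bind on the certificate-authenticated connection, the bind with the generated access credentials, the search for the uid, and the bind as the user's DN) are the order in which a NAC such as PacketFence talks to Google Secure LDAP for one captive-portal login, and the session id column ties them together. The script below correlates such events per session and names the first step that failed. It is an added example for readers of this thread, not PacketFence or Google code; its pipe-delimited input format, the shortened session ids and the two extra sessions are constructed to mirror the quoted events, so the column layout and the stage names are assumptions rather than the real export format.

```python
"""Correlate Google Workspace "LDAP log events" per session and report which
step of an LDAP login flow failed.

Added example for the PacketFence-users thread; not PacketFence or Google
code. The column layout, session ids and the second and third sessions are
constructed to mirror the four events quoted in the thread.
"""
from collections import defaultdict

# Stage labels for the binds and the search a NAC performs per login.
CERT_BIND = "cert_bind"        # bind with ""  (client certificate only)
SERVICE_BIND = "service_bind"  # bind with the LDAP client username, e.g. BlankDogue
USER_SEARCH = "user_search"    # search (uid=...) under the Base DN
USER_BIND = "user_bind"        # bind with uid=...,ou=Users,dc=... and the user's password
STAGE_ORDER = [CERT_BIND, SERVICE_BIND, USER_SEARCH, USER_BIND]

# Hints keyed by the stage that failed, based on what each step proves.
HINTS = {
    CERT_BIND: "the client certificate/key pair was rejected or the LDAP client is not enabled",
    SERVICE_BIND: "the generated access credentials (Bind DN/password) were rejected",
    USER_SEARCH: "the Base DN or username attribute does not locate the user",
    USER_BIND: "Google rejected the user's own password; certificate, access credentials and search are fine",
}

# Constructed sample (not a real export): timestamp|operation|target|session_id|result
SAMPLE_EVENTS = """\
2022-06-03T17:11:18+02:00|bind||53729df6|SUCCESS
2022-06-03T17:11:18+02:00|bind|BlankDogue|53729df6|SUCCESS
2022-06-03T17:11:18+02:00|search|(uid=pippo.franco)|53729df6|SUCCESS
2022-06-03T17:11:19+02:00|bind|uid=pippo.franco,ou=Users,dc=example,dc=edu|53729df6|INVALID_CREDENTIALS
2022-06-03T17:20:02+02:00|bind||9a1b2c3d|SUCCESS
2022-06-03T17:20:02+02:00|bind|BlankDogue|9a1b2c3d|INVALID_CREDENTIALS
2022-06-03T17:25:40+02:00|bind||c0ffee00|SUCCESS
2022-06-03T17:25:40+02:00|bind|BlankDogue|c0ffee00|SUCCESS
2022-06-03T17:25:41+02:00|search|(uid=mario.rossi)|c0ffee00|SUCCESS
2022-06-03T17:25:41+02:00|bind|uid=mario.rossi,ou=Users,dc=example,dc=edu|c0ffee00|SUCCESS
"""


def parse_events(text):
    """Parse the pipe-delimited sample into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, target, session, result = line.split("|", 4)
        events.append({"ts": ts, "op": op, "target": target,
                       "session": session, "result": result})
    return events


def stage_of(event):
    """Map one event to a login stage from its operation and bind target."""
    if event["op"] == "search":
        return USER_SEARCH
    target = event["target"]
    if target == "":
        return CERT_BIND
    # Google Secure LDAP access credentials bind with a bare username, while
    # a user bind carries a full DN, so the presence of '=' separates them.
    return USER_BIND if "=" in target else SERVICE_BIND


def diagnose_sessions(events):
    """Return {session_id: (failed_stage or "ok", result_code, hint)}.

    Events are ordered by timestamp, then by stage (the console lists newest
    first and several steps share a second). The first non-SUCCESS result in
    a session is the step that broke the login, since each step depends on
    the previous one having succeeded.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    report = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: (e["ts"], STAGE_ORDER.index(stage_of(e))))
        failed = next((e for e in evs if e["result"] != "SUCCESS"), None)
        if failed is None:
            report[sid] = ("ok", "SUCCESS", "all steps succeeded")
        else:
            stage = stage_of(failed)
            report[sid] = (stage, failed["result"], HINTS[stage])
    return report


if __name__ == "__main__":
    for sid, (stage, code, hint) in diagnose_sessions(parse_events(SAMPLE_EVENTS)).items():
        print(f"{sid}: {stage} {code} - {hint}")
```

For the session quoted in the thread, the certificate bind, the BlankDogue bind and the (uid=pippo.franco) search all succeeded and the first failure is the bind as uid=pippo.franco,... with INVALID_CREDENTIALS, which the script reports as user_bind; a session whose access-credential bind fails is reported as service_bind, the case Diego's reply about enabling the LDAP client and regenerating credentials addresses.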