Ldap START_TLS Authentication

[romuloadmr]

Hello everyone,

I would like use a Ldap database to authenticate users that will be acessing the internet through our Captive Portal in OPNSense

My Ldap Server only allows connections via START_TLS mechanism.

I have imported the CA Certificate into the OPNSense however the bind operation fails. I have checked the server logs and it seems like the Start_Tls operation fails for some reason.

Am i missing something here? Is it possible to use START_TLS or i should be using ldaps?

Thanks in advance!

[franco]

Is there any log message in the OPNsense logs? There must be some more info on why this fails.

[romuloadmr]

Thanks for the reply! xD

I did and i was'nt able to find any clue =(. However i started a new ldapserver for testing purposes and i was able to authenticate using Ldap over SSL (port 636), instead of standard tcp + Start_TLS.

However, for some reason Ldap users imported into the system are unable to authenticate against our Captive Portal. Authentication works fine for any local user.

I will keep digging into this...any help would be much appreciated.

[franco]

You can use https://firewall/diag_authentication.php to test login against the server.

There's a thread here which has a test server to try a remote RADIUS authentication: https://forum.opnsense.org/index.php?topic=686.msg2256#msg2256

I'll try to bring it back up for double-checking.

[franco]

I think imported users have scrambled passwords at the moment because it's not as easy to link them directly to LDAP...

The RADIUS test server is back up.

[romuloadmr]

Thanks for the info Franco!

Funny thing is...i can authenticate just fine using the diag tool against our ldap server..the test passes.

The problem arises when i import the users from Ldap to the User Manager and try to authenticate them against the Captive Portal...for me it seems like the passwords are messed up like  you pointed out.

Our team would like to use Ldap directly, right now Radius is not an option =(.

Anyway i think we will end up discussing the possibility of using Radius xD.

Thanks again!

[franco]

We did just replace the GUI authentication backend with a pluggable alternative. I don't know what the plans are, but I could imagine this would allow us to maybe use LDAP directly now as well. I'll try to point Ad your way, he's working on the authentication side.