OPNsense Forum » Archive » 15.7 Legacy Series
Topic: Ldap START_TLS Authentication

romuloadmr (Newbie)
Ldap START_TLS Authentication
« on: November 04, 2015, 12:15:27 am »
Hello everyone,

I would like to use an LDAP database to authenticate users that will be accessing the internet through our Captive Portal in OPNsense.

My LDAP server only allows connections via the START_TLS mechanism.

I have imported the CA certificate into OPNsense; however, the bind operation fails. I have checked the server logs and it seems like the Start_TLS operation fails for some reason.

Am I missing something here? Is it possible to use START_TLS, or should I be using LDAPS?

Thanks in advance!


franco (Administrator)
Re: Ldap START_TLS Authentication
« Reply #1 on: November 04, 2015, 08:02:01 am »
Is there any log message in the OPNsense logs? There must be some more info on why this fails. :)

romuloadmr (Newbie)
Re: Ldap START_TLS Authentication
« Reply #2 on: November 05, 2015, 11:49:22 am »
Thanks for the reply! xD

I did, and I wasn't able to find any clue =(. However, I started a new LDAP server for testing purposes and I was able to authenticate using LDAP over SSL (port 636) instead of standard TCP + Start_TLS.

However, for some reason LDAP users imported into the system are unable to authenticate against our Captive Portal. Authentication works fine for any local user.

I will keep digging into this... any help would be much appreciated.
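The observation in the post above (LDAPS on 636 works, plain LDAP plus Start_TLS does not, even with the CA imported) is easiest to pin down with a probe that performs each step separately: TCP connect, the StartTLS extended operation, and the TLS upgrade with the CA and hostname checks that a client stack enforces. The following is an added example written for this thread, not OPNsense code and not anything the poster ran; it uses only the Python standard library, the hostname and CA file are placeholders taken from the command line, and the two sample responses embedded in it are constructed, not captured from a real server.

```python
"""
Stdlib-only LDAP StartTLS / LDAPS probe (RFC 4511 ExtendedRequest, OID 1.3.6.1.4.1.1466.20037).
Added example for this thread, not OPNsense code. It reports which step fails:
TCP connect, the StartTLS exchange itself, or the TLS handshake / CA validation.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# BER tags used by the two messages (RFC 4511 sections 4.1, 4.14)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] requestName inside ExtendedRequest, primitive
TAG_RESPONSE_NAME = 0x8A      # [10] responseName inside ExtendedResponse, primitive


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    message_id is encoded as a single INTEGER byte, so keep it below 128."""
    ext_req = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([message_id])) + ext_req)


def parse_extended_response(data: bytes):
    """Return (message_id, result_code, diagnostic_message) from an ExtendedResponse.
    ExtendedResponse ::= { resultCode ENUMERATED, matchedDN, diagnosticMessage, ... }"""
    tag, msg, _ = read_tlv(data)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % op_tag)
    _, rc, pos = read_tlv(op)          # resultCode (0 = success, 2 = protocolError, ...)
    _, _, pos = read_tlv(op, pos)      # matchedDN, not needed here
    _, diag, _ = read_tlv(op, pos)     # diagnosticMessage, what the server says went wrong
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def starttls_probe(host: str, cafile: str, port: int = 389, timeout: float = 5.0) -> str:
    """Connect in clear, ask for StartTLS, then upgrade with strict chain + hostname checks.
    Returns the negotiated TLS version; raises on whichever step fails."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain must end at the imported CA
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, rc, diag = parse_extended_response(sock.recv(4096))  # response is small, one recv is enough
        if rc != 0:
            raise RuntimeError(f"server refused StartTLS: resultCode={rc} {diag!r}")
        # server_hostname must match the certificate SAN/CN; a mismatch fails here,
        # after the LDAP layer already said "success", which looks like a failed bind.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def ldaps_probe(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> str:
    """Same certificate checks, but TLS from the first byte (LDAP over SSL)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


# Constructed sample responses (not captured from a real server) so the parser runs offline.
SAMPLE_OK = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01") + tlv(TAG_EXTENDED_RESPONSE,
    tlv(TAG_ENUMERATED, b"\x00") + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_OCTET_STRING, b"")
    + tlv(TAG_RESPONSE_NAME, STARTTLS_OID)))
SAMPLE_REFUSED = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01") + tlv(TAG_EXTENDED_RESPONSE,
    tlv(TAG_ENUMERATED, b"\x02") + tlv(TAG_OCTET_STRING, b"")
    + tlv(TAG_OCTET_STRING, b"unsupported extended operation")))

if __name__ == "__main__":
    import sys
    host, cafile = sys.argv[1], sys.argv[2]   # placeholders: ldap.example.org /path/to/ca.pem
    for label, probe in (("StartTLS on 389", starttls_probe), ("LDAPS on 636", ldaps_probe)):
        try:
            print(label, "->", probe(host, cafile))
        except (OSError, RuntimeError, ValueError) as exc:   # ssl.SSLError is an OSError
            print(label, "failed:", exc)
```

Read the two results together: a non-zero resultCode means the server refused the StartTLS operation itself; a `ssl.SSLError` after a resultCode of 0 means the LDAP side is fine and the certificate chain or the hostname is what the client rejects, and in that case the LDAPS probe against the same certificate should fail identically, while a StartTLS failure with a working LDAPS probe points at the clear-text-then-upgrade path (a listener that only serves 636, or a frontend that does not pass the extended operation through). The probe stops before any bind, so no credentials are sent while diagnosing.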

franco (Administrator)
Re: Ldap START_TLS Authentication
« Reply #3 on: November 05, 2015, 12:17:36 pm »
You can use https://firewall/diag_authentication.php to test login against the server.

There's a thread here which has a test server to try a remote RADIUS authentication: https://forum.opnsense.org/index.php?topic=686.msg2256#msg2256

I'll try to bring it back up for double-checking.

franco (Administrator)
Re: Ldap START_TLS Authentication
« Reply #4 on: November 05, 2015, 12:33:51 pm »
I think imported users have scrambled passwords at the moment because it's not as easy to link them directly to LDAP...

The RADIUS test server is back up. :)

romuloadmr (Newbie)
Re: Ldap START_TLS Authentication
« Reply #5 on: November 06, 2015, 01:20:59 am »
Thanks for the info Franco!

Funny thing is... I can authenticate just fine using the diag tool against our LDAP server... the test passes.

The problem arises when I import the users from LDAP into the User Manager and try to authenticate them against the Captive Portal... for me it seems like the passwords are messed up, like you pointed out.

Our team would like to use LDAP directly; right now RADIUS is not an option =(.

Anyway, I think we will end up discussing the possibility of using RADIUS xD.

Thanks again!


franco (Administrator)
Re: Ldap START_TLS Authentication
« Reply #6 on: November 06, 2015, 01:03:47 pm »
We did just replace the GUI authentication backend with a pluggable alternative. I don't know what the plans are, but I could imagine this would allow us to maybe use LDAP directly now as well. I'll try to point Ad your way, he's working on the authentication side.
