OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: loredo on October 01, 2019, 03:23:01 pm

Title: LDAPS authentication server certificate issue with Azure AD
Post by: loredo on October 01, 2019, 03:23:01 pm
Hello,

I am trying to add an LDAPS server to the list of authentication options in "System > Access > Servers". More precisely, it is the LDAPS server of Microsoft Azure AD (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps).

This is working absolutely fine on a pfSense machine, users can authenticate in OpenVPN easily.

However, adding the server in OPNsense is a bit of a hassle. When testing the server, this is what the logfile says:

Code:
opnsense: LDAP bind error [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate),Can't contact LDAP server]
The certificate is a self-signed one, created by an internal Sub CA (it was done on the pfSense machine, same way you can do it on OPNsense). However, it seems OPNsense is unable to verify the trust chain for the server certificate while pfSense is.

I installed the entire trust chain into the OPNsense trust store so in general the certificates are there. It just seems that they are not being used.

Can someone help me to find out more and identify the root cause? I am running the latest version, 19.7.4_1.


Thanks,
Julian
Title: Re: LDAPS authentication server certificate issue with Azure AD
Post by: loredo on October 02, 2019, 11:08:47 am
It might be an upstream problem in PHP:
https://bugs.php.net/bug.php?id=73558

Question: Can there be any workaround, e.g. not using LDAP_OPT_X_TLS_CACERTFILE, as it is not working as intended anyway? Putting the configured certificates into the global trust store might work.
Title: Re: LDAPS authentication server certificate issue with Azure AD
Post by: loredo on October 02, 2019, 11:22:46 am
Okay, I found a proper workaround that will do; preferably, https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php would do the same.

I created /root/.ldaprc with following content:

Code:
TLS_REQUIRE_CERT TLS_HARD
TLS_CACERTDIR /var/run/certs

I left out the explicit TLS_CACERTFILE because that name is somewhat dynamic and I didn't want to hardcode it.
I'll open an issue on Github to consider this as an enhancement.
Title: Re: LDAPS authentication server certificate issue with Azure AD
Post by: Droppie391 on April 24, 2020, 01:56:17 pm
For an AD connection, the root or chain certificate of the AD servers must be imported under System > Sicherheit > Aussteller (System > Security > Issuers). We also stored the server certificates there (I no longer remember why). Maybe that is your problem?
Title: Re: LDAPS authentication server certificate issue with Azure AD
Post by: 0xDEADC0DE on May 17, 2020, 03:05:29 am
Droppie391

Can you give me more details? I cannot get it to work.
Did you use IP addresses or domain names? FQDNs?
Do you have the domain names in the certificate in alternative names or directly as CN?
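Added example, not code from any post in this thread and not OPNsense's own code: it illustrates both the TLS_CACERTDIR workaround posted earlier and the closing question about CN versus subject alternative names. The script builds a throwaway root CA, sub CA and LDAPS server certificate with the openssl CLI (the hostname ldaps.example.test and the CA names are placeholders chosen for this example) and then runs the same certificate and hostname verification that libldap delegates to OpenSSL, once per trust-store layout: a CAfile holding only the root, the root plus the intermediate supplied by the server, a bundle file with the whole chain, a TLS_CACERTDIR directory populated with hash-named files, the same directory with plain file names, and finally a correct chain checked against the wrong hostname.

```shell
#!/bin/sh
# Added example: not code from this thread or from OPNsense. It builds a
# throwaway root CA -> sub CA -> LDAPS server chain and runs the OpenSSL
# verification that libldap performs, under the trust-store layouts the
# thread discusses. Hostname and subject names are placeholders.
set -eu

HOST="ldaps.example.test"          # assumed server name, placed in the SAN below
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

keygen() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# issue <name> <subject> <extfile> [<issuer-name>]
# Without an issuer the certificate is self-signed (the root).
issue() {
  keygen "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ $# -eq 4 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 1 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 1 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# OpenSSL's CApath lookup only opens files named <subject-hash>.<n>, which is
# what c_rehash / "openssl rehash" produce; other files in the directory are ignored.
hashed_dir() {
  d="$1"; shift; mkdir -p "$d"
  for c in "$@"; do
    h="$(openssl x509 -noout -hash -in "$c")"
    n=0; while [ -e "$d/$h.$n" ]; do n=$((n + 1)); done
    cp "$c" "$d/$h.$n"
  done
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/srv.ext"
  issue root "/CN=Example Root CA" "$WORK/ca.ext"
  issue sub  "/CN=Example Sub CA"  "$WORK/ca.ext" root
  issue srv  "/CN=$HOST"           "$WORK/srv.ext" sub
  # A CAfile-style bundle holding the whole issuing chain.
  cat "$WORK/root.pem" "$WORK/sub.pem" > "$WORK/chain.pem"
  # A CApath-style directory done right (hash-named files) and wrong (plain copies).
  hashed_dir "$WORK/hashed" "$WORK/root.pem" "$WORK/sub.pem"
  mkdir -p "$WORK/plain" && cp "$WORK/root.pem" "$WORK/sub.pem" "$WORK/plain/"
}

# verify <-CAfile|-CApath> <store> <expected-hostname> [extra openssl verify args]
# Prints "OK" or "FAIL (reason)". -verify_hostname matches the name the way a
# TLS client does: against subjectAltName DNS entries, and against the CN only
# when the certificate carries no SAN at all.
verify() {
  opt="$1"; store="$2"; name="$3"; shift 3
  out="$(openssl verify "$opt" "$store" -verify_hostname "$name" "$@" "$WORK/srv.pem" 2>&1 || true)"
  case "$out" in
    *": OK") echo OK ;;
    *) echo "FAIL ($(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1))" ;;
  esac
}

build_pki
echo "root only, server sends leaf only:     $(verify -CAfile "$WORK/root.pem" "$HOST")"
echo "root only, server also sends sub CA:   $(verify -CAfile "$WORK/root.pem" "$HOST" -untrusted "$WORK/sub.pem")"
echo "bundle with root + sub CA:             $(verify -CAfile "$WORK/chain.pem" "$HOST")"
echo "hash-named TLS_CACERTDIR directory:    $(verify -CApath "$WORK/hashed" "$HOST")"
echo "same certs, plain file names:          $(verify -CApath "$WORK/plain" "$HOST")"
echo "correct chain, wrong hostname:         $(verify -CAfile "$WORK/chain.pem" other.example.test)"
```

Two checks a practitioner can take from this to the thread: if you point TLS_CACERTDIR at a directory, list it and make sure it actually contains hash-named files (c_rehash or openssl rehash create them), because OpenSSL silently ignores a CA that is merely copied in under its own name; and the name you enter as the LDAP server in OPNsense has to appear as a DNS entry in the certificate's subjectAltName (an IP address would have to appear as an iPAddress entry), since the CN is only consulted when the certificate has no SAN at all.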