OPNsense Forum
Archive => 18.7 Legacy Series => Topic started by: alone_k1 on August 09, 2018, 06:54:27 am
-
Respected OPNsense team,
There is a problem when I use the LDAP with SSL-Encryption feature,
according to the following picture:
when I try to choose SSL-Encryption from System -> Servers -> Transport
(http://s9.picofile.com/file/8333968942/image_4_.png)
and after adding the certificate that is generated on the LDAP server to the Authorities section (System -> Trust -> Authorities), and after adding a user from the LDAP directory and giving it the effective privileges, I tried to log in. The first time I tried, it worked correctly, but after restarting configd and logging in from the dashboard I can't log in anymore. When I check the logging section I get the following error:
(http://s8.picofile.com/file/8333969184/unnamed_1.png)
I tried running the list_ciphers.py file and there isn't any problem with it:
(http://s8.picofile.com/file/8333969884/bb.jpg)
I also checked the SSL connection to the LDAP server using openssl, and there isn't any problem with it either:
(http://s8.picofile.com/file/8333969992/image_5_.png)
I don't know what is wrong; could someone help me? It's very important for me: I'm working in an enterprise-level company and it's necessary to make the connection using SSL-Encryption.
Thanks
-
Why do you get an error from Tinc when using LDAP for WebUI??? :o
-
I don't know. Could you guide me in tracing the main problem? I can't figure out which code causes the problem, while everything else is fine.
-
Have you restarted the firewall and tried again? I'm quite sure the logs have nothing to do with it.
-
How is this related to Tutorials or FAQ?
Seems this topic needs to be moved to somewhere else.
-
Is there any idea about this problem?
-
Have you restarted the firewall and tried again? I'm quite sure the logs have nothing to do with it.
???
-
There wasn't any problem until I reset the firewall, and after that I couldn't log in using the LDAP-defined username and password.
-
OK, and now you are locked out? Or do you have access to the console? Was there an upgrade to 18.7 involved, since something changed regarding auth?
-
No, I set the fallback as the local system and I can log in with the local root account, but I need to implement secure LDAP login.
PS: with the default TCP-LDAP mode I can authorize and get access, but as I said, I need to implement it in secure mode.
-
Just for testing:
Go to CLI and open /usr/local/etc/openldap/ldap.conf and add
TLS_REQCERT never
to the end.
Perhaps this helps.
-
Thanks for the answer. How can I trace the main cause of the problem? Is there any detailed log or something related?
-
Via CLI:
clog -f /var/log/system.log
Then you log in and look for errors.
Does the ldap.conf foo work?
-
Thanks for the answer. How can I trace the main cause of the problem? Is there any detailed log or something related?
Hi, thanks for the answer,
the ldap.conf file is all commented out with #. Is this normal?
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
-
Yes, just add the line somewhere. On Linux this always works.
-
I get the following error:
"LDAP bind error (Can't contact LDAP server)"
-
Trying to use StartTLS to see if it works or not :|
-
Trying to use StartTLS to see if it works or not :|
I followed the following configuration:
https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
but it doesn't work either :|||
-
http://s9.picofile.com/d/8334218126/903a6e02-a042-47b6-ae56-f86e4567acf3/ldap.mp4
-
Honestly, OPNsense is full of unpatched bugs.
-
Was using SSL transport working prior to the upgrade to 18.7?
If so, there have been some changes in how authentication is configured in the 18.7 release, as noted in the release notes. I think notes on these particular changes should have been towards the top of the notes and in bold to bring better attention to them, but they are there nonetheless.
Check under System -> Administration -> Authentication and ensure you have all your LDAP servers checked, and also select "Local Database" if you want local fallback.
It used to be that you could only select two items, primary and fallback.
Also there are some slight changes/additions in the Secure Shell configuration, as well as the Users configuration, that may need some attention if you're upgrading from 18.1 to 18.7.
-
Trying to use StartTLS to see if it works or not :|
You should check through all your steps, as I have working SSL and had no issue switching to StartTLS using OPNsense 18.7.
I have personally been using ldaps:// since OPNsense version 15 with no unexpected issues.
Make sure your client URL is supported by your certificate on the server, as the IP and/or URL should be configured in the alt names, or else it will fail the security checks.
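The alt-name check described in the post above, as an added example that is not from the thread or from OPNsense: it lists a server certificate's SANs, tests whether the hostname or IP that OPNsense will use to reach the LDAP server is among them, and offers an openssl probe of the LDAPS port with the CA you imported under System -> Trust -> Authorities. The hostname ldap.example.com and the IP 192.0.2.10 are constructed test values; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): does the LDAP server certificate cover
# the name OPNsense connects to? Failing this check is the usual reason a
# verified TLS bind fails while TLS_REQCERT never (which disables
# verification and is only a diagnostic) makes it "work".
set -eu

# Print the subjectAltName entries of a PEM certificate, one per line,
# e.g. "DNS:ldap.example.com" and "IP Address:192.0.2.10".
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Return 0 if $2 (hostname or IP) is listed in the SANs of $1, else 1.
# Exact match only; wildcard entries are not expanded here.
san_matches() {
    cert="$1"; name="$2"
    cert_sans "$cert" | grep -qxF -e "DNS:$name" -e "IP Address:$name"
}

# Generate a constructed self-signed test certificate in directory $1 with
# two SANs, so the check can be exercised without a real LDAP server.
# Prints the certificate path.
make_test_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ldap.key" -out "$dir/ldap.crt" \
        -subj "/CN=ldap.example.com" \
        -addext "subjectAltName=DNS:ldap.example.com,IP:192.0.2.10" \
        >/dev/null 2>&1
    echo "$dir/ldap.crt"
}

# Live probe (needs network, not run in the test): connect to host:port,
# verify the chain against the imported CA file and print the verify
# result. Anything but "Verify return code: 0 (ok)" means OPNsense's
# verified bind will fail too.
ldaps_probe() {
    host="$1"; cafile="$2"; port="${3:-636}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null 2>&1 \
        | grep -E '^Verify return code'
}
```

Run `ldaps_probe <ldap-host> <ca.pem>` with the same host string you typed into System -> Servers, then `san_matches <server.crt> <that host string>`; if the second fails, the certificate on the LDAP server needs that name added to its SANs rather than the client needing TLS_REQCERT never.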
-
Thanks, I'll check the entire process again, as I have done it 4-5 times before.
-
Trying to use StartTLS to see if it works or not :|
You should check through all your steps, as I have working SSL and had no issue switching to StartTLS using OPNsense 18.7.
I have personally been using ldaps:// since OPNsense version 15 with no unexpected issues.
Make sure your client URL is supported by your certificate on the server, as the IP and/or URL should be configured in the alt names, or else it will fail the security checks.
cordel, could you check your private messages please? I've sent you a private message asking about speaking directly; I really need your help.
Thanks