Messages - rosu

#1
Just wanted to add what I have observed which seems to be the same/similar issue:

  • My original alias configuration (prior to update) persists in the config.xml file under the unboundplus node (as described by OP)
  • The alias configuration in config.xml is reflected in the unbound configuration file /var/unbound/host_entries.conf, so everything is working normally
  • I can add new alias entries via the web UI and these appear in the unbound config and resolve fine
  • No alias entries (either the pre-existing ones or newly created entries) appear in the table in the web UI
The problem appears to be only cosmetic; the functionality of existing/new alias configuration still seems to work fine in unbound. Hopefully this helps clarify.
#2
18.7 Legacy Series / Re: LDAPS bind error
September 10, 2018, 03:46:39 PM
Sorry I didn't articulate my last post very well...

Using LDAP (ie. no STARTTLS/SSL) = working fine
Using LDAPS with TLS_REQCERT never in ldap.conf = working fine

By default TLS_REQCERT = demand, which is what applies if you don't explicitly use never (or always). Refer to https://www.openldap.org/software/man.cgi?query=ldap.conf which explains what these options do.

Anyways, I managed to figure out where I was going wrong in OPNsense. Simply put, I was specifying the public certificate of the LDAP server for OpenLDAP to use in validation instead of the root CA certificate. In other words, make sure you grab the entire certificate chain, which you can get using:
openssl s_client -connect ldap.foxpass.com:636 -showcerts

Then in OPNsense use the root CA in the cert chain as the Peer Certificate Authority and it works perfectly fine.

I really should have read the tool tip more closely... Hopefully this helps someone else avoid making the same mistake
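
To see the mistake described above in practice, here is an added example (not from the post, and not OPNsense code) that builds a throwaway root CA and a server certificate for the hypothetical host ldap.example.com with openssl, then runs the same chain validation OpenLDAP performs under the default TLS_REQCERT demand: with the root CA as the anchor the server certificate verifies, with the server's own certificate as the anchor it is rejected.

```shell
#!/bin/sh
# Added example (not from the forum post): reproduce the trust-anchor mistake
# described above with a throwaway root CA and a server certificate for the
# hypothetical host ldap.example.com, all generated locally by openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the constructed root is explicitly marked as a CA.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed self-signed root CA.
openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
# Constructed server certificate signed by that root (what the LDAP server presents).
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" >/dev/null 2>&1

# Returns 0 when the certificate in $1 is self-signed (subject equals issuer),
# the property a root CA has and a server certificate does not.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Returns 0 when the server certificate in $2 chains to the trust anchor in $1,
# the check OpenLDAP performs with the default TLS_REQCERT demand.
validates_with_anchor() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Root CA configured as the Peer Certificate Authority: the bind would succeed.
validates_with_anchor "$WORK/root.pem" "$WORK/leaf.pem" && echo "root CA as anchor: verified"
# Server's own certificate configured instead (the mistake in the post): rejected.
validates_with_anchor "$WORK/leaf.pem" "$WORK/leaf.pem" || echo "server cert as anchor: rejected"
```

On a real chain from openssl s_client -showcerts, the last certificate for which is_self_signed succeeds is the one to use as the Peer Certificate Authority.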

#3
18.7 Legacy Series / Re: LDAPS bind error
September 07, 2018, 02:13:19 AM
Hello

Thanks for your replies. Unfortunately I'm trying to access a cloud-based LDAP service, so I don't have the luxury of VLANing off my LDAP traffic :( I took a look at the source code and tried to re-run the PHP commands in a CLI session on my own PC:

<?php
// Same sequence of calls OPNsense makes: connect, bind, then a test search.
$ldaphost = "ldaps://ldap.example.com:636";
$ldapUsername = "uid=rosu,ou=Users,o=myorg,dc=example,dc=com";
$ldapPassword = "mypass";
$ldapBasedn = "o=myorg,dc=example,dc=com";

$ds = ldap_connect($ldaphost);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$bth = ldap_bind($ds, $ldapUsername, $ldapPassword);
if ($bth === false) {
    // Surface the underlying OpenLDAP error instead of failing silently.
    exit("bind failed: " . ldap_error($ds) . "\n");
}
// Search the whole base DN and dump what comes back.
$search = ldap_search($ds, $ldapBasedn, "(cn=*)");
echo ldap_count_entries($ds, $search);
$info = ldap_get_entries($ds, $search);
print_r($info);


Again it worked perfectly fine if I wasn't using SSL/STARTTLS, but this was to be expected as I hadn't specified the cert chain to validate. I created the ldap.conf file under C:\OpenLDAP\sysconf\ldap.conf and added TLS_REQCERT never which allowed LDAPS to work on my machine. I'll test specifying the certificate chain to validate in ldap.conf on my machine and see if it works.

I obtained the cert chain from the LDAPS service by using openssl:
openssl s_client -connect ldap.foxpass.com:636 -showcerts

So the cert chain used for validation should all be correct. If it works on my workstation, clearly there is some sort of issue in OPNsense performing the certificate validation. I'll let you know the results.
#4
18.7 Legacy Series / LDAPS bind error
September 05, 2018, 12:35:57 AM
Hello all

I'm trying to configure an LDAP server in OPNsense; however, I am receiving the error:
"LDAP bind error (Can't contact LDAP server)"

I am testing out Foxpass as an LDAP server and I've essentially followed this guide (for pfSense) to validate my config: https://foxpass.readme.io/docs/pfsense-ldap

I am using LDAPS and have set up the cert chain as a trusted authority on OPNsense. Unfortunately I don't know where to look to get more verbose LDAP logs.

I've also validated that I can connect to the directory using the same bind creds from an LDAP client on my workstation. Not too sure what the issue is; if I could get access to some more descriptive logs, that would be a great start.

I saw a post from a few weeks ago where someone seemed to be reporting a similar issue using LDAPS, although it wasn't clear what the underlying issue was, so I thought I'd repost.

Cheers
#5
17.1 Legacy Series / Re: HAProxy Transparent Mode IPFW
February 23, 2017, 05:12:05 AM
Hi Franco

What I modified is basically as per the post I mentioned previously:

Create a new file /usr/local/etc/ipfw_custom.rules for the custom IPFW rules:
add 3000 fwd localhost tcp from ${server_ip} 80 to any in recv vmx1

Modify /usr/local/etc/rc.ipfw to include the custom rules
# reload ipfw rules
/sbin/ipfw -f /usr/local/etc/ipfw.rules
if [ -f /usr/local/etc/ipfw_custom.rules ]; then
    /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules
fi


Modify /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d to enable IPFW
firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"

Then you can configure a backend in HAProxy via the Option pass-through section to use the client IP address as the source:
source 0.0.0.0 usesrc clientip

Just have to ensure that OPNsense is the default gateway for the servers you are load balancing. I believe there is an option called Transparent ClientIP on the pfSense HAProxy addin which will configure IPFW rules etc.
#6
17.1 Legacy Series / HAProxy Transparent Mode IPFW
February 22, 2017, 04:07:13 PM
Hello

I'm using the HAProxy plugin and I needed to run it inline, in transparent mode. In order to make this work I had to add some IPFW rules and basically apply the modifications mentioned in this post: https://forum.opnsense.org/index.php?topic=2214.0

Of course the downside to this is that every update to OPNsense means that the changes need to be reapplied. I was wondering if anyone knew of a better way to make this work or could clarify the response from the previously mentioned post:

Quote: You probably can add a firewall rule using the interface to do the same thing, the included proxy server contains a link to create reflect rules to put the proxy in transparent mode.

Cheers