Messages - stblassitude

#1
So I went to look a bit more, and suddenly sla-len is set to 8, and I'm getting the appropriate /64 on the LAN interface. Very weird.

I think a bit more documentation on the settings would be really helpful...
#2
I have successfully configured DHCPv6-PD, but my LAN interface is getting the full /56 from the PD, instead of breaking it down into multiple /64s for multiple LAN interfaces.

In a different FreeBSD-based install, I have this dhcp6c.conf:


interface em1 {
        send    ia-na   1;
        send    ia-pd   1;
        send    rapid-commit;
        script  "/root/bin/dhcp6cupdate";
};

id-assoc pd 1 {
        prefix ::/56 3600;
        prefix-interface br100 {
                sla-len 8; # break down /56 into /64
                sla-id 0;
        };
};

id-assoc na 1 {
};


The OPNsense-generated dhcp6c.conf looks like this:


interface vlan02 {
  send ia-na 5; # request stateful address
  send ia-pd 5; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt3_script.sh"; # we'd like some nameservers please
};
id-assoc na 5 { };
id-assoc pd 5 {
  prefix ::/64 infinity;
  prefix-interface vlan0.2774 {
    sla-id 0;
    sla-len 0;
  };
};


I can't seem to find any info on how to adjust sla-len.
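How dhcp6c carves a delegated prefix with sla-len and sla-id, as an added example (this is not code from the post, from OPNsense or from dhcp6c itself; the delegated prefix 2001:db8:abcd:ff00::/56 and the interface names are constructed for illustration). dhcp6c writes sla-id into the sla-len bits that immediately follow the delegated prefix, so the prefix handed to a prefix-interface is pd_len + sla_len bits long: a /56 with sla-len 8 yields up to 256 /64s, while sla-len 0 hands the whole delegation to the interface, which is exactly the full /56 on the LAN described in the post. The interface identifier dhcp6c appends to form the actual address is outside the scope of the example.

```python
import ipaddress


def sla_subnet(delegated: str, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """Prefix that a dhcp6c `prefix-interface` block with the given
    sla-id / sla-len receives out of the delegated prefix.

    dhcp6c places sla-id in the sla-len bits right after the delegated
    prefix, so the interface prefix length is pd_len + sla_len.
    sla-len 0 means "no subnetting": the interface gets the whole delegation.
    """
    pd = ipaddress.IPv6Network(delegated)
    if sla_len < 0 or pd.prefixlen + sla_len > 128:
        raise ValueError("sla-len %d does not fit behind a /%d" % (sla_len, pd.prefixlen))
    if sla_id < 0 or sla_id >= (1 << sla_len):
        raise ValueError("sla-id %d does not fit in %d bits" % (sla_id, sla_len))
    new_len = pd.prefixlen + sla_len
    # The SLA field sits directly below the delegated bits; shift it into place.
    subnet = int(pd.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((subnet, new_len))


def plan_lan_prefixes(delegated: str, sla_len: int, interfaces):
    """Give consecutive sla-ids to interfaces; returns {ifname: network}."""
    return {name: sla_subnet(delegated, i, sla_len) for i, name in enumerate(interfaces)}


def render_pd_block(ia_id: int, pd_len: int, sla_len: int, interfaces) -> str:
    """Emit the id-assoc pd block of a dhcp6c.conf for those interfaces."""
    lines = [f"id-assoc pd {ia_id} {{", f"    prefix ::/{pd_len} infinity;"]
    for i, name in enumerate(interfaces):
        lines += [
            f"    prefix-interface {name} {{",
            f"        sla-len {sla_len};",
            f"        sla-id {i};",
            "    };",
        ]
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example delegation (documentation prefix), not a real one.
    pd = "2001:db8:abcd:ff00::/56"
    print("sla-len 0 (OPNsense default above):", sla_subnet(pd, 0, 0))
    for name, net in plan_lan_prefixes(pd, 8, ["br100", "br101", "br102"]).items():
        print(f"sla-len 8, {name}:", net)
    print(render_pd_block(1, 56, 8, ["br100", "br101"]))
```

With sla-len 0 the only legal sla-id is 0 and the interface receives the full /56; with sla-len 8 the same delegation yields 2001:db8:abcd:ff00::/64 through 2001:db8:abcd:ffff::/64, one per sla-id.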
#3
A small update: if I try to use the CA cert with ldapsearch, it doesn't work:


$ echo $LDAPRC
/tmp/ldaprc
$ cat /tmp/ldaprc
TLS_CACERT /tmp/ca.cert
# TLS_REQCERT allow
$ ldapsearch -H ldaps://dc1.example.com -x -W -D "ldapbind@example.com" -b "dc=example,dc=com" -d8 "(sAMAccountName=ldapbind)"
Enter LDAP Password:
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Using the same ca.cert with openssl s_client appears to work just fine:

$ openssl s_client -showcerts -connect dc1.example.com:636 -CAfile /tmp/ca.cert
CONNECTED(00000005)
depth=1 O = Samba Administration, OU = Samba - temporary autogenerated CA certificate, CN = DC1.example.com
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = DC1.example.com
verify return:1
---
Certificate chain
0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=DC1.example.com
   i:/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=DC1.example.com
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 859F9D207D57BFC43E14F695CCAC765D588D9E95E694CB7C917F9AD8EE22D717
    Session-ID-ctx:
    Master-Key: 01573B84ED6CFCF83D6E865600EA1ECBB547674A74752CC61208DCBB33D6CBA3F01F1AFB257504EFC006838BB4E7A599
    Start Time: 1562867827
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
^C


I can't find any info on what a "misc. bad certificate" would be, so I continue to be stuck.
#4
Hi,

I'm having a hard time configuring an LDAP server for my Samba 4-hosted DC. Here's what I've configured: In System > Access > Servers I've created an LDAP server:

Type: LDAP
Hostname: dc1.example.com
Port: 636
Transport: SSL
Peer CA: dc1 CA
Protocol: 3
Bind credentials: ldapbind@example.com
Search scope: Entire Subtree
Base DN: dn=example,dn=com
Authentication Containers: cn=users,dn=example,dn=com
Extended Query:
User naming attribute: sAMAccountName
Read Properties: checked
Synchronize groups: checked
Limit groups: nothing selected

The DNS works.

I've extracted the DC CA cert from the domain controller and added it to the CAs.

When I click Select on Authentication Containers, I get the popup, but without any entries.

I can query the LDAP server from the OPNsense machine with ldapsearch:

root@OPNsense:~ # echo TLS_REQCERT allow >.ldaprc
root@OPNsense:~ # ldapsearch -H ldaps://dc1.example.com -x -W -D "ldapbind@example.com" -b "dc=example,dc=com" -d8 "(sAMAccountName=ldapbind)"

The tester only ever says "authentication failed". I found a couple of posts talking about LDAP logging, but I couldn't find it.

Any hints what I should fill into the form?
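An offline check for the certificate question in posts #3 and #4, as an added example that is not part of the thread and not OPNsense, Samba or OpenLDAP code. The point it illustrates: `openssl s_client -CAfile` in the output above verifies only that the server certificate chains to the CA, and does not by itself check that the name you connected to appears in the certificate unless you pass it the expected hostname, whereas a libldap client that is not running with `TLS_REQCERT allow` requires both (and the kSecTrustResultRecoverableTrustFailure message comes from Apple's Security framework, so that ldapsearch applies the macOS trust policy rather than OpenSSL's). The script builds a throwaway two-level chain shaped like the Samba one (a self-signed CA and a host certificate it signs, with the same CN on both) and runs both checks with `openssl verify`. The hostname dc1.example.com, the temporary file names and the SAN are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the forum thread: build a CA + host certificate
# pair and verify it the way a TLS client does (chain AND hostname).
set -e
HOST="dc1.example.com"          # assumed name, as in the thread
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_chain() {
    # 1. Self-signed CA; `req -x509` marks it basicConstraints CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Samba Administration/OU=test CA/CN=$HOST" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # 2. Host key and CSR with the same CN, like the Samba autogenerated pair.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Samba Administration/OU=test HOST/CN=$HOST" \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
    # 3. Host certificate signed by the CA, carrying a SAN: hostname checks
    #    look at the SAN and fall back to the CN only when there is none.
    printf 'subjectAltName=DNS:%s\n' "$HOST" >"$WORK/san.cnf"
    openssl x509 -req -days 2 -in "$WORK/host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/host.pem" >/dev/null 2>&1
}

# verify_against CAFILE CERT NAME: exit 0 only if CERT chains to CAFILE
# and NAME matches the certificate, which is what a verifying LDAP client
# (TLS_REQCERT demand, the default) insists on.
verify_against() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_chain
if verify_against "$WORK/ca.pem" "$WORK/host.pem" "$HOST"; then
    echo "chain and hostname OK against the CA"
fi
if ! verify_against "$WORK/ca.pem" "$WORK/host.pem" "dc2.example.com"; then
    echo "same chain, wrong name: rejected (a plain s_client chain check would still pass)"
fi
```

Run the same `openssl verify -CAfile ca.cert -verify_hostname dc1.example.com` against the host certificate saved from `s_client -showcerts` to see which of the two checks the real server fails; a chain that passes the first and fails the second points at the name in the certificate, not at the CA file.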