OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of stblassitude »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - stblassitude

Pages: [1]
1
23.1 Legacy Series / Re: IPv6 DHCP-PD: how do I set sla-len?
« on: March 23, 2023, 02:40:43 am »
So went to look a bit more, and suddently sla-len is set to 8, and I'm getting the appriopriate /64 on the LAN interface. Very weird.

I think a bit more documentation on the settings would be really helpful...

2
23.1 Legacy Series / IPv6 DHCP-PD: how do I set sla-len?
« on: March 23, 2023, 12:13:36 am »
I have successfully configured DHCPv6-PD, but my LAN interface is getting the full /56 from the PD, instead of breaking it down into multiple /64 for multiple LAN interfaces.

In a different FreeBSD-based install, I have this dhcp6c.conf:

Code: [Select]
interface em1 {
        send    ia-na   1;
        send    ia-pd   1;
        send    rapid-commit;
        script  "/root/bin/dhcp6cupdate";
};

id-assoc pd 1 {
        prefix ::/56 3600;
        prefix-interface br100 {
                sla-len 8; # break down /56 into /64
                sla-id 0;
        };
};

id-assoc na 1 {
};

The OpnSense generated dhcp6c.conf looks like this:

Code: [Select]
interface vlan02 {
  send ia-na 5; # request stateful address
  send ia-pd 5; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt3_script.sh"; # we'd like some nameservers please
};
id-assoc na 5 { };
id-assoc pd 5 {
  prefix ::/64 infinity;
  prefix-interface vlan0.2774 {
    sla-id 0;
    sla-len 0;
  };
};

I can't seem to find any info on how to adjust sla-len.

3
19.1 Legacy Series / Re: Configuring LDAP server against Samba 4 DC
« on: July 11, 2019, 08:00:49 pm »
A small update: if I try to use the CA cert with ldapsearch, it doesn't work:

Code: [Select]
$ echo LDAPRC
/tmp/ldaprc
$ cat /tmp/ldaprc
TLS_CACERT /tmp/ca.cert
# TLS_REQCERT allow
$ ldapsearch -H ldaps://dc1.example.com -x -W -D "ldapbind@example.com" -b "dc=example,dc=com" -d8 "(sAMAccountName=ldapbind)"
Enter LDAP Password:
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Using the same ca.cert with openldap s_connect appears to work just fine:
Code: [Select]
$ openssl s_client -showcerts -connect dc1.example.com:636 -CAfile /tmp/ca.cert
CONNECTED(00000005)
depth=1 O = Samba Administration, OU = Samba - temporary autogenerated CA certificate, CN = DC1.example.com
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = DC1.example.com
verify return:1
---
Certificate chain
 0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=DC1.example.com
   i:/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=DC1.example.com
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 859F9D207D57BFC43E14F695CCAC765D588D9E95E694CB7C917F9AD8EE22D717
    Session-ID-ctx:
    Master-Key: 01573B84ED6CFCF83D6E865600EA1ECBB547674A74752CC61208DCBB33D6CBA3F01F1AFB257504EFC006838BB4E7A599
    Start Time: 1562867827
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
^C

I can't find any info on what a "misc. bad certificate" would be, so I continue to be stuck.

4
19.1 Legacy Series / Configuring LDAP server against Samba 4 DC
« on: July 10, 2019, 10:59:23 pm »
Hi,

I'm having a hard time configuring an LDAP server for my Samba 4 hosted DC. Here's what I've configured: In System > Access > Servers I've created an LDAP server:

Type: LDAP
Hostname: dc1.example.com
Port: 636
Transport: SSL
Peer CA: dc1 CA
Protocol: 3
Bind credentials: ldapbind@example.com
Search scope: Entire Subtree
Base DN: dn=example,dn=com
Authentication Containers: cn=users,dn=example,dn=com
Extended Query:
User naming attribute: sAMAccountName
Read Properties: checked
Synchronize groups: checked
Limit groups: nothing selected

The DNS works.

I've extracted the DC CA cert from the domain controller and added it to the CAs.

When I click Select on Authentication Containers, I get the popup, but without any entries.

I can query the LDAP server from the OPNsense machine with ldapsearch:

root@OPNsense:~ # echo TLS_REQCERT allow >.ldaprc
root@OPNsense:~ # ldapsearch -H ldaps://dc1.example.com-x -W -D "ldapbind@example.com" -b "dc=example,dc=com" -d8 "(sAMAccountName=ldapbind)"

The tester only ever says "authentication failed". I found a couple of posts talking about LDAP logging, but I couldn't find it.

Any hints what I should fill into the form?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2