Messages - apsandreas

#1
I changed to OpenSSL. It even worked without a reboot, so there was no downtime involved when I did it.
#2
Yes, I read that. But is there a workaround that does NOT require a reboot? This is our main gateway - I cannot do it now as it drops about 50 VPN connections, not to speak of the phone / video conferences... :(

#3
Same applies to me. Is there an immediate fix for it?
#4
19.7 Legacy Series / Re: LDAP and TOTP
November 14, 2019, 04:11:07 PM
Yes, this is what I referred to with
Quote
    You apply an extended search filter for the LDAP query in the authentication server (without TOTP).

In this case it was working as expected when I tested it. Removing the test user from the AD group -> tester fails. Adding him -> tester passes.
#5
19.7 Legacy Series / Re: LDAP and TOTP
November 14, 2019, 02:26:09 PM
I think the issue is the same as described here: https://github.com/opnsense/core/issues/2818#issuecomment-430252059

I think there is a high risk of misconception:

Imagine you are a fw admin:

  • You apply an extended search filter for the LDAP query in the authentication server (without TOTP).
  • You test it, and it works as expected: Removing the user from the VpnUsers group (in the LDAP) has the consequence that the user can no longer use VPN.

Now you want LDAP + TOTP mode:

  • You have to import the user (to assign him a certificate + OTP seed).
  • On import you only see users in the VpnUsers ldap group, as expected

When changing to LDAP + TOTP mode, your expectation is that the extended LDAP query behavior is the same as before (there is no obvious reason that it's not the case).

In fact you lost the ability to manage the users in one place by their LDAP group assignments.

This is an unexpected change in behavior which is neither obvious, nor documented!

Nevertheless, now as I know it, I think I can live with it and I am happy to have MFA running with OpenVPN, which is way more than I expected.
#6
19.7 Legacy Series / Re: LDAP and TOTP
November 14, 2019, 11:56:38 AM
I suppose it has to do with group membership not updating/synchronizing correctly. I got it working by dropping the server and recreating it without the ldap group check.

Then I later came across another issue:

- I now have an extended query &(memberOf=CN=VpnUsers,CN=Users,DC=my,DC=domain,DC=com)
- Server has group membership sync switched on
- A local group with the same name exists
- LDAP user Import is showing only allowed users -> fine
- LDAP + OTP working -> fine

But if my test user is no longer a member of the group in the AD, he is STILL able to log in successfully.

Is group membership only mapped on the first import from LDAP? When is synchronization supposed to happen?
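The reconciliation check the two posts above are asking for, as an added example that is not from this thread or from OPNsense's own code: it evaluates the extended query against a constructed directory snapshot and lists the imported local accounts that the query would no longer admit. The user names, directory entries and the local-user list are all assumed.

```python
# Constructed sample data (invented): the thread's extended query and a tiny snapshot
# of the directory, keyed by sAMAccountName -> attributes.
EXTENDED_QUERY = "&(memberOf=CN=VpnUsers,CN=Users,DC=my,DC=domain,DC=com)"
LDAP_ENTRIES = {
    "alice": {"memberOf": ["CN=VpnUsers,CN=Users,DC=my,DC=domain,DC=com"]},
    "bob":   {"memberOf": ["CN=Staff,CN=Users,DC=my,DC=domain,DC=com"]},
    "carol": {"memberOf": ["CN=VpnUsers,CN=Users,DC=my,DC=domain,DC=com"]},
}
IMPORTED_LOCAL_USERS = ["alice", "bob", "dave"]  # imported for the LDAP + TOTP server

def parse_filter(text):
    """Parse a minimal RFC 4515 filter; OPNsense's field omits the outer parentheses."""
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    node, _rest = _parse(text)
    return node

def _parse(s):
    if s[1] in "&|!":                      # composite node: (&...), (|...), (!...)
        op, rest, children = s[1], s[2:], []
        while rest.startswith("("):
            child, rest = _parse(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), rest[1:]
    end = s.index(")")                     # equality leaf; the value may contain '='
    attr, _, value = s[1:end].partition("=")
    return ("=", attr.lower(), value), s[end + 1:]

def matches(node, attrs):
    """Evaluate a parsed filter against one entry (case-insensitive comparison)."""
    if node[0] == "=":
        _, attr, value = node
        have = {k.lower(): v for k, v in attrs.items()}.get(attr, [])
        return any(v.lower() == value.lower() for v in have)
    op, children = node
    if op == "&":
        return all(matches(c, attrs) for c in children)
    if op == "|":
        return any(matches(c, attrs) for c in children)
    return not matches(children[0], attrs)  # "!"

def stale_imported_users(local_users, ldap_entries, query):
    """Imported users the query no longer admits but who still hold a local TOTP seed."""
    flt = parse_filter(query)
    return sorted(u for u in local_users
                  if u not in ldap_entries or not matches(flt, ldap_entries[u]))
```

Running it on the constructed data reports bob (left the group) and dave (no longer in the directory); those are the accounts whose local seed and certificate should be disabled by hand, since the group filter alone does not do it in this mode.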
#7
19.7 Legacy Series / Re: LDAP and TOTP
November 13, 2019, 05:02:24 PM
Hi Franco,

So my assumption is correct, that the local account is matched against the ldap account? That means seed comes from the local account, whereas the authentication will be done against the LDAP?

How can I check whether there is a mismatch between local / remote user? How are they matched? Is there anything I can check on the shell? Or any kind of verbose logging?

regards

Andreas
#8
19.7 Legacy Series / LDAP and TOTP
November 13, 2019, 02:27:37 PM
Hi,

I would like to set up OpenVPN with authentication against an LDAP (Samba 4 DC) and TOTP.

- I tested successfully with a local created account (following the documentation) -> With success
- I tested successfully with a local account + TOTP (following the documentation) -> With success
- I tested successfully with an LDAP user without OTP -> With success

Just LDAP + TOTP is not working. This is what I did:

- I created a "LDAP + Timebased One Time Password" access server with the exact same LDAP settings as the one without OTP, which I know worked in previous tests.

- Now, how to assign an OTP seed? I googled and found this post: https://forum.opnsense.org/index.php?topic=11882.msg66184#msg66184 where it is mentioned that you have to import the users from the LDAP to OPNsense. I did import my test user, assigned him a seed and scanned the QR code.

- I keep trying to test it with the authentication tester - without success. I tried the LDAP + OTP server (I think this is still what I want). It just won't accept my password + OTP.

Is my understanding correct that OPNsense takes the seed from the local account (that was imported from LDAP), but still does the authentication against the original LDAP? How does it map the user name? sAMAccountName vs local name?

Thx Andreas