Messages - Tasagore

#1
Hi

Newbie question...

I have a domain controller (Windows Server 2025) and an OPNsense configured with Unbound DNS and the Steve Block List as blacklist.

In the DC I've configured the OPNsense as external resolver, and all the clients use the DC DNS (set up by DHCP).

All works fine, but when I take a look at the Unbound DNS reports all traffic comes from my DC, and I need to know who's trying to access blocked sites. Also, if I want to override the blocklist for some specific workstation I probably couldn't, since all the requests come from the same computer (the DC).

So I guess I should configure the DHCP server to assign the OPNsense as DNS resolver, but how must I configure Unbound DNS to use the DC DNS first to resolve the internal requests?

Thanks
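The split the question is asking for, as an added example that is not from the original post or from the OPNsense project: clients get OPNsense as their DNS server, Unbound answers the blocklist and Internet lookups itself (so its reports show the real client addresses), and only the AD zone plus the LAN's reverse zone are forwarded to the DC. The names ad.example.internal, the DC address 10.0.0.10 and the LAN 10.0.0.0/24 are assumptions.

```conf
# Added example (not from the post or from OPNsense). Assumed: AD domain
# ad.example.internal, DC at 10.0.0.10, LAN 10.0.0.0/24.
server:
    # AD answers with RFC 1918 addresses; without this Unbound drops them
    # from forwarded answers when private-address (rebinding protection) is set.
    private-domain: "ad.example.internal"

    # The AD zone and the reverse zone are unsigned; if DNSSEC validation is on,
    # answers for them would otherwise be treated as bogus.
    domain-insecure: "ad.example.internal"
    domain-insecure: "10.in-addr.arpa"

    # Unbound ships a built-in empty zone for 10.in-addr.arpa (NXDOMAIN);
    # switch it off so reverse queries reach the forward-zone below.
    local-zone: "10.in-addr.arpa." nodefault

# Everything under the AD domain, including _msdcs/_sites/_tcp SRV records,
# goes to the DC. Everything else is resolved by Unbound (blocklist applies).
forward-zone:
    name: "ad.example.internal"
    forward-addr: 10.0.0.10

# Reverse lookups for the LAN go to the DC as well.
forward-zone:
    name: "0.0.10.in-addr.arpa"
    forward-addr: 10.0.0.10
```

In the OPNsense GUI the two forward-zone stanzas correspond to entries under Services > Unbound DNS > Query Forwarding (domain plus server IP); as raw Unbound syntax they can go in a file under /usr/local/etc/unbound.opnsense.d/. The DC can keep OPNsense as its forwarder: the DC is authoritative for its own zone, so it never forwards those names back and no loop forms. The DHCP change (hand out the OPNsense address, not the DC) is what makes the reports show per-client sources.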

#3
Quote from: Patrick M. Hausen on January 03, 2025, 04:26:27 PM
Are you using LDAP (port 389) or LDAPS (port 636)? If not the latter, why not?

I'm using LDAP (389) since that's how the AD server is (apparently) configured.

Locally, using bind with credentials works OK without SSL; simple bind is what fails, and I guess that's the bind mode OPNsense is using.

I'm trying to set it up with SSL, but now the connection to the server fails (ldap_error: Can't contact LDAP server). I'm taking a look at the AD configuration on the Windows side.

#4
Hi

I have a Windows Server 2025 as AD. The server has the policy Network security: LDAP client signing requirements set to undefined (I've also tried with disabled), and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity has the value 1, so everything seems to be configured to accept LDAP binding without SSL/TLS.

In OPNsense I configure all the LDAP settings, but when I test the connection it shows this error:

The following input errors were detected:
Authentication failed.
error: 00002028: LdapErr: DSID-0C090343, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4
ldap_error: Strong(er) authentication required

Probably it's a Windows Server issue, but I can't find how to solve it. It seems that MS has disabled simple bind, since when I try that from the server the same error appears (it works if I use bind with credentials).

Any idea?
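Both the 00002028 "integrity checking" error in post #4 and the "Can't contact LDAP server" failure over SSL in post #3 can be checked from the DC side. The PowerShell below is an added example, not from the thread, from OPNsense or from Microsoft; it assumes a DC named dc01.ad.example.internal and a bind account svc_opnsense@ad.example.internal, must be run as an administrator on the DC, and the Test-SimpleBind function is this example's own. Result code 8 in LDAP is strongerAuthRequired, which is the "Strong(er) authentication required" text OPNsense prints; the server-side text in the error (comment: The server requires binds to turn on integrity checking ...) is the DC's LDAP server signing policy talking, and that policy is "Domain controller: LDAP server signing requirements", stored in LDAPServerIntegrity (1 = None, 2 = Require signing), not the "Network security: LDAP client signing requirements" policy, which only governs the machine's own outbound LDAP clients.

```powershell
# Added example (not from the thread, OPNsense or Microsoft). Run as an
# administrator on the DC. Assumed names: dc01.ad.example.internal,
# svc_opnsense@ad.example.internal.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
$dc   = 'dc01.ad.example.internal'

# 1. The setting behind error 2028: "Domain controller: LDAP server signing
#    requirements" -> NTDS\Parameters\LDAPServerIntegrity (1 = None, 2 = Require signing).
$integrity = (Get-ItemProperty -Path "$ntds\Parameters" -Name LDAPServerIntegrity `
              -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($integrity -eq 2) { 'LDAPServerIntegrity = 2: unsigned simple binds on 389 are rejected' }
else                  { "LDAPServerIntegrity = $integrity: unsigned simple binds on 389 should be accepted" }

# 2. Reproduce what OPNsense does: an LDAP simple bind (AuthType Basic), first
#    over plain 389, then over LDAPS 636, and show the DC's own diagnostic text.
Add-Type -AssemblyName System.DirectoryServices.Protocols
function Test-SimpleBind {
    param([string]$Server, [int]$Port, [bool]$Ssl, [string]$User, [securestring]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.SessionOptions.SecureSocketLayer = $Ssl                            # TLS from the start on 636
    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($User, $Password)))
        "{0}:{1} ssl={2}: bind OK" -f $Server, $Port, $Ssl
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the LdapException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.DirectoryServices.Protocols.LdapException])) { $ex = $ex.InnerException }
        if (-not $ex) { throw }
        # ErrorCode 8 = strongerAuthRequired. ServerErrorMessage is the
        # "00002028: LdapErr: DSID-..." text. A TLS/certificate problem on 636
        # surfaces here as a different LdapException, not as 2028.
        "{0}:{1} ssl={2}: resultCode {3}: {4}" -f $Server, $Port, $Ssl, $ex.ErrorCode, $ex.ServerErrorMessage
    } finally { $conn.Dispose() }
}
$user = 'svc_opnsense@ad.example.internal'   # assumed bind account (UPN works for simple bind)
$pass = Read-Host -Prompt "Password for $user" -AsSecureString
Test-SimpleBind -Server $dc -Port 389 -Ssl $false -User $user -Password $pass
Test-SimpleBind -Server $dc -Port 636 -Ssl $true  -User $user -Password $pass

# 3. Who is doing unsigned simple binds: with "16 LDAP Interface Events" at 2 the
#    DC writes event 2889 to the Directory Service log for each one, naming the
#    client IP:port and the account used, so the OPNsense attempts become visible.
Set-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Type DWord
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -MaxEvents 20 `
    -ErrorAction SilentlyContinue | Format-List TimeCreated, Message

# 4. For the post #3 failure on SSL: is anything listening on 636, and is there a
#    certificate with the Server Authentication EKU that the DC could present?
Get-NetTCPConnection -LocalPort 636 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, NotAfter, Thumbprint
```

Step 2 is the useful comparison: the 389 bind should reproduce the exact "00002028 ... integrity checking" message from the post if the DC is the one demanding signing, and the 636 bind shows whether the same credentials work once TLS is on, which is what Patrick's question about LDAPS was getting at. Set "16 LDAP Interface Events" back to 0 afterwards; at level 2 a busy DC logs one 2889 per unsigned bind.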