19.7 Legacy Series / LDAPS authentication server certificate issue with Azure AD
« on: October 01, 2019, 03:23:01 pm »
Hello,
I am trying to add an LDAPS server to the list of authentication options in "System > Access > Servers". More precisely, it is the LDAPS server of Microsoft Azure AD (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps).
This is working absolutely fine on a pfSense machine, users can authenticate in OpenVPN easily.
However, adding the server in OPNsense is a bit of a hassle. When testing the server, this is what the logfile says:
Code:
opnsense: LDAP bind error [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate),Can't contact LDAP server]
The certificate is a self-signed one, created by an internal Sub CA (it was done on the pfSense machine, same way you can do it on OPNsense). However, it seems OPNsense is unable to verify the trust chain for the server certificate while pfSense is.
I installed the entire trust chain into the OPNsense trust store so in general the certificates are there. It just seems that they are not being used.
Can someone help me to find out more and identify the root cause? I am running on the latest version, 19.7.4_1.
Thanks,
Julian
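OpenSSL reports two similar-looking issuer errors, and they point at different gaps in the trust store. The following sh script is an added example, not code from the post or from OPNsense: it builds a throwaway root CA, Sub CA and LDAPS server certificate with openssl and verifies the server certificate against three trust bundles to show which gap produces which message. The CA names, the host name ldaps.example.test and the temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Offline reproduction of the two OpenSSL "issuer" errors, to show which one the
# log above reports. Builds root CA -> Sub CA -> LDAPS server cert, then
# verifies the server cert against different trust bundles.
# All names and paths are constructed for this demo.
set -e
WORK="${TMPDIR:-/tmp}/ldaps-chain-demo.$$"
trap 'rm -rf "$WORK"' EXIT

build_chain() {
  mkdir -p "$WORK" && cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'subjectAltName=DNS:ldaps.example.test\n' > leaf.ext
  # Self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3 -extfile ca.ext \
    -out root.crt 2>/dev/null
  # Sub CA issued by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
    -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 3 -extfile ca.ext -out sub.crt 2>/dev/null
  # LDAPS server certificate issued by the Sub CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldaps.example.test" \
    -keyout ldap.key -out ldap.csr 2>/dev/null
  openssl x509 -req -in ldap.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 3 -extfile leaf.ext -out ldap.crt 2>/dev/null
  cat root.crt sub.crt > bundle.crt
}

# verify_leaf TRUST_BUNDLE: OpenSSL's verdict on ldap.crt using only that bundle
# (-no-CApath keeps the system CA directory out of the picture).
verify_leaf() {
  openssl verify -no-CApath -CAfile "$1" "$WORK/ldap.crt" 2>&1 || true
}

build_chain
echo "--- only the root trusted, Sub CA unknown:"
verify_leaf "$WORK/root.crt"     # unable to get local issuer certificate
echo "--- Sub CA trusted, root unknown (the message in the log):"
verify_leaf "$WORK/sub.crt"      # unable to get issuer certificate
echo "--- root and Sub CA both in the bundle:"
verify_leaf "$WORK/bundle.crt"   # ldap.crt: OK
```

The message quoted in the post is the one OpenSSL gives when it did find an issuer for the server certificate but could not find that issuer's own issuer, so the root CA (and whether the LDAP client is reading the store it was installed into) is the piece to check first.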