Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
LDAP / self signed certificate
« previous
next »
Print
Pages: [
1
]
Author
Topic: LDAP / self signed certificate (Read 4399 times)
tmbopn
Newbie
Posts: 4
Karma: 0
LDAP / self signed certificate
«
on:
April 07, 2020, 08:22:15 am »
Hi,
Not sure if the following is a bug or a result of hardening.
I try to connect the OPNsense user authentication with an LDAP server and need to use a TLS connection since the OpenLDAP server does not provide the required fields with anonymous logon. I can reach the server but unfortunately the TLS connection does not connect since the LDAP server uses a self-signed certificate. The opnsense log shows:
opnsense: Could not startTLS on ldap connection [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate),Connect error]
I could not find a checkbox which allows to accept self signed certificates. Is there a work around (may be in the shell) to accept the certificate once to have it validated?
Thanks
TMB
Logged
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: LDAP / self signed certificate
«
Reply #1 on:
April 07, 2020, 09:48:10 am »
Try System, Trust, Certificates, Add
It would be better if you could use a shared CA.
Bart...
Logged
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: LDAP / self signed certificate
«
Reply #2 on:
April 07, 2020, 11:54:15 am »
Most environments use self signed certificates for LDAP and ActiveDirectory.
There is nothing wrong but you need to trust the internal CA.
The best and safest way is to setup the trust within your organization with all devices.
Logged
Twitter: banym
Mastodon: banym@bsd.network
Blog:
https://www.banym.de
tmbopn
Newbie
Posts: 4
Karma: 0
Re: LDAP / self signed certificate
«
Reply #3 on:
April 07, 2020, 12:56:30 pm »
Quote from: bartjsmit on April 07, 2020, 09:48:10 am
Try System, Trust, Certificates, Add
I already did this. When I configured LDAP I also imported manually the cerificate from the LDAP Server into OPNsense.
Logged
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: LDAP / self signed certificate
«
Reply #4 on:
April 07, 2020, 01:11:24 pm »
Do you have control over the LDAP server? Configure it with a certificate from a mutually trusted CA if you do.
If not, you could consider an LDAP proxy or slave server and set this up with a trusted cert.
Bart...
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: LDAP / self signed certificate
«
Reply #5 on:
April 08, 2020, 10:36:21 am »
You need to import the root certificate, not the server certificate.
If it's really self signed this wont work. You need min a private pki
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
tmbopn
Newbie
Posts: 4
Karma: 0
Re: LDAP / self signed certificate
«
Reply #6 on:
April 08, 2020, 12:08:40 pm »
Thank's for the comments which triggered that I had to learn a bit more about the Certificate Authority. I created one in OPNsense and created also a server certificate - both self signed. Then I exported the server certificate and imported it to the LDAP server. Now it works.
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: LDAP / self signed certificate
«
Reply #7 on:
April 08, 2020, 01:57:32 pm »
As far as I remember a self-signed certificate works, but it needs to be added under System: Trust: Authorities, not Certificates.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
LDAP / self signed certificate