LDAP / self signed certificate

Started by tmbopn, April 07, 2020, 08:22:15 AM

Hi,

Not sure if the following is a bug or a result of hardening.

I try to connect the OPNsense user authentication with an LDAP server and need to use a TLS connection since the OpenLDAP server does not provide the required fields with anonymous logon. I can reach the server but unfortunately the TLS connection does not connect since the LDAP server uses a self-signed certificate. The opnsense log shows:

opnsense: Could not startTLS on ldap connection [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate),Connect error]

I could not find a checkbox which allows to accept self signed certificates. Is there a work around (may be in the shell) to accept the certificate once to have it validated?

Thanks
  TMB

Try System, Trust, Certificates, Add

It would be better if you could use a shared CA.

Bart...

Most environments use self signed certificates for LDAP and ActiveDirectory.
There is nothing wrong but you need to trust the internal CA.

The best and safest way is to setup the trust within your organization with all devices.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Quote from: bartjsmit on April 07, 2020, 09:48:10 AM
Try System, Trust, Certificates, Add

I already did this. When I configured LDAP I also imported manually the certificate from the LDAP Server into OPNsense.

Do you have control over the LDAP server? Configure it with a certificate from a mutually trusted CA if you do.

If not, you could consider an LDAP proxy or slave server and set this up with a trusted cert.

Bart...

You need to import the root certificate, not the server certificate.
If it's really self signed this won't work. You need at minimum a private PKI.

Thanks for the comments which triggered that I had to learn a bit more about the Certificate Authority. I created one in OPNsense and also created a server certificate - both self signed. Then I exported the server certificate and imported it to the LDAP server. Now it works.


As far as I remember a self-signed certificate works, but it needs to be added under System: Trust: Authorities, not Certificates.


Cheers,
Franco
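As an added example (not code from this thread or from OPNsense), the script below builds a throwaway PKI with openssl and reproduces the three outcomes discussed above: a self-signed server certificate failing against a trust store that only holds a CA (the "certificate verify failed (self signed certificate)" case from the first post), the CA-issued server certificate that TMB ended up with verifying fine, and Franco's point that a self-signed certificate verifies when it is itself installed as an authority. The host name and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): build a throwaway PKI with openssl
# and show what the startTLS verification step accepts or rejects, depending on what
# the trust store contains. Host name and file names are constructed for the example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
LDAP_HOST="ldap.example.internal"   # constructed placeholder

build_pki() {
  # (a) a purely self-signed server certificate, as the OP's LDAP server had
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$LDAP_HOST" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
  # (b) a private CA, as the OP later created under System: Trust in OPNsense
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Internal Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # (c) a server certificate issued by that CA, to be installed on the LDAP server
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$LDAP_HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/server.crt" 2>/dev/null
}

# verify_against TRUSTSTORE CERT -> prints "ok" or "fail"; this is the same chain
# building check a TLS client performs on the server certificate it receives.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

build_pki

# Self-signed server cert, trust store holds only the CA: the error from the first post.
verify_against "$WORK/ca.crt" "$WORK/selfsigned.crt"          # fail
# CA-issued server cert, trust store holds the CA: the OP's working setup.
verify_against "$WORK/ca.crt" "$WORK/server.crt"              # ok
# Self-signed server cert installed directly as an authority (Franco's remark): also ok,
# because a self-signed certificate present in the trust store is itself a trust anchor.
verify_against "$WORK/selfsigned.crt" "$WORK/selfsigned.crt"  # ok

# Against a live LDAP server the equivalent check is (needs network, not run here):
#   openssl s_client -connect "$LDAP_HOST:389" -starttls ldap -CAfile "$WORK/ca.crt"
# and the line to look for in its output is "Verify return code: 0 (ok)".
```

The practical consequence is the one Franco states: whatever signed the LDAP server's certificate, whether a private CA or the self-signed certificate itself, is what has to be imported as an authority, not as a certificate.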