Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
15.7 Legacy Series
»
Ldap START_TLS Authentication
« previous
next »
Print
Pages: [
1
]
Author
Topic: Ldap START_TLS Authentication (Read 7323 times)
romuloadmr
Newbie
Posts: 4
Karma: 0
Ldap START_TLS Authentication
«
on:
November 04, 2015, 12:15:27 am »
Hello everyone,
I would like use a Ldap database to authenticate users that will be acessing the internet through our Captive Portal in OPNSense
My Ldap Server only allows connections via START_TLS mechanism.
I have imported the CA Certificate into the OPNSense however the bind operation fails. I have checked the server logs and it seems like the Start_Tls operation fails for some reason.
Am i missing something here? Is it possible to use START_TLS or i should be using ldaps?
Thanks in advance!
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: Ldap START_TLS Authentication
«
Reply #1 on:
November 04, 2015, 08:02:01 am »
Is there any log message in the OPNsense logs? There must be some more info on why this fails.
Logged
romuloadmr
Newbie
Posts: 4
Karma: 0
Re: Ldap START_TLS Authentication
«
Reply #2 on:
November 05, 2015, 11:49:22 am »
Thanks for the reply! xD
I did and i was'nt able to find any clue =(. However i started a new ldapserver for testing purposes and i was able to authenticate using Ldap over SSL (port 636), instead of standard tcp + Start_TLS.
However, for some reason Ldap users imported into the system are unable to authenticate against our Captive Portal. Authentication works fine for any local user.
I will keep digging into this...any help would be much appreciated.
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: Ldap START_TLS Authentication
«
Reply #3 on:
November 05, 2015, 12:17:36 pm »
You can use
https://firewall/diag_authentication.php
to test login against the server.
There's a thread here which has a test server to try a remote RADIUS authentication:
https://forum.opnsense.org/index.php?topic=686.msg2256#msg2256
I'll try to bring it back up for double-checking.
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: Ldap START_TLS Authentication
«
Reply #4 on:
November 05, 2015, 12:33:51 pm »
I think imported users have scrambled passwords at the moment because it's not as easy to link them directly to LDAP...
The RADIUS test server is back up.
Logged
romuloadmr
Newbie
Posts: 4
Karma: 0
Re: Ldap START_TLS Authentication
«
Reply #5 on:
November 06, 2015, 01:20:59 am »
Thanks for the info Franco!
Funny thing is...i can authenticate just fine using the diag tool against our ldap server..the test passes.
The problem arises when i import the users from Ldap to the User Manager and try to authenticate them against the Captive Portal...for me it seems like the passwords are messed up like you pointed out.
Our team would like to use Ldap directly, right now Radius is not an option =(.
Anyway i think we will end up discussing the possibility of using Radius xD.
Thanks again!
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: Ldap START_TLS Authentication
«
Reply #6 on:
November 06, 2015, 01:03:47 pm »
We did just replace the GUI authentication backend with a pluggable alternative. I don't know what the plans are, but I could imagine this would allow us to maybe use LDAP directly now as well. I'll try to point Ad your way, he's working on the authentication side.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
15.7 Legacy Series
»
Ldap START_TLS Authentication