
LDAP / self signed certificate


tmbopn:
Hi,

Not sure if the following is a bug or a result of hardening.

I am trying to connect the OPNsense user authentication to an LDAP server and need to use a TLS connection, since the OpenLDAP server does not provide the required fields with anonymous logon. I can reach the server, but unfortunately the TLS connection fails because the LDAP server uses a self-signed certificate. The OPNsense log shows:

opnsense: Could not startTLS on ldap connection [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate),Connect error]

I could not find a checkbox which allows accepting self-signed certificates. Is there a workaround (maybe in the shell) to accept the certificate once so that it validates?

Thanks
  TMB

bartjsmit:
Try System, Trust, Certificates, Add

It would be better if you could use a shared CA.

Bart...

banym:
Most environments use self-signed certificates for LDAP and Active Directory.
There is nothing wrong with that, but you need to trust the internal CA.

The best and safest way is to set up the trust within your organization on all devices.

tmbopn:

--- Quote from: bartjsmit on April 07, 2020, 09:48:10 am ---Try System, Trust, Certificates, Add

--- End quote ---

I already did this. When I configured LDAP I also manually imported the certificate from the LDAP server into OPNsense.

bartjsmit:
Do you have control over the LDAP server? Configure it with a certificate from a mutually trusted CA if you do.

If not, you could consider an LDAP proxy or slave server and set this up with a trusted cert.

Bart...
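As an added diagnostic (not code from this thread or from OPNsense), the following Python script repeats what the OPNsense LDAP connector does at the failing step: it sends the LDAP StartTLS extended operation and then performs a verified TLS handshake against a CA file, which lets you see whether the certificate the server actually presents chains to the CA you imported, or whether the failure is a hostname mismatch instead. The host, port and CA file path are placeholders; the sample response bytes are constructed so the parsing can be exercised offline.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber(tag, payload):
    """Encode one BER TLV; short-form length suffices for StartTLS messages."""
    return bytes([tag, len(payload)]) + payload

def read_tlv(buf, pos=0):
    """Decode one short-form BER TLV at pos; return (tag, value, next position)."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([message_id])) + ext)

def parse_result_code(resp):
    """Return resultCode from an ExtendedResponse [APPLICATION 24]; 0 means success."""
    tag, msg, _ = read_tlv(resp)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)            # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = read_tlv(op)
    if tag != 0x0A:                      # resultCode is an ENUMERATED
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

# Constructed sample: a server's StartTLS ExtendedResponse with resultCode success(0).
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")

def check_ldap_starttls(host, port=389, cafile=None, timeout=5):
    """StartTLS, then a *verified* handshake against cafile (the CA you imported).
    Returns (ldap_result_code, verify_message); verify_message is None when the
    chain validates, otherwise the OpenSSL reason text (e.g. 'self signed certificate')."""
    ctx = ssl.create_default_context(cafile=cafile)  # placeholder path supplied by caller
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            return code, None                # server refused StartTLS; no TLS attempted
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return 0, None
        except ssl.SSLCertVerificationError as e:
            return 0, e.verify_message
```

If the handshake reports 'self signed certificate', the server is sending a leaf that is its own issuer and that exact certificate is not in the CA file; a hostname mismatch points at the SAN/CN rather than the trust store.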
