trouble connecting to ldap ssl 636

Started by thorstensd, July 06, 2020, 08:31:37 AM

July 06, 2020, 08:31:37 AM Last Edit: July 08, 2020, 08:56:55 AM by thorstensd
Hello,

I'm having trouble connecting to my Active Directory with LDAP over SSL on port 636:

opnsense: LDAP bind error [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate),Can't contact LDAP server]

I copied the certificate given by
openssl s_client -connect ad.domain.intern:636 -showcerts

to system -> trust -> authorities -> add -> certificate data

Still the same problem. After hours of googling and testing, I have no further ideas where the problem comes from.

The version I'm using is 20.1.3

Any help would be appreciated.

Best regards, Thorsten

I'm still working on this problem, due to the situation that Microsoft will stop LDAP without SSL in the future.

I have also tested adding the certificate of my LDAP server to
system -> trust -> certificates
but no effect.

Is there maybe a possibility to deactivate the check of the certificate and only accept it?

By using Google, I found comments for older versions saying that I have to add the certificate as the peer certificate of the LDAP server. On version 20.1 it seems this function is not available anymore - could that be the problem?

Thank you very much.

For anybody else in the future having this kind of problem - I found 2 solutions.
1. I'm using a Windows certificate authority inside my network. In all the info I found on the web, a single piece of information was missing. The one and only thing you need to do (if your Microsoft authority is up and running) is to put your internal public CA certificate into system -> trust -> authority (only the data field is needed). Reboot OPNsense and it will work (in my case).
2. Second solution: use the HA-Bridge. I found a very simple instruction and it is working exactly as written in this documentation:
https://www.routerperformance.net/opnsense-bypass-ldaps-errors-via-haproxy/
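As an added example (not from either poster, and not OPNsense's own code), the following script reproduces the "unable to get local issuer certificate" failure offline with a throwaway CA, so you can see why pasting the DC's leaf certificate into the trust store does nothing while pasting the issuing CA fixes it. The CA name "Example Internal CA" and the host name ad.domain.intern are made up; it only needs a local openssl binary.

```shell
#!/bin/sh
# Added example: build a private CA and a server certificate signed by it,
# then verify the server certificate against (a) itself and (b) the CA.
# Names below are constructed for the demo; no network access is needed.
set -e
WORK=$(mktemp -d)
CA_CERT="$WORK/ca.crt"
SERVER_CERT="$WORK/server.crt"

# 1. A private root CA, standing in for the Windows certificate authority.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$CA_CERT" >/dev/null 2>&1

# 2. A server key and CSR for the (hypothetical) domain controller name.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ad.domain.intern" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1

# 3. The CA signs the server certificate. This leaf is what
#    "openssl s_client -showcerts" prints when you talk to the DC;
#    the issuing CA certificate is usually NOT in that output.
openssl x509 -req -in "$WORK/server.csr" -CA "$CA_CERT" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -sha256 -out "$SERVER_CERT" >/dev/null 2>&1

# verify_against ANCHOR: returns 0 if the server certificate chains to the
# given trust-anchor file, non-zero otherwise. This is the same chain
# building the LDAP client does during the TLS handshake, so a failure here
# is the same "unable to get local issuer certificate" seen in the log.
verify_against() {
  openssl verify -CAfile "$1" "$SERVER_CERT" >/dev/null 2>&1
}

# is_self_signed CERT: returns 0 if subject and issuer are identical, i.e.
# the file is a root CA certificate and not a leaf. Run this on whatever you
# are about to paste into system -> trust -> authorities.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')
  [ "$subj" = "$iss" ]
}

# Demo: the leaf as trust anchor fails, the CA as trust anchor succeeds.
if verify_against "$SERVER_CERT"; then
  echo "leaf as anchor: OK (unexpected)"
else
  echo "leaf as anchor: FAILS (unable to get local issuer certificate)"
fi
if verify_against "$CA_CERT"; then
  echo "CA as anchor:   OK"
fi
if is_self_signed "$SERVER_CERT"; then
  echo "server.crt is self-signed"
else
  echo "server.crt is a leaf; import its issuer, not this file"
fi
```

On a real setup, run the is_self_signed check on the file you exported from the Windows CA before importing it; if subject and issuer differ, you have an intermediate or the DC's leaf rather than the root, and the chain check will keep failing. Because the script uses set -e, any openssl call that fails aborts it rather than silently producing misleading output.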

Hey thorstensd

I'm trying to connect an OPNsense to an AD (in Azure) and I'm having the same problem as you had.

What do you mean when you say

"The one and only thing you need to do (if your Microsoft authority is up and running) is to put your internal public CA certificate into system -> trust -> authority (only the data field is needed)"

Is it not the same as doing
openssl s_client -connect ad.domain.intern:636 -showcerts
and importing the CA into trust -> authority?

Thanks in advance