Connecting to AD for VPN Authentication

Started by michaelsage, November 01, 2024, 11:03:36 AM

Hi,

This was working until recently, I thought I'd found an issue with a cert, but turns out it wasn't the issue. I am trying to authenticate against Windows AD (functional level 2016). Everything looks ok, certs and config, but when I use the tester, I get the following error:

LDAP bind error [error:0A000086:SSL routines::certificate verify failed (CA signature digest algorithm too weak); Can't contact LDAP server]

I don't really know where to look. For now I have set our VPN to use local users but I'd like to go back to AD if possible. Any ideas?

Thanks!

You can use stunnel to connect to your DC over LDAPS (port 636), ignoring cert validity, and present an unencrypted LDAP socket at 127.0.0.1:389. Then use this for OpenVPN. No unencrypted packet leaves the firewall.

I got tired of messing with the idiosyncrasies of Windows and certificates. Has been running stably for years.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
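The stunnel setup described in the reply above, written out as an added example (it is not the poster's own config). The DC hostname, the config path and the service name are assumptions; the commented lines show how to pin the DC certificate instead of skipping verification entirely, so the tunnel is authenticated as well as encrypted.

```ini
; /usr/local/etc/stunnel/stunnel.conf   (path assumed; adjust for your install)
; Added example: plain LDAP on the loopback interface, TLS to the DC.

foreground = no
pid = /var/run/stunnel.pid

[ldap-to-dc]
; Act as a TLS client towards the DC, not as a server.
client = yes

; Local, unencrypted side: only reachable from the firewall itself.
accept = 127.0.0.1:389

; Remote LDAPS side (DC hostname is an assumption).
connect = dc01.example.local:636

; Never fall below TLS 1.2 towards the DC.
sslVersionMin = TLSv1.2

; As in the reply: do not validate the DC certificate chain. This is what
; avoids the "CA signature digest algorithm too weak" failure, but it also
; means any certificate is accepted on the DC side.
verifyChain = no

; Stricter alternative: keep verifyChain = no (so the weak-digest CA is not
; evaluated) but require the presented leaf certificate to match a copy of
; the DC's own certificate. Export the DC cert to CAfile in PEM form first.
; verifyPeer = yes
; CAfile = /usr/local/etc/stunnel/dc01.pem
```

In the VPN's LDAP server settings, point the host at 127.0.0.1, port 389, plain LDAP (no STARTTLS), since stunnel already provides the encryption to the DC.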

That sounds interesting. I'll take a look. Thanks!

Well that took about 2 mins to get working! Thank you very much!