Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
24.7 Production Series
»
Connecting to AD for VPN Authentication
« previous
next »
Print
Pages: [
1
]
Author
Topic: Connecting to AD for VPN Authentication (Read 134 times)
michaelsage
Newbie
Posts: 15
Karma: 2
Connecting to AD for VPN Authentication
«
on:
November 01, 2024, 11:03:36 am »
Hi,
This was working until recently, I thought I'd found an issue with a cert, but turns out it wasn't the issue. I am trying to authenticate against Windows AD (functional level 2016). Everything looks ok, certs and config, but when I use the tester, I get the following error:
LDAP bind error [error:0A000086:SSL routines::certificate verify failed (CA signature digest algorithm too weak); Can't contact LDAP server]
I don't really know where to look. For now I have set our VPN to use local users but I'd like to go back to AD if possible. Any ideas?
Thanks!
Logged
Patrick M. Hausen
Hero Member
Posts: 6797
Karma: 571
Re: Connecting to AD for VPN Authentication
«
Reply #1 on:
November 01, 2024, 11:50:42 am »
You can use stunnel to connect to your DC over LDAPS, port 636 ignoring cert validity and present an unencrypted LDAP socket at 127.0.0.1:389. Then use this for OpenVPN. No unencrypted packet leaves the firewall.
I got tired of messing with the idiosyncrasies of Windows and certificates. Has been running stably for years.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
michaelsage
Newbie
Posts: 15
Karma: 2
Re: Connecting to AD for VPN Authentication
«
Reply #2 on:
November 01, 2024, 03:55:11 pm »
That sounds interesting. I'll take a look. Thanks!
Logged
michaelsage
Newbie
Posts: 15
Karma: 2
Re: Connecting to AD for VPN Authentication
«
Reply #3 on:
November 01, 2024, 04:04:11 pm »
Well that took about 2 mins to get working! Thank you very much!
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
24.7 Production Series
»
Connecting to AD for VPN Authentication