Auth Server: LDAP: Fails since upgrade to 25.1.9

Started by snfx79, June 26, 2025, 07:23:57 PM

Hi,

Since I upgraded to 25.1.9, LDAP auth server authentication fails with:

Error   audit   Could not startTLS on ldap connection [error:0200008A:rsa routines::invalid padding; Connect error]

Additional information:
* Previous working version: 25.1.8
* Backend LDAP server version: 2.5.13+dfsg-5 (Debian bookworm)

Tested from opnsense cli:
* openssl s_client -starttls ldap -connect my_server_fqdn:389

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4197 bytes and written 443 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

* ldapwhoami -H ldap://my_server_fqdn -ZZ -x -v

anonymous
Result: Success (0)

I use self signed certificates on my ldap server with:

    Signature Algorithm: sha512WithRSAEncryption
    Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Thanks in advance,



I am having no issues with mine, but I'm using SSL / port 636. If you can switch to that I'd recommend it, as implicit TLS is more secure than explicit TLS anyway.

Hi, thanks for your answer.

Actually I don't have the possibility to use LDAPS on port 636; I don't control the LDAP server, I can only use STARTTLS on port 389.

As far as I understood the documentation, stunnel supports STARTTLS. Unfortunately at the moment the OPNsense UI does not support picking LDAP as the protocol, only IMAP, POP3 and SMTP. I will create a pull request to include more options, since this seems incredibly useful.

What you then do will be:

- install the os-stunnel plugin
- create a service in client mode
- listen address and port: 127.0.0.1, 389
- target hostname and port: your LDAP server, 389
- protocol: LDAP

And you will be able to use 127.0.0.1:389 without encryption (!) as your LDAP server - which is not a problem, because it's local communication and your LDAP authenticator will see all the clear text content, anyway. Stunnel will then relay the connection with STARTTLS over the network.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
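As an added illustration (not part of Patrick's post, and not a file shipped by OPNsense or the os-stunnel plugin), here is what the client-mode service described above looks like in stunnel's own configuration syntax. The hostname ldap.example.com and the CA bundle path are placeholders to be replaced with your own values. The security-relevant detail is the verification block: once the authenticator talks plain LDAP to 127.0.0.1:389, it never sees the server certificate, so stunnel is the only component left that can check the chain and the hostname.

```ini
; stunnel client-mode relay for LDAP over STARTTLS (illustrative, not from the original thread)
; Global settings
foreground = no
debug = 5

[ldap-starttls]
client = yes
; Local plaintext listener that the OPNsense LDAP authenticator connects to
accept = 127.0.0.1:389
; Remote LDAP server (placeholder hostname) that only offers STARTTLS on 389
connect = ldap.example.com:389
; Tell stunnel to issue the LDAP StartTLS extended operation before the TLS handshake
protocol = ldap

; Verify the server certificate chain against the CA that signed it
; (placeholder path; for a self-signed server certificate, this file is that certificate's CA)
verifyChain = yes
CAfile = /usr/local/etc/stunnel/ldap-ca.pem
; Require the certificate to match the name we connect to
checkHost = ldap.example.com
; Refuse legacy protocol versions
sslVersionMin = TLSv1.2
```

Once the relay is running, the same check used earlier in the thread can be pointed at the local side: `ldapwhoami -H ldap://127.0.0.1 -x -v` from the OPNsense shell. If that fails while `openssl s_client -starttls ldap` against the real server succeeds, the problem sits in stunnel's certificate validation rather than in the authenticator, which narrows the fault considerably.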

opnsense-patch -c plugins 6864606
should do it.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)