LDAPS bind error

[rosu]

Hello all

Im trying to configure an LDAP server in OPNsense however I am receiving the error:
"LDAP bind error (Can't contact LDAP server)"

I am testing out Foxpass as an LDAP server and I've essentially followed this guide (for pfSense) to validate my config: https://foxpass.readme.io/docs/pfsense-ldap

I am using LDAPS and have setup the cert chain as a trusted authority on opnsense. Unfortunately I don't know where to look to get more verbose ldap logs.

I've also validated that i can connect to the directory using the same bind creds from an ldap client on my workstation. Not too sure what the issue is, if i could get access to some more descriptive logs that would be a great start.

I saw a post from a few weks ago where someone seemed to be reporting a similar issue using LDAPS although it wasnt clear what the underlying issue was so i thought id repost.

Cheers

[stjs16]

I had the same issue, I could not get it to work, in the end I created a vlan with 2 members the AD DC and opnsense and used that so traffic didn't get sniffed.

[mimugmail]

There's a bit trouble with LDAPS when the chain does not fit.
You could work around it with HAProxy.

https://www.routerperformance.net/opnsense-bypass-ldaps-errors-via-haproxy/

[rosu]

Hello

Thanks for your replies. Unfortunately I'm trying to access a cloud based LDAP service so I don't have the luxury of VLANing off my LDAP traffic I took a look at the source code and tried to re-run the PHP commands in a CLI session on my own PC:

Code: [Select]

$ldaphost = "ldaps://ldap.example.com:636";
$ldapUsername = "uid=rosu,ou=Users,o=myorg,dc=example,dc=com";
$ldapPassword = "mypass";
$ldapBasedn = "o=myorg,dc=example,dc=com";
$ds = ldap_connect($ldaphost);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$bth = ldap_bind($ds, $ldapUsername, $ldapPassword);
$search = ldap_search($ds, $ldapBasedn, "(cn=*)");
echo ldap_count_entries($ds,$search);
$info = ldap_get_entries($ds, $search);
print_r($info);
Again it worked perfectly fine if I wasn't using SSL/STARTTLS, but this was to be expected as I hadn't specified the cert chain to validate. I created the ldap.conf file under C:\OpenLDAP\sysconf\ldap.conf and added TLS_REQCERT never which allowed LDAPS to work on my machine. I'll test specifying the certificate chain to validate in ldap.conf on my machine and see if it works.

I obtained the cert chain from the LDAPS service by using openssl:

Code: [Select]

openssl s_client -connect ldap.foxpass.com:636 -showcerts
So the cert chain used for validation should all be correct. If it works on my workstation clearly there is some sort of issue in opnsense performing the certificate validation. I'll let you know the results.

[mimugmail]

Again it worked perfectly fine if I wasn't using SSL/STARTTLS, but this was to be expected as I hadn't specified the cert chain to validate. I created the ldap.conf file under C:\OpenLDAP\sysconf\ldap.conf and added TLS_REQCERT never which allowed LDAPS to work on my machine. I'll test specifying the certificate chain to validate in ldap.conf on my machine and see if it works.

I always thought it has to be "always" to force the validation?
If it's not going to work try the HAProxy workaround

[rosu]

Sorry I didn't articulate my last post very well...

Using LDAP (ie. no STARTTLS/SSL) = working fine
Using LDAPS with TLS_REQCERT never in ldap.conf = working fine

By default TLS_REQCERT = demand so if you don't explicitly use never (or always). Refer to https://www.openldap.org/software/man.cgi?query=ldap.conf which explains what these options do.

Anyways I managed to figure out where I was going wrong in OPNsense. Simply put I was specifying the public certificate of the LDAP server for OpenLDAP to use in validation instead of the root CA certificate. In other words, make sure you grab the entire certificate chain which you can get using:

Code: [Select]

openssl s_client -connect ldap.foxpass.com:636 -showcerts
Then in OPNsense use the root CA in the cert chain as the Peer Certificate Authority and it works perfectly fine.

I really should have read the tool tip more closely... Hopefully this helps someone else from making the same mistake