LDAP authentication server does not support Sub CA #3742
Today, configuring an LDAP server with either TLS or StartTLS will only work when the Root CA can be set directly. It will not work when dealing with an issuing / sub CA, as the Auth/LDAP.php script currently only writes the sub CA into the file in /var/run/certs.

A workaround today is to create a single entry in System > Trust > Authorities and put both the Root CA and Sub CA certificates into the "Certificate data" field. Choosing this particular entry in the LDAP server configuration will allow connecting to the server. (Hint: it might be required to reboot your device, as the trust store somehow seems to get confused when playing with such a configuration too much. Rebooting will give you a clean state before actually testing the LDAP server configuration.)

I am not sure about the side effects on the trust store, to be honest. One is, for example, a cosmetic one where it will not show the correct issuer:

If the Auth/LDAP.php script could include all certificates of this particular trust chain, that would be preferred. Maybe this can be considered in one of the next

Comments

If you have 19.7.4, can you try to hardcode LDAP to /etc/ssl/cert.pem? It should have all the CAs and the default ones now.

Indeed, changing
to

@jpawlowski Sounds like a good idea to me. Can you confirm that your issue is solved when LDAP_OPT_X_TLS_CACERTFILE points to /etc/ssl/cert.pem? I'll gladly remove some code here.

I can confirm this, it is working on 4 devices now.

OK, thanks, I'll prepare a patch later.

@jpawlowski can you try b2affd1? I've dropped LDAP_OPT_X_TLS_CACERTDIR as well, since it doesn't seem to be required when pointing to a cacert file.

Just applied the patch to one of the machines, deleted the chain certificate from the trust store, and saved the LDAP server configuration (just to ensure the new XML config file structure). Afterwards, I was still able to connect to the LDAP server as intended, so the patch seems to work fine. Many thanks, Ad!

@jpawlowski thanks for confirming, can I close the issue? It will move into a production version later.

Will just close it myself, thanks for politely asking ;)

@AdSchellevis just to let you know that some warning messages are coming up in the reporter:
Everything is working fine, though.

@jpawlowski not related, but 09c34b2 should fix it.

Too bad this didn't make it into the new minor release (while other LDAP fixes did) @fichtner

Too many changes here... we just pushed it 1 release back to give others the opportunity to test with the package mirror shipped opnsense-devel, which is our default policy for backports. Exceptions apply, but it's good to not forget rules completely. 😊

This was not about the package, it was about the patches to Auth/LDAP and stuff in b2affd1
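The chain-building behaviour behind this issue, reproduced with the openssl CLI. This is an added example, not code from the issue or from OPNsense: it builds a constructed Root CA -> Issuing CA -> LDAP server certificate chain (all names are made up), then verifies the server certificate against the trust stores discussed in the report and the fix: the sub CA alone (what the pre-fix Auth/LDAP.php wrote to /var/run/certs when a sub CA was selected), root and sub CA in one file (the single-entry workaround, and effectively what a bundle like /etc/ssl/cert.pem provides), the sub CA alone with partial chains allowed, and the root alone with the sub CA supplied by the peer. It assumes an OpenSSL 1.1.x or 3.x binary on PATH and runs offline.

```shell
#!/bin/sh
# Added example (not OPNsense code): reproduces the trust-store situation from
# issue #3742 with a constructed Root CA -> Issuing (sub) CA -> LDAP server chain,
# then asks openssl to verify the server certificate against different trust stores.
set -e

# make_chain DIR: create root.pem / sub.pem / leaf.pem (plus keys) in DIR, and
# chain.pem = root + sub, the single-entry workaround described in the issue.
# All subject names are made up for the example.
make_chain() {
    dir=$1
    # minimal req config so the run does not depend on the system openssl.cnf;
    # the placeholder CN is always overridden by -subj below
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' > "$dir/req.cnf"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:ldap.example.internal\n' > "$dir/leaf.ext"

    # Root CA (self-signed)
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Issuing / sub CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=Example Issuing CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -days 30 -extfile "$dir/ca.ext" -out "$dir/sub.pem" 2>/dev/null
    # LDAP server certificate, signed by the sub CA
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=ldap.example.internal" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" -CAcreateserial \
        -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # the workaround from the issue: both CA certificates in one "Certificate data" blob
    cat "$dir/root.pem" "$dir/sub.pem" > "$dir/chain.pem"
}

# verify_leaf CAFILE LEAF [extra openssl verify options]
# Prints openssl's verdict and returns its exit status (0 = chain built to a trust anchor).
# -no-CApath keeps the system CA directory out of the picture, so only CAFILE counts.
verify_leaf() {
    cafile=$1; leaf=$2; shift 2
    if out=$(openssl verify -no-CApath -CAfile "$cafile" "$@" "$leaf" 2>&1); then st=0; else st=$?; fi
    printf '%s\n' "$out"
    return "$st"
}

main() {
    w=$(mktemp -d)
    make_chain "$w"
    echo "1) trust store holds only the sub CA (what the pre-fix code wrote to /var/run/certs):"
    verify_leaf "$w/sub.pem" "$w/leaf.pem" || true        # fails: no path to a self-signed root
    echo "2) root + sub CA in one file (the workaround from the issue):"
    verify_leaf "$w/chain.pem" "$w/leaf.pem"              # OK
    echo "3) sub CA only, but with partial chains allowed (X509_V_FLAG_PARTIAL_CHAIN):"
    verify_leaf "$w/sub.pem" "$w/leaf.pem" -partial_chain # OK
    echo "4) root CA only, sub CA presented by the peer (as a server can do in the handshake):"
    verify_leaf "$w/root.pem" "$w/leaf.pem" -untrusted "$w/sub.pem"   # OK
    rm -rf "$w"
}

main
```

Case 1 fails because OpenSSL, without X509_V_FLAG_PARTIAL_CHAIN, only accepts a self-signed certificate in the store as a trust anchor; an intermediate on its own is not enough, which is why writing just the selected CA into the LDAP_OPT_X_TLS_CACERTFILE file broke as soon as that CA was a sub CA. Case 2 is the single-entry workaround; a bundle that already contains both certificates, such as the /etc/ssl/cert.pem the patch points at, behaves the same way. Case 4 is the caveat to check on the server side: if the LDAP server sends its intermediate during the handshake (visible with openssl s_client -showcerts), trusting the root alone is sufficient, and a server that does not is the one that makes the client-side trust store contents matter.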