core: LDAP authentication server does not support Sub CA

Today, configuring an LDAP server with either TLS or StartTLS will only work when the Root CA can be set directly. It will not work when dealing with an issuing/sub CA, as the Auth/LDAP.php script currently only writes the sub CA into the file in /var/run/certs.

A workaround today is to create a single entry in System > Trust > Authorities and put both the Root CA and Sub CA certificates into the Certificate data field. Choosing this particular entry in the LDAP server configuration will allow connecting to the server. (Hint: it might be required to reboot your device, as the trust store somehow seems to get confused when playing with such configuration too much. Rebooting will give you a clean state before actually testing the LDAP server configuration.)

I am not sure about the side effects to the trust store, to be honest. One is, for example, a cosmetic one where it will not show the correct issuer.

If the Auth/LDAP.php script could include all certificates of this particular trust chain, that would be preferred. Maybe this can be considered in one of the next
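As an added example (not OPNsense's own code), this is how a CA file could be assembled so that it contains the whole chain rather than only the selected sub CA, assuming the caller supplies the selected CA's PEM and the list of all CA PEMs in the trust store; the function names are hypothetical.

```php
<?php
// Added example, not code from OPNsense: build the full CA chain for the
// LDAP cacert file instead of writing only the selected sub CA.
// Assumptions: $selectedPem is the PEM chosen under System > Trust >
// Authorities; $trustStore holds every CA PEM known to the device.

function dnKey(array $dn): string
{
    // Normalise a parsed DN (from openssl_x509_parse) into a comparable string.
    ksort($dn);
    return json_encode($dn);
}

function buildCaChain(string $selectedPem, array $trustStore): array
{
    // Index every trust-store CA by subject so an issuer can be looked up.
    $bySubject = [];
    foreach ($trustStore as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info !== false) {
            $bySubject[dnKey($info['subject'])] = $pem;
        }
    }

    $chain = [];
    $current = $selectedPem;
    // Walk upward until a self-signed (root) certificate is reached; stop on
    // loops or when the issuer is not present in the trust store.
    while ($current !== null && !in_array($current, $chain, true)) {
        $chain[] = $current;
        $info = openssl_x509_parse($current);
        if ($info === false || dnKey($info['issuer']) === dnKey($info['subject'])) {
            break; // root reached, or the input could not be parsed
        }
        $current = $bySubject[dnKey($info['issuer'])] ?? null;
    }
    return $chain;
}

function writeLdapCaFile(string $path, string $selectedPem, array $trustStore): bool
{
    $chain = buildCaChain($selectedPem, $trustStore);
    // Refuse to write a file that does not end in a self-signed root: a file
    // holding only the sub CA is exactly what makes the TLS handshake fail.
    $top = openssl_x509_parse(end($chain));
    if ($top === false || dnKey($top['issuer']) !== dnKey($top['subject'])) {
        return false;
    }
    return file_put_contents($path, implode("\n", $chain) . "\n", LOCK_EX) !== false;
}
```

Matching issuer to subject by DN is enough for a single-parent chain; a trust store with cross-signed CAs sharing one subject would need the Authority/Subject Key Identifier extensions to pick the right parent.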

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

@jpawlowski can you try https://github.com/opnsense/core/commit/b2affd161dbc3c6e77b335767671162cf97cb964?

I’ve dropped LDAP_OPT_X_TLS_CACERTDIR as well, since it doesn’t seem to be required when pointing to a cacert file.

Too many changes here… we just pushed it 1 release back to give others the opportunity to test with the package mirror shipped opnsense-devel which is our default policy for backports. Exceptions apply, but it’s good to not forget rules completely. 😊