LDAPs with Self Signed CA (Active Directory)
-
Good afternoon. I've been a long time user of pfsense. I just signed up for this forum account today because I have run into a head banging issue...
I am trying to migrate our authentication server to LDAPs instead of plaintext over port 389. I have read the documentation very thoroughly. I am running into a TLS issue I believe with the Certificate I've imported into pfsense. In my packet captures and in the schannel logs on the domain controller I am seeing the errors:
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.
I've imported the self-signed CA as described in the documentation. I've also made sure that the DNS name signed on the certificate serving authentication on the domain controller matches the hostname in the config.
Has anyone else run into this before? I've been scouring the internet for posts on this and there never seems to be a resolution to any of these posts.
-
I spent hours digging into the ldaps connection issues I had through the GUI on pfsense. I used openssl s_client in the shell to determine where the issue was with the verification of the CA.
openssl s_client -CAfile /etc/ssl/file.pem hostnamehere:636
Anytime I specified the CA file location openssl returned no errors... so I was perplexed why it wasn't working in the GUI. I eventually ran across this post and I am very grateful:
https://forum.netgate.com/topic/145578/ldaps-ad-bind/21
Essentially after changing the LDAP authentication server to LDAPS on port 636 you MUST restart php-fpm. I did this by running option 16 in the console.
I am currently on 2.4.5
I hope this post helps someone else if they find themselves in this situation.