LDAP bind error - Can't contact LDAP server?

NethServer Version: 7.9

Hi,

I use OPNsense as a certificate authority (CA) and created and imported server certificates to my Nethserver(s). Additionally I had to import those certs into Firefox and Thunderbird because they use their own cert-store. This looks good now…

In a different LAN I use the OPNsense LDAP Bind to get credentials from a Windows 2019 server but without encryption, just tcp port 389…

I would like to use Nethserver Authentication credentials for LDAP applications and bind OPNsense to it but I get this error:

LDAP bind error [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate); Can't contact LDAP server]

Has any of you had the same error, or can you give me some info?

Edit:
Maybe I have to use intermediate certs, which I didn't… described here: self-signed-chain

@fausp

Hi

AFAIK OPNsense needs valid certs (I use LE & AD…) for SSL. With LE and AD using LE certs, OPNsense can connect and sees the AD-LDAP… (AD is on NethServer).

I never used LDAP on NethServer, because of Samba shares…

My 2 cents
Andy

I use AD-LDAP, it is just called LDAP…

I tried to use ldapsearch on OPNsense and got:

ldapsearch -H ldaps://<my-server-ip>:636 -D "administrator@<my-server-domain>" -W -b "dc=ad,dc=p<my-server-domain>,dc=lan" -d 3

ldap_url_parse_ext(ldaps://<my-server-ip>:636)
ldap_create
ldap_url_parse_ext(ldaps://<my-server-ip>:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <my-server-ip>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <my-server-ip>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=293, written=293
  0000:  .....
  0120:  .....
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
  0000:  .....
tls_read: want=87, got=87
  0000:  .....
  0050:  .....
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
  0000:  .....
tls_read: want=1484, got=1484
  0000:  .....
  05c0:  .....
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 20, subject: /O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=NSDC-<my-hostname>.ad.<my-server-domain>, issuer: /O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=NSDC-<my-hostname>.ad.<my-server-domain>
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
  0000:  15 03 03 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Looks like the Samba - temporary autogenerated HOST certificate is the problem?

@fausp

Hi

I think this is the key issue:

It can’t verify the existing self-generated CA, so it denies access…
It seems to happen a lot with Java based Apps, but also PHP stuff…

My 2 cents
Andy

ATM I am reading: Configuring LDAP over SSL (LDAPS) on a Samba AD DC

Maybe I can do some steps by hand…

@fausp

Hi

This may be faster / easier:

My 2 cents
Andy


:smile:

Looks like the certs are autogenerated?

Can we modify this? Just copying it over didn't work…