Nethserver AD / LDAPS issue

tessierp · January 9, 2021, 9:04pm

NethServer Version: 7.9.2009
Module: AD

Hi,

I recently turned on AD on my Nethserver as it was a recommendation step for installing Dokuwiki. Now, I would like to link other systems to it and I have been experiencing some issues. I realized the issue is because, by default, the AD is secured, using LDAPS. Without a valid certificate, no other server will accept to connect to it.

That journey brought me to consider using Letsencrypt and buying a domain which is another issue I recently had to deal with. Now I am reevaluating my options based on what I found. One of these options is to use OPNSense to get my certs and apply SSL termination and communicate unencrypted internally. This would also fix my LDAPS issue.

So here is the question, is there a way to turn off SSL for my AD? Please keep in mind that I am already running Dokuwiki and I want to minimize the “damage”.

Thanks

Andy_Wismer · January 9, 2021, 9:14pm

@tessierp

Hi

Just for your Info:

Most NAS i’ve dealed with, mostly Synology and some QNap, had NO issues joining a NethServer AD Domain!

DNS had to be correct, though - AD uses DNS a lot “internally”.
It’s not only LDAP/LDAPs!

My 2 cents
Andy

tessierp · January 9, 2021, 9:18pm

DNS is good, pointing to the right place. The reason why I would just removing AD encryption is that internally, I just don’t see a need for it. Might as well just turn https and other secure connections off.

Andy_Wismer · January 9, 2021, 9:26pm

Then it’s not AD, as specified!

You may call it PT (or what you want), but not AD!

AD is specified as encrypted!

You did NOT mention if you’re talking about an AD compatiible DNS…
As you know, MS is well known for “raping” standard protocolls, they massively “raped” DNS to be used for AD.

A standard DNS can not return the correct AD Master of a Forrest, as an example.
This information is passed by special, non standard, DNS entries and subdomains.

Check a MS DNS server if you don’t believe me!

OPNsense has a great, capable DNS server built in. It CAN do AD - if you put in the needed entries! And only then!

NethServer handles AD DNS correctly, if AD is configured as Account Provider on that server.

tessierp · January 9, 2021, 10:07pm

OK I guess that is me not knowing and from what I understand an AD is secure at all time.

Thanks!

mrmarkuz · January 9, 2021, 11:39pm

You could allow unencrypted connections but as regards security a valid cert is the better option.

tessierp · January 9, 2021, 11:43pm

Thank you @mrmarkuz

Elleni · January 10, 2021, 6:08pm

If you plan to let OPNsense do queries to your nethserver dc, it only works with a valid certificate afaik. My OPNsense router refused doing unencrypted queries. See here. In my scenario a member of the domain - nethserver is aquiring the certificates, and I have a script that copies them to the opnsense router and also to the nethserver ad container nsdc providing the domain. By the way if you plan to use the script have a look on the last post in that thread as lately letsencrypt changed its root CA certficate thus the script needed a small modification in order to work again.

tessierp · January 10, 2021, 7:48pm

Hi Elleni,

I will change my approach slightly. Instead of having Nethserver requests the certificate through Let’s Encrypt, I will be doing this from OPNSense. That way, I don’t have to :

Expose ports 80 & 443 to allow Let’s Encrypt do the requests on Nethserver.
or
Use a DNS validation approach that was proposed to me.

That being said, I will still need figure out a strategy to distribute the certs. Thanks for sharing the link, that will be useful for the AD part!

royceb · January 10, 2021, 11:54pm

This is kind of a cross post but check out this post to see if it could help on automating of renewing & exporting your LE cert. This is for Pfsense but should be close enough.

I made a Feature request importing and renewing an LE cert automatically for AD as I am running into some of the same issue where I have external apps authenticating against NS but run into the invalid certificate issue.

tessierp · January 11, 2021, 12:17am

This will be super useful. OPNSense and PFSense are very close so I should technically be able to follow the same procedure and adapt it. And that feature request is awesome, hopefully they implement this. The procedure Elleni exposes in his post is also very useful.

I still have a lot to figure out but finally managed to figure out how to get my wildcard certificate for my domain! The problem was I was choosing HTTP-1 and I needed DNS-1. This means that the DNS provider you choose must have an API. Let’s Encrypt only supports DNS-1 for wildcard certs.