Hello, I am having problems with user authentication via LDAPS to a Microsoft Active Directory. The problem is that I do not see any packets reaching the AD server from the OpenXPKI server. The openssl s_client -connect dc01.linuxlab.lan:636 -showcerts </dev/null test was successful. What am I missing? Thanks in advance.
Alex
The OpenXPKI system is installed as a container on a RHEL 9 system.
So far I have configured stack.yaml as follows:
    # --- Linuxlab AD stack ---
    linuxlab_ad_user:
        label: Linuxlab AD Login - Users
        description: "Login using AD account (User-Cert-Eligible)"
        handler:
            - ldap_linuxlab_user
        type: passwd
    linuxlab_ad_ra:
        label: Linuxlab AD Login - Cert Managers
        description: "Login using AD account (PKI-CertManagers – approvals)"
        handler:
            - ldap_linuxlab_ra
        type: passwd
    # --- End Linuxlab AD stack ---
and handler.yaml as follows:
    ldap_linuxlab_user:
        type: Password
        label: "Linuxlab AD (Users - certificate enrollment)"
        class: OpenXPKI::Server::Authentication::LDAP
        role: User
        param:
            host: dc01.linuxlab.lan
            port: 636
            base: "DC=linuxlab,DC=lan"
            binddn: "CN=svc-openxpki-ldap,OU=PKI-Service-Accounts,OU=PKI,DC=linuxlab,DC=lan"
            password: "AbcarCBScGEFu6cjk*"
            # User lookup
            filter: "(&(sAMAccountName=[% login %])(memberOf=CN=User-Cert-Eligible,OU=PKI-Groups,OU=LinuxLab-Groups,DC=linuxlab,DC=lan))"
            # TLS behaviour – adjust to your DC setup
            use_tls: 1      # ldaps on 636
            starttls: 0     # change to 1 if you use StartTLS on 389
            timeout: 10
            verify: require
            cafile: /etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem

    ldap_linuxlab_ra:
        type: Password
        label: "Linuxlab AD (Users - certificate enrollment)"
        class: OpenXPKI::Server::Authentication::LDAP
        role: RA Operator
        param:
            host: dc01.linuxlab.lan
            port: 636
            base: "DC=linuxlab,DC=lan"
            binddn: "CN=svc-openxpki-ldap,OU=PKI-Service-Accounts,OU=PKI,DC=linuxlab,DC=lan"
            password: "AbcarCBScGEFu6cjk*"
            # User lookup
            filter: "(&(sAMAccountName=[% login %])(memberOf=CN=PKI-CertManagers,OU=PKI-Groups,OU=LinuxLab-Groups,DC=linuxlab,DC=lan))"
            # TLS behaviour – adjust to your DC setup
            use_tls: 1      # ldaps on 636
            starttls: 0     # change to 1 if you use StartTLS on 389
            timeout: 10
            verify: require
            cafile: /etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
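The post reports that no packets reach the DC from the OpenXPKI server even though an openssl test succeeded, and the server runs as a container. Before touching handler.yaml again, it is worth verifying the network path from the container's own namespace, step by step, with the same host, port and CA chain the handler uses. The script below is an added diagnostic for that purpose; it is not OpenXPKI project code, and it assumes only that openssl, getent and awk are present inside the container. Host, port and CA file default to the values from the handler.yaml above and can be overridden via the environment.

```shell
#!/bin/sh
# Added connectivity check for the LDAPS question above. Not OpenXPKI code;
# it only wraps openssl and getent, which are assumed to exist in the container.
# Host, port and CA file default to the values in the posted handler.yaml.

LDAP_HOST="${LDAP_HOST:-dc01.linuxlab.lan}"
LDAP_PORT="${LDAP_PORT:-636}"
CAFILE="${CAFILE:-/etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem}"

# 1. Name resolution as seen from inside the container's network namespace.
resolve_host() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# 2. TCP reachability: s_client prints "CONNECTED(...)" as soon as the TCP
#    connection is established, even if the TLS handshake fails afterwards.
tcp_reachable() {
    openssl s_client -connect "$1:$2" </dev/null 2>&1 | grep -q '^CONNECTED('
}

# 3. TLS handshake validated against the same CA chain the handler uses
#    ("verify: require" in handler.yaml means this has to succeed there too).
tls_verify_line() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null 2>/dev/null | grep 'Verify return code'
}

# Pure helper: interpret openssl's "Verify return code" line (no network needed).
verify_ok() {
    case "$1" in
        *"Verify return code: 0 (ok)"*) return 0 ;;
        *) return 1 ;;
    esac
}

run_checks() {
    ip=$(resolve_host "$LDAP_HOST")
    if [ -z "$ip" ]; then
        echo "FAIL: $LDAP_HOST does not resolve inside the container (DNS)"
        return 1
    fi
    echo "OK:   $LDAP_HOST resolves to $ip"

    if ! tcp_reachable "$LDAP_HOST" "$LDAP_PORT"; then
        echo "FAIL: no TCP connection to $LDAP_HOST:$LDAP_PORT (host firewall, container network, or nothing listening on 636)"
        return 1
    fi
    echo "OK:   TCP $LDAP_HOST:$LDAP_PORT reachable"

    line=$(tls_verify_line "$LDAP_HOST" "$LDAP_PORT" "$CAFILE")
    if verify_ok "$line"; then
        echo "OK:   server certificate chain verifies against $CAFILE"
    else
        echo "FAIL: TLS verification failed: ${line:-no verify line from openssl}"
        return 1
    fi
}

# Run the network checks only when invoked as:  sh ldaps_check.sh run
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it inside the container, e.g. podman exec <openxpki-container> sh ldaps_check.sh run (the container name is a placeholder). If step 1 or 2 fails, the cause is the container's DNS or network path rather than the handler configuration, which would match the observation that no packets arrive at the DC; this is also the case to suspect if the openssl test in the post was run on the RHEL host rather than inside the container. Note that the posted openssl command used -showcerts without -CAfile, so it proves reachability but not that the chain in ad-ca-chain.pem validates the DC certificate, which verify: require demands.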
