SSL for LDAP to Active Directory for User Directories Question


(Lonely Admin) #1

Because I’m a masochist, I’m trying to enable integration with AD in the User Management->Directories module. Also, while doing this, I’m trying to enable SSL. It appears that the certificate trust is handled by Asterisk, and not the OS (not entirely sure). Anyway, I can see that the client/FreePBX doesn’t like my awesome CA server that I set up for AD; I’m verifying this with a pcap on the domain controller, where I see “Unknown CA” from the PBX. How do I go about importing the CA for my AD?

Do I just need to go through the process of creating a CSR under Certificate Management, sign it with my local CA, and then import it? I have done that, but I have either imported the cert incorrectly, or I’m not telling the asterisk piece what certificates to use.

Non-SSL user directories from ldap/ad work fine over 389.

Also, where should I look for ldap logging? I can’t seem to find anything in /var/log


(Lonely Admin) #2

Having a helluva time figuring this out. How do I add a local CA?

Do I need to add the CA at the OS level, or does it need to be done in the GUI/CLI for Asterisk? Just snooping around, it looks like all of the Asterisk stuff is in /etc/asterisk/keys and that /etc/pki is untouched…but I’m just looking for some direction here.


(Lonely Admin) #3

It appears that the userman module uses the standard ldap libraries from php, can I safely assume that I need to work with /etc/openldap/ldap.conf in order to make this work? I’ve been going through the source of userman and I don’t seem to see anything that would override the CA during ldap_connect calls.


(Dave Burgess) #4

That sounds reasonable. If it works, submit a ticket so that the dev team can clean up the interface, or at least post something back here that tells us what worked.

As you’ve probably figured out, you are a tech leader on this, so leave us a map when you get done blazing the trail.


(Lonely Admin) #5

I’ll update with more info as time allows…but here’s what I have so far.

Add “TLS_REQCERT never” to /etc/openldap/ldap.conf (encrypted but not verified, open to MITM)
restart httpd and fwconsole reload (might not be necessary)
Set secure connection type to “Start TLS” and keep port on 389.
Wait for sync.
Move on…

There have been rumblings of MS ending unencrypted LDAP for years, which motivated me not to rely on it when possible…and that is usually a ton of fun when dealing with any non-MS device that needs to auth against AD. Looks like the way to go, and the way least likely to be affected by some feature-ending Windows Update, is simply to enable TLS on 389 and not verify the cert. LDAPS on 636 will likely be killed off before TLS across 389 is, IMHO.

I still want to add my local CA to openldap clients, but I have to get on with life for now.

Here’s a few links where I found some info:
Microsoft Delaying LDAP Configuration Changes to 2H 2020 – Redmondmag.com
2020 LDAP channel binding and LDAP signing requirements for Windows (microsoft.com)
Encryption with TLS (active-directory-wp.com)
How to set up secure LDAP for Active Directory — Astrix
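The two open points in this thread are how the PHP ldap extension picks up its trust settings (post #3: it does go through /etc/openldap/ldap.conf, because libldap reads that file and PHP's ldap_connect does not override it) and what the TLS_REQCERT never workaround in post #5 gives up. The script below is an added example, not code from the thread or from FreePBX. It shows the weak ldap.conf beside a hardened one that pins the exported AD root CA, a small checker that tells the two apart, and a live check that validates the DC's StartTLS chain against that CA. The DC name, the CA file path and the ldap.conf path are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the thread or FreePBX): OpenLDAP client trust for AD over StartTLS.
# Assumed values: AD_HOST must be the DC's DNS name as it appears in the certificate SAN;
# CA_FILE is where you put the Base-64 (PEM) export of the AD root CA; LDAP_CONF is libldap's config.
AD_HOST="${AD_HOST:-dc01.corp.example}"
CA_FILE="${CA_FILE:-/etc/openldap/certs/ad-root-ca.pem}"
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"

# What post #5 did: the session is encrypted, but any certificate is accepted (open to MITM).
weak_ldap_conf() {
cat <<'EOF'
TLS_REQCERT never
EOF
}

# Hardened: trust only the private CA and refuse the connection on a bad chain or name mismatch.
# TLS_REQCERT demand is libldap's default when the directive is absent; it is spelled out here
# so the intent survives a later edit.
hardened_ldap_conf() {
cat <<EOF
URI ldap://${AD_HOST}
TLS_CACERT ${CA_FILE}
TLS_REQCERT demand
EOF
}

# Print the effective TLS_REQCERT mode of an ldap.conf read from stdin (comments ignored).
reqcert_mode() {
  awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "tls_reqcert" { mode = tolower($2) }
    END { print (mode == "" ? "demand" : mode) }'
}

# Exit 0 only if the config read from stdin both verifies the peer (demand/hard) and names a CA
# source (TLS_CACERT or TLS_CACERTDIR); without one, a private CA fails with "unknown CA".
config_is_safe() {
  awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "tls_reqcert" { mode = tolower($2) }
    tolower($1) == "tls_cacert" || tolower($1) == "tls_cacertdir" { ca = 1 }
    END {
      if (mode == "") mode = "demand"
      exit ((mode == "demand" || mode == "hard") && ca) ? 0 : 1
    }'
}

# Live check against the DC (needs network, openssl >= 1.1.1 for -starttls ldap, and ldapsearch).
# First the raw handshake is validated against CA_FILE; then ldapsearch -ZZ forces StartTLS and
# reads the rootDSE, which AD serves anonymously, so no bind credentials are needed.
live_check() {
  openssl s_client -starttls ldap -connect "${AD_HOST}:389" \
      -CAfile "$CA_FILE" -verify_return_error </dev/null >/dev/null 2>&1 \
    || { echo "TLS chain for $AD_HOST does not verify against $CA_FILE" >&2; return 1; }
  ldapsearch -ZZ -x -H "ldap://${AD_HOST}" -b "" -s base supportedLDAPVersion >/dev/null \
    || { echo "StartTLS via libldap (using $LDAP_CONF) failed" >&2; return 1; }
  echo "StartTLS to $AD_HOST verified with $CA_FILE"
}

case "${1:-}" in
  --print) hardened_ldap_conf ;;                 # show the config to drop into LDAP_CONF
  --check) config_is_safe < "$LDAP_CONF" && echo "$LDAP_CONF verifies the peer" ;;
  --live)  live_check ;;
esac
```

Run with --print to see the hardened config, put it in /etc/openldap/ldap.conf after copying the root CA export to the TLS_CACERT path, then run --check and --live; after that, restart httpd so the PHP workers reopen libldap with the new settings. If the live check fails with a name mismatch, point AD_HOST at a DC name that is actually in the certificate rather than disabling verification. One caveat: if the distro's libldap is built against NSS instead of OpenSSL (ldd "$(command -v ldapsearch)" shows which), TLS_CACERT handling differs and the PEM may need to go into the NSS database that TLS_CACERTDIR points at.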


(Lonely Admin) #6

Had to do this to get it going…

[FREEPBX-22572] Userman module tries to use TLS over ldaps - Sangoma Issue Tracker