Hello David,

PF by default does not require the SSL certificate in order to validate the 
LDAPS connection.

You can still configure SSL: NONE and port: 389 if your AD still supports it.

Thanks, 

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
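The question in the quoted message is whether any PacketFence AD interaction binds to LDAP without TLS, and the reply above notes that PacketFence does not validate the LDAPS server certificate by default. A 4624 logon record like the ones posted cannot settle the transport question on its own: it carries the client's source address and ephemeral port, but nothing about whether the LDAP connection was TLS-protected or signed. The Directory Service log event 2889, which a domain controller writes per bind once the "16 LDAP Interface Events" diagnostic level is raised to 2 (the auditing step in the linked how-to), does name the client IP:port of each unsigned SASL bind or cleartext simple bind. The Python script below is an added example written for this thread, not PacketFence code and not anything the poster ran: it parses 4624 lines in the flattened shape posted, parses 2889 messages, joins the two on (IP, port) to flag logons that rode on an unprotected bind, and summarises bind cadence per source. The sample records are constructed: the 4624 lines reuse the values from the post, the 2889 message is invented for illustration, and the field order assumed for the flattened 4624 line is the event's EventData order.

```python
"""Correlate Windows 4624 logon events with Directory Service 2889 events to
find LDAP binds that were not protected by TLS or signing. Added example for
this thread, not PacketFence code; all sample records below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# EventData field order of a 4624 event (XML view). The posted lines are these
# values flattened, space separated, after "event id, host, timestamp,".
EVENT_4624_FIELDS = [
    "SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
    "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId",
    "LogonType", "LogonProcessName", "AuthenticationPackageName",
    "WorkstationName", "LogonGuid", "TransmittedServices", "LmPackageName",
    "KeyLength", "ProcessId", "ProcessName", "IpAddress", "IpPort",
    "ImpersonationLevel", "RestrictedAdminMode", "TargetOutboundUserName",
    "TargetOutboundDomainName", "VirtualAccount", "TargetLinkedLogonId",
    "ElevatedToken",
]

# Constructed from the four records in the post (newest first).
SAMPLE_4624 = r"""
4624, dc01.realm.com, 07/31/2021 23:59:45, S-1-5-18 DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 auth-packetfence DOMAIN 0xf86c0dd 3 Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 {00000000-0000-0000-0000-000000000000} - - 0 0x26c C:\Windows\System32\lsass.exe 192.168.1.5 44240 %%1833 - - - %%1843 0x0 %%1842,(System.Diagnostics.EventLogEntry.message)
4624, dc01.realm.com, 07/31/2021 23:59:15, S-1-5-18 DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 auth-packetfence DOMAIN 0xf86bc35 3 Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 {00000000-0000-0000-0000-000000000000} - - 0 0x26c C:\Windows\System32\lsass.exe 192.168.1.5 44110 %%1833 - - - %%1843 0x0 %%1842,(System.Diagnostics.EventLogEntry.message)
4624, dc01.realm.com, 07/31/2021 23:58:45, S-1-5-18 DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 auth-packetfence DOMAIN 0xf867d3e 3 Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 {00000000-0000-0000-0000-000000000000} - - 0 0x26c C:\Windows\System32\lsass.exe 192.168.1.5 43930 %%1833 - - - %%1843 0x0 %%1842,(System.Diagnostics.EventLogEntry.message)
4624, dc01.realm.com, 07/31/2021 23:58:15, S-1-5-18 DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 auth-packetfence DOMAIN 0xf863c2a 3 Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 {00000000-0000-0000-0000-000000000000} - - 0 0x26c C:\Windows\System32\lsass.exe 192.168.1.5 43804 %%1833 - - - %%1843 0x0 %%1842,(System.Diagnostics.EventLogEntry.message)
"""

# Invented 2889 message in the shape the Directory Service log uses; the DC
# writes one per bind once "16 LDAP Interface Events" is set to 2.
SAMPLE_2889 = r"""
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
192.168.1.5:44240
Identity the client attempted to authenticate as:
DOMAIN\auth-packetfence
Binding Type:
0
"""

RE_2889 = re.compile(
    r"Client IP address:\s*(?P<ip>\S+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)"
)

def parse_4624(line):
    """One flattened 4624 line -> dict, or None if it is not a well-formed
    4624 record (wrong event id or wrong number of EventData fields)."""
    try:
        event_id, host, stamp, rest = (p.strip() for p in line.split(",", 3))
    except ValueError:
        return None
    if event_id != "4624":
        return None
    values = rest.split(",", 1)[0].split()  # drop the trailing ",(...message)"
    if len(values) != len(EVENT_4624_FIELDS):
        return None
    rec = dict(zip(EVENT_4624_FIELDS, values))
    rec["Host"] = host
    rec["Time"] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
    return rec

def load_4624(text):
    """Parse every well-formed 4624 line in a block of text."""
    return [r for r in (parse_4624(l) for l in text.splitlines()) if r]

def parse_2889(text):
    """(ip, port, identity) for every 2889 message found in text."""
    return [(m.group("ip"), m.group("port"), m.group("identity"))
            for m in RE_2889.finditer(text)]

def unprotected_logons(logons, cleartext_binds):
    """4624 records whose source (ip, port) also appears in a 2889 event, i.e.
    logons carried by an unsigned or non-TLS LDAP bind. The ephemeral port is
    what ties the two logs together."""
    flagged = {(ip, port) for ip, port, _ in cleartext_binds}
    return [r for r in logons if (r["IpAddress"], r["IpPort"]) in flagged]

def summarize_sources(logons):
    """Per source IP: count, accounts, logon process and package, ports, and
    the gaps in seconds between successive logons. A constant gap points at
    a scheduled probe rather than user-driven authentication."""
    by_ip = defaultdict(list)
    for r in logons:
        by_ip[r["IpAddress"]].append(r)
    summary = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["Time"])
        gaps = [int((b["Time"] - a["Time"]).total_seconds())
                for a, b in zip(recs, recs[1:])]
        summary[ip] = {
            "count": len(recs),
            "accounts": sorted({r["TargetDomainName"] + "\\" + r["TargetUserName"]
                                for r in recs}),
            "logon_process": sorted({r["LogonProcessName"] for r in recs}),
            "auth_package": sorted({r["AuthenticationPackageName"] for r in recs}),
            "ports": sorted(int(r["IpPort"]) for r in recs),
            "interval_seconds": gaps,
        }
    return summary
```

Run against real exports, feed `load_4624` the flattened Security-log lines and `parse_2889` the raw Directory Service messages; any record returned by `unprotected_logons` is a bind that was neither TLS-wrapped nor signed, regardless of what the PacketFence source says about port and encryption. The interval list in the summary makes it easy to separate a periodic probe from user logons when deciding which component is responsible.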

> On Aug 1, 2021, at 9:33 AM, David Herselman via PacketFence-users 
> <[email protected]> wrote:
> 
> Hi,
>  
> We are attempting to enforce LDAP signing or TLS encryption and have started 
> by auditing insecure LDAP binds in AD. An example how-to detailing steps to 
> do:
> https://azurecloudai.blog/2019/08/03/step-by-step-enforce-require-ldap-signing-on-domain-controllers-part-1/
>  
> We are using an ‘Active Directory Domain’ together with AD authentication 
> sources. Herewith sample events relating to LDAP binds from PacketFence:
> 4624, dc01.realm.com, 07/31/2021 23:59:45, S-1-5-18 
> DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 
> auth-packetfence DOMAIN 0xf86c0dd 3 Advapi   
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 
> {00000000-0000-0000-0000-000000000000} - - 0 0x26c 
> C:\Windows\System32\lsass.exe 192.168.1.5 44240 %%1833 - - - %%1843 0x0 
> %%1842,(System.Diagnostics.EventLogEntry.message)
> 4624, dc01.realm.com, 07/31/2021 23:59:15, S-1-5-18 
> DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 
> auth-packetfence DOMAIN 0xf86bc35 3 Advapi   
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 
> {00000000-0000-0000-0000-000000000000} - - 0 0x26c 
> C:\Windows\System32\lsass.exe 192.168.1.5 44110 %%1833 - - - %%1843 0x0 
> %%1842,(System.Diagnostics.EventLogEntry.message)
> 4624, dc01.realm.com, 07/31/2021 23:58:45, S-1-5-18 
> DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 
> auth-packetfence DOMAIN 0xf867d3e 3 Advapi   
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 
> {00000000-0000-0000-0000-000000000000} - - 0 0x26c 
> C:\Windows\System32\lsass.exe 192.168.1.5 43930 %%1833 - - - %%1843 0x0 
> %%1842,(System.Diagnostics.EventLogEntry.message)
> 4624, dc01.realm.com, 07/31/2021 23:58:15, S-1-5-18 
> DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 
> auth-packetfence DOMAIN 0xf863c2a 3 Advapi   
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 
> {00000000-0000-0000-0000-000000000000} - - 0 0x26c 
> C:\Windows\System32\lsass.exe 192.168.1.5 43804 %%1833 - - - %%1843 0x0 
> %%1842,(System.Diagnostics.EventLogEntry.message)
>  
> I have however defined the LDAP host in the GUI as:
> Host: realm.com
> Port: 636
> Type: SSL
>  
>  
> Are there possibly checks or other interactions that bind to LDAP without 
> TLS? Perhaps this has already been discussed previously, to prepare 
> PacketFence’s AD integration to either use LDAP signing or encapsulate all 
> simple binds in TLS?
>  
> PS: Our AD servers use certificates issued by an AD CS, herewith the steps we 
> took to add the public CA root certificate chain:
>   f='companyad';
>   mkdir -p /usr/share/ca-certificates/$f;
>   scp linux-test.realm.com:/etc/pki/tls/syrex-AD-ca.pem /usr/share/ca-certificates/$f/$f.crt;
>   #curl http://www.cacert.org/certs/root.crt > /usr/share/ca-certificates/$f/$f.crt;
>   #curl http://www.cacert.org/certs/class3.crt >> /usr/share/ca-certificates/$f/$f.crt;
>   echo "$f/$f.crt" >> /etc/ca-certificates.conf;
>   update-ca-certificates;
>  
>  
> /usr/local/pf/conf/domain.conf
> [companyad]
> workgroup=DOMAIN
> ntlm_cache_on_connection=disabled
> dns_servers=192.168.1.5
> ad_server=dc01.realm.com
> registration=0
> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
> dns_name=realm.com
> sticky_dc=*
> ou=Company/Users/LDAP Integration
> ntlm_cache_batch_one_at_a_time=disabled
> server_name=%h
> ntlm_cache_batch=disabled
> ntlm_cache_expiry=3600
> ntlmv2_only=1
> status=enabled
>  
> /usr/local/pf/conf/realm.conf
> # Copyright (C) Inverse inc.
> [1 DEFAULT]
> radius_auth_proxy_type=keyed-balance
> domain=companyad
> radius_acct_proxy_type=load-balance
> radius_auth=
> radius_auth_compute_in_pf=enabled
> permit_custom_attributes=disabled
> radius_acct=
>  
> [1 NULL]
> radius_auth_proxy_type=keyed-balance
> radius_auth=
> permit_custom_attributes=disabled
> radius_auth_compute_in_pf=enabled
> domain=companyad
> radius_acct_proxy_type=load-balance
> radius_acct=
> eduroam_radius_auth_proxy_type=keyed-balance
> eduroam_radius_acct=
> eduroam_radius_auth=
> eduroam_radius_acct_proxy_type=load-balance
> eduroam_radius_auth_compute_in_pf=enabled
>  
> [1 DOMAIN]
> portal_strip_username=enabled
> radius_strip_username=enabled
> radius_acct=
> radius_auth_compute_in_pf=enabled
> radius_auth=
> admin_strip_username=enabled
> radius_acct_proxy_type=load-balance
> permit_custom_attributes=disabled
> domain=companyad
> radius_auth_proxy_type=keyed-balance
> eap=default
>  
> [1 realm.com]
> admin_strip_username=disabled
> radius_acct=
> permit_custom_attributes=disabled
> radius_acct_proxy_type=load-balance
> radius_auth_compute_in_pf=enabled
> radius_strip_username=disabled
> portal_strip_username=enabled
> radius_auth=
> domain=companyad
> radius_auth_proxy_type=keyed-balance
> eap=default
>  
> /usr/local/pf/conf/authentication.conf
> [companyad_users]
> password=****************
> write_timeout=5
> description=Company AD - Users
> scope=sub
> realms=null,DOMAIN,realm.com
> type=AD
> connection_timeout=1
> [email protected]
> read_timeout=10
> cache_match=0
> host=realm.com
> port=636
> monitor=1
> shuffle=0
> searchattributes=
> email_attribute=mail
> encryption=ssl
> basedn=OU=Users,OU=Company,DC=realm,DC=com
> usernameattribute=sAMAccountName
> dynamic_routing_module=AuthModule
> dead_duration=60
> set_access_durations_action=
>  
> [companyad_users rule pf_admin]
> status=enabled
> condition0=memberOf,equals,CN=packetfence-admin,OU=3rd Party,OU=Security Groups,OU=Company,DC=realm,DC=com
> description=Member of packetfence-admin AD security group
> class=administration
> action0=set_access_level=ALL
> match=all
>  
> [companyad_users rule pf_reviewer]
> condition0=memberOf,equals,CN=packetfence-reviewer,OU=3rd Party,OU=Security Groups,OU=Company,DC=realm,DC=com
> status=enabled
> description=Member of packetfence_reviewer AD security group
> action0=set_access_level=Reviewer
> class=administration
> match=all
>  
> [companyad_users rule staff]
> match=all
> status=enabled
> action0=set_role=staff
> action1=set_access_duration=1M
> class=authentication
> condition0=memberOf,equals,CN=company,OU=Company,OU=Security Groups,OU=Company,DC=realm,DC=com
> description=Member of company AD security group
>  
> [companyad_computers]
> write_timeout=5
> basedn=OU=Computers,OU=Company,DC=realm,DC=com
> description=Company AD - Computers
> scope=sub
> port=636
> host=realm.com
> type=AD
> realms=realm.com
> usernameattribute=servicePrincipalName
> shuffle=0
> read_timeout=10
> password=****************
> searchattributes=
> monitor=0
> connection_timeout=1
> encryption=ssl
> email_attribute=mail
> [email protected]
> cache_match=0
> dynamic_routing_module=AuthModule
> dead_duration=60
> set_access_durations_action=
>  
>  
> Regards
> David Herselman
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

