The very likely reason is that reading the docs is better than using AI....
https://openxpki.readthedocs.io/en/master/configuration/realm.html#authentication
On 12/5/25 16:19, Alexander Dersch via OpenXPKI-users wrote:
Hello,
I am having problems with the user authentication via LDAPS to an MSFT Active
Directory. The problem is that I do not see any packets reaching the AD server
from the OpenXPKI server. The openssl s_client -connect dc01.linuxlab.lan:636
-showcerts </dev/null test was successful. What am I missing? Thanks in advance.
Alex
The OpenXPKI system is installed as a container on a RHEL 9 system.
So far I have configured the stack.yaml as follows:

# --- Linuxlab AD stack ---
linuxlab_ad_user:
  label: Linuxlab AD Login - Users
  description: "Login using AD account (User-Cert-Eligible)"
  handler:
    - ldap_linuxlab_user
  type: passwd

linuxlab_ad_ra:
  label: Linuxlab AD Login - Cert Managers
  description: "Login using AD account (PKI-CertManagers – approvals)"
  handler:
    - ldap_linuxlab_ra
  type: passwd
# --- End Linuxlab AD stack ---
and the handler.yaml as follows:

ldap_linuxlab_user:
  type: Password
  label: "Linuxlab AD (Users - certificate enrollment)"
  class: OpenXPKI::Server::Authentication::LDAP
  role: User
  param:
    host: dc01.linuxlab.lan
    port: 636
    base: "DC=linuxlab,DC=lan"
    binddn: "CN=svc-openxpki-ldap,OU=PKI-Service-Accounts,OU=PKI,DC=linuxlab,DC=lan"
    password: "AbcarCBScGEFu6cjk*"
    # User lookup
    filter: "(&(sAMAccountName=[% login %])(memberOf=CN=User-Cert-Eligible,OU=PKI-Groups,OU=LinuxLab-Groups,DC=linuxlab,DC=lan))"
    # TLS behaviour – adjust to your DC setup
    use_tls: 1    # ldaps on 636
    starttls: 0   # change to 1 if you use StartTLS on 389
    timeout: 10
    verify: require
    cafile: /etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem

ldap_linuxlab_ra:
  type: Password
  label: "Linuxlab AD (Users - certificate enrollment)"
  class: OpenXPKI::Server::Authentication::LDAP
  role: RA Operator
  param:
    host: dc01.linuxlab.lan
    port: 636
    base: "DC=linuxlab,DC=lan"
    binddn: "CN=svc-openxpki-ldap,OU=PKI-Service-Accounts,OU=PKI,DC=linuxlab,DC=lan"
    password: "AbcarCBScGEFu6cjk*"
    # User lookup
    filter: "(&(sAMAccountName=[% login %])(memberOf=CN=PKI-CertManagers,OU=PKI-Groups,OU=LinuxLab-Groups,DC=linuxlab,DC=lan))"
    # TLS behaviour – adjust to your DC setup
    use_tls: 1    # ldaps on 636
    starttls: 0   # change to 1 if you use StartTLS on 389
    timeout: 10
    verify: require
    cafile: /etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
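The report above ("no packets reach the AD server", while openssl s_client from somewhere succeeds) is really three separate questions: can the OpenXPKI container resolve and reach dc01.linuxlab.lan:636, does the TLS chain verify against the cafile path as seen inside the container, and does the service-account bind succeed. The probe below is an added example written for this thread, not OpenXPKI code and not from either poster; it uses only the Python standard library (socket, ssl and a hand-rolled BER encoder for the LDAP simple-bind exchange), so it can be copied into a container that has no ldap-utils. The command-line flag names and the LDAP_BIND_PW environment variable are this example's own assumptions; the host, port and cafile defaults are taken from the handler.yaml in the thread.

```python
"""LDAPS bind probe using only the standard library (socket, ssl, hand-rolled BER).
Added example for the thread above, not OpenXPKI code; flag names and the
LDAP_BIND_PW variable are assumptions of this example."""
import argparse
import os
import socket
import ssl
import sys

# A few RFC 4511 resultCode values worth recognising when triaging a bind.
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))   # single-octet messageID (< 128)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the BER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next N octets carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, msg_id, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("expected BindResponse, got protocolOp 0x%02x" % op_tag)
    _, code, pos = read_tlv(op)             # ENUMERATED resultCode
    _, _, pos = read_tlv(op, pos)           # matchedDN (ignored)
    _, diag, _ = read_tlv(op, pos)          # diagnosticMessage (AD puts the 8009xxxx hint here)
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage (handles a long-form outer length)."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)


def ldaps_bind(host, port, cafile, binddn, password, timeout=10):
    """TLS-connect with chain and hostname verification, then a simple bind."""
    ctx = ssl.create_default_context(cafile=cafile)    # CERT_REQUIRED plus check_hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, binddn, password))
            return parse_bind_response(recv_message(tls))


def main(argv=None):
    ap = argparse.ArgumentParser(description="LDAPS bind probe (run inside the OpenXPKI container)")
    ap.add_argument("--host", default="dc01.linuxlab.lan")          # defaults taken from the posted config
    ap.add_argument("--port", type=int, default=636)
    ap.add_argument("--cafile", default="/etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem")
    ap.add_argument("--binddn", required=True)
    args = ap.parse_args(argv)
    password = os.environ.get("LDAP_BIND_PW")   # assumption: secret via environment, never on argv
    if not password:
        sys.exit("set LDAP_BIND_PW in the environment")
    try:
        _, code, diag = ldaps_bind(args.host, args.port, args.cafile, args.binddn, password)
    except socket.gaierror as e:
        sys.exit(f"DNS: container cannot resolve {args.host}: {e}")
    except ssl.SSLError as e:
        sys.exit(f"TLS: chain/hostname verification failed (check cafile): {e}")
    except FileNotFoundError as e:
        sys.exit(f"CA: cafile not readable inside the container: {e}")
    except (OSError, ValueError) as e:
        sys.exit(f"NET/LDAP: no usable session to {args.host}:{args.port}: {e}")
    print(f"bind resultCode={code} ({RESULT_CODES.get(code, 'other')}) {diag}".rstrip())
    return code


if __name__ == "__main__":
    sys.exit(0 if main() == 0 else 2)
```

Run it from inside the container (for example via podman exec) with LDAP_BIND_PW exported and --binddn set to the service account DN. Each failure class is reported separately: a DNS or NET error means the container's network namespace never reaches the DC, which matches the "no packets" symptom and points at DNS, routing or firewall rules rather than at OpenXPKI; a TLS error means the chain file or hostname does not match what the DC presents; a resultCode of 49 means the session works and only the credentials or the bind DN are wrong. The password is read from the environment rather than from a file on disk, so the probe does not need a second copy of the secret already present in handler.yaml.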