Extended LDAP over SSL support is available for console servers running firmware v3.11 and above (and is in addition to the OpenLDAP support provided in this same firmware release).
In the Serial and Network: Authentication menu there are now new settings to support LDAPS (LDAP over SSL):
The Server Protocol setting has three options:
- Selecting LDAP over SSL preferred will attempt to use SSL for authentication, but if it fails it will fall back to LDAP without SSL. As an example, LDAP over SSL may fail because of certificate errors or because the LDAP server is not contactable on the LDAPS port.
- LDAP over SSL only: this setting will configure the Opengear device to only accept LDAP over SSL. If LDAP over SSL fails you will only be able to log into the console server as root.
- LDAP (no SSL) only: this setting will configure the Opengear device to only accept LDAP without SSL. If LDAP without SSL fails you will only be able to log into the console server as root.
Additionally you can check the 'Ignore SSL Certificate Error' box and SSL certificate errors will be ignored, allowing LDAP over SSL to work regardless of the certificate errors. This allows you to use any certificate, self-signed or otherwise, on the LDAP server without having to install any certificates on the console server. If this setting is not checked, then you must install the CA (certificate authority) certificate, root and intermediate chain, with which the LDAP server's certificate was signed, onto the console server. For example, the LDAP server is serving with a certificate signed using the certificate 'myCA.crt'.
Note: The certificate needs to be in PEM format, as a .crt file, and 'myCA.crt' needs to be installed onto the console server at '/etc/config/ldaps_ca.crt'. Also the file name must be 'ldaps_ca.crt'. You need to copy the file to this location and file name manually using 'scp' or the like, e.g.
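A pre-flight and install script for the CA bundle step above, added here as an example (it is not Opengear's own tooling). It assumes the chain that signed the LDAP server certificate is in files named root.crt and intermediate.crt, LDAPS on port 636, ssh access as root to the console server, and the PEM sample it writes for offline checks is a constructed placeholder, not a real certificate.

```shell
# Added example, not Opengear tooling. Assumed: root.crt/intermediate.crt are
# the signing chain, LDAPS on 636, console server reachable over ssh as root.

# Count the certificate blocks in a file. Prints the count; returns 1 when the
# file is unreadable or not PEM (a DER export, or a truncated block).
pem_cert_count() {
    f="$1"
    [ -r "$f" ] || return 1
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# Concatenate root and intermediates into the one PEM bundle the console
# server expects, refusing any input that is not PEM. Prints the block count.
build_bundle() {
    out="$1"; shift
    : > "$out"
    for c in "$@"; do
        pem_cert_count "$c" >/dev/null || { echo "not PEM: $c" >&2; return 1; }
        cat "$c" >> "$out"
    done
    pem_cert_count "$out"
}

# Pre-flight (needs network and openssl): confirm the LDAP server's certificate
# verifies against the bundle before selecting "LDAP over SSL only", so a chain
# mistake shows up here rather than as a root-only lockout on the console.
verify_ldaps_chain() {
    printf '' | openssl s_client -connect "$1:636" -CAfile "$2" \
        -verify_return_error >/dev/null 2>&1
}

# Install at the exact path and file name the firmware looks for.
install_bundle() {
    scp "$1" "root@$2:/etc/config/ldaps_ca.crt"
}

# Constructed sample for offline checks: N PEM-shaped blocks whose body is a
# placeholder, not a real certificate.
write_sample_pem() {
    : > "$1"; i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            'MIIBplaceholderConstructedNotARealCertificate==' \
            '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}
```

Typical sequence: `build_bundle ldaps_ca.crt root.crt intermediate.crt`, then `verify_ldaps_chain ldap.example.com ldaps_ca.crt && install_bundle ldaps_ca.crt console.example.com`.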