Installed my root CA certificate in CentOS. AD authentication for Dokuwiki is no longer in the clear

Posts
-
RE: What Are You Doing Right Now
-
RE: The Quintessential Linux Desktop Experiences
I'm looking forward to the conclusions here. It'll give me some direction when I make the dive with my home computer.
-
RE: What Are You Doing Right Now
Dealing with tickets and other weekly Friday tasks, then back to Dokuwiki
-
RE: What Are You Doing Right Now
@MattSpeller my laugh during rehearsal: "riff raff"
-
RE: What Are You Doing Right Now
Waiting in line at Publix. Hope to get a meal and a nap before tonight's rehearsal.
-
RE: Random Thread - Anything Goes
@scottalanmiller Ha! I tend to be pretty hard on myself for such errors. You should've seen my face palm before I made the initial post. It was epic.
-
RE: Random Thread - Anything Goes
/sigh I'm a fool. Maybe if I do firewall-cmd --reload, rule changes will take effect >(
-
RE: Weekend Plans
@dafyre I ask my students: "Do you have a closet? If so, that's your best friend for practicing"
-
RE: What Are You Doing Right Now
First test = failure. But it seems to follow what we think. The failure came from the fact that the dokuwiki's server doesn't trust the CA of the cert that my domain controller is presenting -- which is what I expected.
-
RE: What Are You Doing Right Now
@coliver Since you mentioned possibly just needing a self-sign cert, that's what I'm thinking as well. We're about to find out.
-
RE: What Are You Doing Right Now
@scottalanmiller said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
Or maybe a 4th option and figure out how to authenticate against AD using kerberos.
Is there another way?
Is there? If so, enlighten me, so I'm not putting effort toward negative learning.
-
RE: What Are You Doing Right Now
Or maybe a 4th option and figure out how to authenticate against AD using kerberos.
-
RE: What Are You Doing Right Now
@scottalanmiller The other part of the problem is there are two things I'm wanting to secure.
- Traffic from client to my dokuwiki, which I agree can be easily accomplished with Let's Encrypt, despite this site not being public-facing.
- Traffic between my dokuwiki and domain controller (for authentication), since LDAP is sent in the clear. I suppose I could use Let's Encrypt to give the domain controller a certificate, so the certificate it presents to dokuwiki is from a trusted root CA. Or I issue and install certs with our internal CA that's already in place.
I suppose there's a third option as well, which is what was mentioned yesterday: Do I really care that AD credentials are sent in the clear if this traffic is only on my local network (or travelling to a user at home over a VPN tunnel)? Which, for me, the answer is "yes." I don't think it's a good idea to pass credentials in the clear over a network in general.
-
RE: What Are You Doing Right Now
@scottalanmiller For me, no learning is wasted. We deployed a CA a couple of years ago to use certificates for part of the authentication for our L2TP/IPsec VPN.
-
RE: What Are You Doing Right Now
@coliver said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
@coliver I'd like the site traffic to be secure. I also want to try to use LDAPS when authenticating against AD. Since we have a CA in place, I'd like to use it.
Interesting. Have you taken a look at Let's Encrypt? It would be more reliable than your CA and can be easily automated.
I've considered it, and might end up going that route when my little internal wiki goes into production. This is also a learning exercise for me (using my own CA).
-
RE: What Are You Doing Right Now
@coliver I'd like the site traffic to be secure. I also want to try to use LDAPS when authenticating against AD. Since we have a CA in place, I'd like to use it.
-
RE: What Are You Doing Right Now
Reading about how to issue a certificate from my AD CA to my Dokuwiki test.
-
RE: Weekend Plans
@RojoLoco All. When you major in saxophone you have to play everything, but most of my time was spent on alto and tenor. I played only tenor through middle school and most of high school.