Failed to successfully validate the configuration: LDAP bind (icinga@em.lan / ***) to ldaps://em.lan:636 failed: Can’t contact LDAP server
Validation Log
Connect using LDAPS NOTE: There might be an issue with the chosen encryption. Ensure that the LDAP-Server supports LDAPS and that the LDAP-Client is configured to accept its certificate. LDAP bind (icinga@em.lan / ***) to ldaps://em.lan:636 failed: Can’t contact LDAP server
As it is Ubuntu I try to disable certification validation by adding
LDAPVerifyServerCert Off
to my apache config but the error does not disappear. Any hints?
This is somewhat strange because in my test environment ldapsearch is not working:
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
even if I put
TLS_REQCERT never
into /etc/ldap/ldap.conf. I’d assume there is something wrong with the certificates as
openssl s_client -showcerts -connect em.lan:636
also fails:
CONNECTED(00000005)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Doing the same at a customer site works as expected and I’ve managed to configure LDAPS within icingaweb2. Although it is Debian 9 there, apache2 doesn’t even need to have
LDAPVerifyServerCert Off
Any idea about my test environment?
At the customer site, although everything looks ok now, I’m not able to log in with an AD user. Shall I open a new thread or continue here?
In the default configuration domain controllers do not have a certificate that can be used for secure communications. The easiest way is to install a MS certificate authority with AD integration on a DC and create certs for LDAPS. You will find many guides on the internet how to do that.
When using Linux OpenLDAP CLI tools, they can use different config files:
/etc/ldap.conf and /etc/openldap/ldap.conf
In /etc/ldap.conf the option tls_checkpeer no may help.
In /etc/openldap/ldap.conf the option TLS_REQCERT allow may help.
For initial tests also try to use LDAP (w/o TLS) on port 389.
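To tell the cases in this thread apart (a DC that resets the handshake because it has no certificate, versus a certificate the client merely does not trust), here is a small added probe script; it is not from the thread or from Icinga, and the host em.lan and port 636 are only defaults taken from the question.

```python
import socket
import ssl

# Defaults taken from the thread; pass your own host/port when calling probe_ldaps().
DEFAULT_HOST = "em.lan"
DEFAULT_PORT = 636


def classify_failure(exc: BaseException) -> str:
    """Map a low-level connection failure to a diagnosis a practitioner can act on."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Handshake reached the certificate stage: the server HAS a cert, the
        # client just does not trust it. TLS_REQCERT / a proper CA bundle fix this.
        return "cert-untrusted"
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-error"
    if isinstance(exc, ConnectionResetError):
        # Same symptom as 'write:errno=104' in the thread: TCP is up, but the peer
        # resets during the handshake. On a Windows DC this typically means no
        # server-authentication certificate is installed, so LDAPS is not really
        # offered even though port 636 is listening. Disabling verification cannot help.
        return "reset-during-handshake"
    if isinstance(exc, ConnectionRefusedError):
        return "port-closed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout-filtered"
    if isinstance(exc, socket.gaierror):
        return "dns-failure"
    return "unknown"


def probe_ldaps(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
                verify: bool = True, timeout: float = 5.0) -> dict:
    """Open a TLS session to host:port and report what happened.
    verify=False mimics TLS_REQCERT never / LDAPVerifyServerCert Off: it only skips
    chain validation and does nothing when the server never presents a certificate."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert(binary_form=True)
                return {"ok": True, "tls_version": tls.version(),
                        "cert_bytes": len(cert) if cert else 0}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "diagnosis": classify_failure(exc), "error": str(exc)}
```

Call probe_ldaps("em.lan") and probe_ldaps("em.lan", verify=False) from a Python shell: "cert-untrusted" with verify=True that turns into ok with verify=False points at a trust-store problem, while "reset-during-handshake" in both cases points at a DC without an LDAPS certificate.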