Fail to configure LDAPS

Configuring a new resource for LDAP without encryption works fine. The generated resources.ini contains this section:

[EM.LAN]
type = "ldap"
hostname = "em.lan"
port = "389"
encryption = "none"
root_dn = "dc=em,dc=lan"
bind_dn = "icinga@em.lan"
bind_pw = "***"

Changing encryption to LDAPS fails:

Failed to successfully validate the configuration: LDAP bind (icinga@em.lan / ***) to ldaps://em.lan:636 failed: Can’t contact LDAP server

Validation Log

Connect using LDAPS NOTE: There might be an issue with the chosen encryption. Ensure that the LDAP-Server supports LDAPS and that the LDAP-Client is configured to accept its certificate. LDAP bind (icinga@em.lan / ***) to ldaps://em.lan:636 failed: Can’t contact LDAP server

As it is Ubuntu, I tried to disable certificate validation by adding

LDAPVerifyServerCert Off

to my Apache config, but the error does not disappear. Any hints?

Hi,

Does a manual CLI query via ldap work with the configured connection details?

Cheers,
Michael

Hi,

This is somewhat strange because in my test environment ldapsearch is not working:

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

even if I put

TLS_REQCERT never

into /etc/ldap/ldap.conf. I'd assume there is something wrong with the certificates, as

openssl s_client -showcerts -connect em.lan:636

also fails:

CONNECTED(00000005)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Doing the same at a customer site works as expected, and I've managed to configure LDAPS within icingaweb2. Although it is Debian 9 there, apache2 doesn't even need to have

LDAPVerifyServerCert Off

Any idea about my test environment?

At the customer site, although everything looks ok now, I'm not able to log in with an AD user. Shall I open a new thread or continue here?

Thanks & Cheers
Roland

Hi,

In the default configuration, domain controllers do not have a certificate that can be used for secure communications. The easiest way is to install an MS certificate authority with AD integration on a DC and create certs for LDAPS. You will find many guides on the internet on how to do that.

When using the Linux OpenLDAP CLI tools, note that they can use different config files:
/etc/ldap.conf and /etc/openldap/ldap.conf

In /etc/ldap.conf the option "tls_checkpeer no" may help.
In /etc/openldap/ldap.conf the option "TLS_REQCERT allow" may help.

For initial tests also try to use LDAP (w/o TLS) on port 389.

Cheers,
Manfred

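The two posts above point at the same diagnosis from different sides: Roland's openssl s_client output shows a connection that is accepted and then reset with no peer certificate (yet still reports "Verify return code: 0 (ok)"), and Manfred's advice is to relax certificate checking only once a TLS listener is actually there. The probe script below, an added example written for this page and not code from the thread, from Icinga or from OpenLDAP, tells those two failure modes apart before anyone touches tls_checkpeer, TLS_REQCERT or LDAPVerifyServerCert. It assumes OpenSSL's s_client and OpenLDAP's ldapsearch are installed and uses the LDAPTLS_REQCERT / LDAPTLS_CACERT environment form of the ldap.conf(5) options; the hostname em.lan and the DNs are placeholders, and the sample output embedded in it is constructed by trimming the output quoted above.

```shell
#!/bin/sh
# Added example for this thread (not Icinga or OpenLDAP code).
# Separates the two causes behind "Can't contact LDAP server" on port 636:
#   1. nothing speaks TLS on 636 (a DC without a server certificate),
#   2. TLS works but the client rejects the certificate.
# Only case 2 is helped by TLS_REQCERT / tls_checkpeer / LDAPVerifyServerCert.

# Classify "openssl s_client -connect host:636" output read from stdin.
# Prints exactly one of: port-closed, no-tls-listener, cert-rejected, tls-ok, unknown.
classify_s_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Connection refused|connect:errno='; then
        printf 'port-closed\n'
    # Checked BEFORE the verify code: s_client prints "Verify return code: 0 (ok)"
    # even when the peer sent no certificate at all, as in the output above.
    # write:errno=104 is ECONNRESET: the socket opened, then the server hung up.
    elif printf '%s\n' "$out" | grep -Eq 'no peer certificate available|write:errno=104'; then
        printf 'no-tls-listener\n'
    elif printf '%s\n' "$out" | grep -Eq 'Verify return code: [1-9][0-9]* '; then
        printf 'cert-rejected\n'
    elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        printf 'tls-ok\n'
    else
        printf 'unknown\n'
    fi
}

# Live probe: probe_ldaps HOST [PORT]   (needs network; not called below)
probe_ldaps() {
    host=$1
    port=${2:-636}
    # </dev/null closes stdin so s_client exits right after the handshake.
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>&1 \
        | classify_s_client_output
}

# First bind test with certificate checking relaxed, the environment form of
# Manfred's TLS_REQCERT advice (ldap.conf(5): any option can be set as
# LDAP<OPTION>), so no system-wide file is weakened for the experiment.
# Usage: ldaps_bind_test HOST BASE_DN BIND_DN   (prompts for the password)
ldaps_bind_test() {
    LDAPTLS_REQCERT=never ldapsearch -H "ldaps://$1:636" -b "$2" -D "$3" -W \
        -s base '(objectClass=*)'
}
# Once the handshake works, verify properly instead:
#   LDAPTLS_CACERT=/path/to/ad-ca.pem with the default LDAPTLS_REQCERT=demand.

# Constructed sample, trimmed from the s_client output quoted in the thread.
SAMPLE_DC_WITHOUT_CERT='CONNECTED(00000005)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 308 bytes
Verification: OK
---
Verify return code: 0 (ok)'

printf 'sample classified as: %s\n' \
    "$(printf '%s\n' "$SAMPLE_DC_WITHOUT_CERT" | classify_s_client_output)"
```

Run it as a file to see the thread's own output classified as no-tls-listener, or source it and call probe_ldaps em.lan against a real host; only a cert-rejected result is the case where relaxing TLS_REQCERT or pointing LDAPTLS_CACERT at the AD CA certificate changes anything.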