Icinga web2 and ldaps

Dear all,

I found this post and configured it as mentioned in the post:

My resources.ini configuration is:

[samba]
type = "ldap"
hostname = "dc1.domain.domain.tld dc2.domain.domain.tld"
port = "636"
root_dn = "dc=mpi,dc=mpi-bremen,dc=de"
bind_dn = "BINDUSER@domain.domain.tld"
bind_pw = "PASSWORD"
encryption = "ldaps"
timeout = "5"

We are using a self-signed certificate via the DFN Community PKI. I downloaded the DFN Community PKI - ROOT CA and the corresponding Issuing CA from the website of the DFN and copied the .PEM files into

/usr/share/ca-certificates/extra

after that I ran

dpkg-reconfigure ca-certificates
update-ca-certificates

But Icinga Web is refusing my login. And in the log file of icingaweb2 I found:

2024-06-12T14:53:57+02:00 - ERROR - Icinga\Exception\AuthenticationException in /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php:417 with message: Failed to authenticate user “tgrymatt” against backend “samba”. An exception was thrown: ← Icinga\Protocol\Ldap\LdapException in /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php:339 with message: LDAP bind (BINDING-USERn@domain.domain.tld / ***) to ldaps://dc1.domain.domain.tld:636 ldaps://dc2.domain.domain.tld:636 failed: Can’t contact LDAP server

Without ldaps it is working. (Other ldaps-protected logins like the Proxmox GUI are working.)

Any hints for me?

Best, Tobias

you can skip certificate verification by editing the /etc/openldap/ldap.conf file and adding the following line

TLS_REQCERT never

if that works we can go one step further

Thanks for the reply. I do not have this file. It is a Debian 11 installation, if this helps.

what about:

/etc/ldap/ldap.conf

Thanks for the hint, yes, this file exists. But it does not change anything if I configure

TLS_REQCERT never

or if I add the certificate file to the variable

TLS_CACERT      /opt/dfn-community-pki.pem

It still writes the same in the icinga-web2 log file. But a connection test with openssl is working:

openssl s_client -connect dc1.mpi.mpi-bremen.de:636

Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6685 bytes and written 423 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)

does something like this work?

ldapsearch -H ldaps://dc1.domain.domain.tld -x -W -D "BINDUSER@domain.domain.tld" \
    -b "dc=mpi,dc=mpi-bremen,dc=de" "(sAMAccountName=user)"

Yes, that is working.

do you have php-ldap installed?
what does the validate button say when you configure the ldap resource?

Yes, I have php-ldap installed; without ldaps it is working. But now it is working with ldaps too. I just copied the certificate to the server again and double-checked the permissions of the certificate file. I could promise that the permissions were correct before, but now they are definitely correct and it is working. Whooohooo! Thanks for your help!

Best, Tobi
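A diagnostic script that folds the thread's checks together, added here as an example and not something posted in the thread: it checks the CA file's mode bits for the web server user (the permission problem that turned out to be the cause), verifies the server chain with openssl against that file, and repeats the ldapsearch bind as www-data with the same libldap TLS settings Icinga Web sees. Assumed: Debian layout, www-data as the web server user with a primary group of the same name, GNU stat; the host and bind DN are passed as arguments.

```shell
#!/bin/sh
# Constructed diagnostic script (not from the thread). Assumes Debian:
# the web server runs as www-data, libldap reads /etc/ldap/ldap.conf,
# CA_FILE is the bundle path from the thread. Host/bind DN are arguments.
set -u

CA_FILE="${CA_FILE:-/opt/dfn-community-pki.pem}"
WEB_USER="${WEB_USER:-www-data}"
PORT="${PORT:-636}"

# Check that the PEM file's mode bits let USER read it. Returns 0 if
# readable, 1 if not readable or missing. This inspects mode bits rather
# than calling test -r, so it gives the same answer when run as root.
# Simplification: USER's primary group is assumed to carry the same name.
ca_mode_ok() {
    f=$1; user=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(stat -c '%a %U %G' "$f")   # e.g. "600 root root"
    mode=$1; owner=$2; group=$3
    own=$(( (mode / 100) % 10 )); grp=$(( (mode / 10) % 10 )); oth=$(( mode % 10 ))
    if [ "$owner" = "$user" ] && [ $(( own & 4 )) -ne 0 ]; then return 0; fi
    if [ "$group" = "$user" ] && [ $(( grp & 4 )) -ne 0 ]; then return 0; fi
    if [ $(( oth & 4 )) -ne 0 ]; then return 0; fi
    echo "$f is mode $mode ($owner:$group): not readable by $user"
    return 1
}

# TLS-only check: does the chain in CA_FILE validate the server cert?
# -verify_return_error turns a verification error into a non-zero exit.
verify_chain() {
    host=$1
    openssl s_client -connect "$host:$PORT" -CAfile "$CA_FILE" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Bind as the web server user; LDAPTLS_CACERT/LDAPTLS_REQCERT override
# ldap.conf for this one call, so a failure here points at the file or
# the user's environment rather than at Icinga Web itself.
bind_as_web_user() {
    host=$1; binddn=$2
    sudo -n -u "$WEB_USER" env LDAPTLS_CACERT="$CA_FILE" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$host:$PORT" -x -D "$binddn" -W \
        -b "" -s base '(objectClass=*)' namingContexts
}

if [ $# -ge 2 ]; then
    ca_mode_ok "$CA_FILE" "$WEB_USER" && echo "CA file permissions ok"
    if verify_chain "$1"; then echo "chain verifies against $CA_FILE"
    else echo "chain verification failed against $CA_FILE"; fi
    bind_as_web_user "$1" "$2"
fi
```

Run it as `sh check-ldaps.sh dc1.domain.domain.tld "BINDUSER@domain.domain.tld"`; the bind step prompts for the password because of `-W`.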