Icinga web2 and ldaps

Dear all,

I found this post and configured it as mentioned in the post:

My resources.ini configuration is:

type = "ldap"
hostname = "dc1.domain.domain.tld dc2.domain.domain.tld"
port = "636"
root_dn = "dc=mpi,dc=mpi-bremen,dc=de"
bind_dn = "BINDUSER@domain.domain.tld"
bind_pw = "PASSWORD"
encryption = "ldaps"
timeout = "5"

We are using a self-signed certificate via the DFN Community PKI. I downloaded the DFN Community PKI - ROOT CA and the corresponding Issuing CA from the website of the DFN and copied the .PEM files into


After that I ran:

dpkg-reconfigure ca-certificates

But Icinga Web is refusing my login. And in the log file of icingaweb2 I found:

2024-06-12T14:53:57+02:00 - ERROR - Icinga\Exception\AuthenticationException in /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php:417 with message: Failed to authenticate user “tgrymatt” against backend “samba”. An exception was thrown: ← Icinga\Protocol\Ldap\LdapException in /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php:339 with message: LDAP bind (BINDING-USERn@domain.domain.tld / ***) to ldaps://dc1.domain.domain.tld:636 ldaps://dc2.domain.domain.tld:636 failed: Can’t contact LDAP server

Without ldaps it is working. (Other ldaps-protected logins, like the Proxmox GUI, are working.)

Any hints for me?

Best, Tobias

you can skip certificate verification by editing the /etc/openldap/ldap.conf file and adding the following line


if that works we can go one step further

Thanks for the reply. I do not have this file. It is a Debian 11 installation, if this helps.

what about:


Thanks for the hint, yes, this file exists. But it does not change anything if I configure


or if I add the certificate file to the variable

TLS_CACERT      /opt/dfn-community-pki.pem

It still writes the same in the icinga-web2 log file. But a connection test with openssl is working:

openssl s_client -connect  dc1.mpi.mpi-bremen.de:636

Server Temp Key: X25519, 253 bits
SSL handshake has read 6685 bytes and written 423 bytes
Verification error: self signed certificate in certificate chain
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)

does something like that work?

ldapsearch -H ldaps://dc1.domain.domain.tld -x -W -D "BINDUSER@domain.domain.tld" \
    -b "dc=mpi,dc=mpi-bremen,dc=de" "(sAMAccountName=user)"

Yes, that is working.

do you have php-ldap installed?
what does the validate button say when you configure the ldap resource?

Yes, I have php-ldap installed; without ldaps it is working. But now it is working with ldaps too. I just copied the certificate to the server again and double checked the permissions of the certificate file. I could promise that the permissions were correct before, but now they are definitely correct and it is working. Whooohooo! Thanks for your help!

Best, Tobi
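A check script for the situation in this thread, added here as an example and not posted by anyone in the thread. It confirms that the CA bundle (assumed at /opt/dfn-community-pki.pem as above) actually contains PEM certificates and is readable by the web server account (assumed to be www-data, the Debian default), which is what turned out to be the problem, and then verifies the domain controller's chain against that bundle so the openssl check reports "Verify return code: 0 (ok)" instead of the code 19 seen above.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a CA bundle used for LDAPS by
# Icinga Web 2. Assumptions: Debian, PHP runs as www-data, bundle path as in
# the thread. Usage: sh ldaps-check.sh [/opt/dfn-community-pki.pem] [host]

# Count PEM certificates in a bundle. Prints the count; fails if there are
# none (empty, missing, or DER-encoded file, which libldap will not accept).
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
    [ "${n:-0}" -gt 0 ]
}

# www-data is not the file owner, so it needs the "others" read bit.
# ls -ld prints e.g. "-rw-r--r--"; column 8 is the others-read flag.
world_readable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# Local checks only (no network): file present, PEM, readable by others.
check_ca_bundle() {
    pem_cert_count "$1" >/dev/null || { echo "$1: no PEM certificates found"; return 1; }
    world_readable "$1" || { echo "$1: not readable by others, fix with chmod 644"; return 2; }
    echo "$1: ok"
}

# Network check: verify the server chain against the bundle instead of the
# system store. Succeeds only on "Verify return code: 0 (ok)"; the run in the
# thread without -CAfile returned code 19 (self signed certificate in chain).
ldaps_chain_ok() {
    openssl s_client -connect "$1:${2:-636}" -CAfile "$3" </dev/null 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}

main() {
    bundle=${1:-/opt/dfn-community-pki.pem}
    check_ca_bundle "$bundle" || return $?
    [ -n "$2" ] || return 0
    if ldaps_chain_ok "$2" 636 "$bundle"; then
        echo "$2:636 chain verifies against $bundle"
    else
        echo "$2:636 chain does NOT verify against $bundle"; return 3
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```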