I am currently using LDAP for authentication and everything is working perfectly.
[active_directory]
type = "ldap"
hostname = "XXX-XX-X.company.xx"
port = "389"
encryption = "none"
root_dn = "DC=xxx,DC=xxx,DC=xx"
bind_dn = "CN=xxxx,OU=xxxx,OU=xxx,DC=xxx,DC=company,DC=xx"
bind_pw = "top secret"
timeout = "5"
Now I would like to switch from LDAP to LDAPS and change the values for encryption and port.
[active_directory]
type = "ldap"
hostname = "XXX-XX-X.company.xx"
port = "636"
encryption = "ldaps"
root_dn = "DC=xxx,DC=xxx,DC=xx"
bind_dn = "CN=xxxx,OU=xxxx,OU=xxx,DC=xxx,DC=company,DC=xx"
bind_pw = "top secret"
timeout = "5"
After that I can no longer log in:
icingaweb2[1217]: Icinga\Exception\AuthenticationException in /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php:417 with message: Failed to authenticate user "xxx" against backend "ad_user". An exception was thrown: <- Icinga\Protocol\Ldap\LdapException in /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php:351 with message: LDAP bind (CN=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx / ***) to ldaps://xxx.xxx.company.xx:636 failed: Can't contact LDAP server
But with
openssl s_client -connect 1.2.3.4:636 -showcerts
I can read the certificate from the server.
The required certificates are copied into the /etc/ssl/certs -> /etc/pki/tls/certs directory; is a c_rehash necessary?
I use CentOS 8.
Can someone help me please?
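An added example (not part of the post above, and not Icinga Web 2's own code) that separates the two things the post conflates: `openssl s_client -showcerts` only proves the port talks TLS and exits 0 even when the chain does not validate, whereas libldap (which PHP's ldap extension, and therefore Icinga Web 2, uses) refuses the connection unless the server certificate chains to a trusted CA and matches the hostname. The script builds a throwaway CA and server certificate so the checks run offline (constructed test data), verifies the chain and hostname with `openssl verify`, and shows directly why a CA file copied into a CApath-style directory is invisible until it is hashed (`c_rehash`, or its built-in equivalent `openssl rehash`). The hostname `ldap.example.test`, the `openssl-perl` package name and the CentOS 8 trust-store and `/etc/openldap/ldap.conf` details are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from Icinga Web 2.
# Assumptions (hypothetical): the openssl CLI is installed; ldap.example.test
# and the /etc/pki paths are CentOS 8 placeholders, not the poster's hosts.

# Build a throwaway root CA and a server certificate carrying a SAN, so that
# the checks below can be exercised offline (constructed test data).
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Test Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/server.ext" <<'EOF'
subjectAltName = DNS:ldap.example.test
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# 0 when the server certificate ($2) chains to the CA file ($1); the default
# CApath is disabled so only the given CA counts.
verify_chain() {
    openssl verify -CAfile "$1" -no-CApath "$2" >/dev/null 2>&1
}

# Same chain check plus hostname matching against the SAN, which libldap
# also enforces: a valid chain with the wrong name still fails the bind.
verify_hostname() {
    openssl verify -CAfile "$1" -no-CApath -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

# CApath lookup: OpenSSL opens <subject-hash>.0 in the directory, so a file
# merely copied there is never consulted. This is what c_rehash fixes.
verify_capath() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# c_rehash is the Perl script (openssl-perl on CentOS 8, assumed);
# openssl rehash is the built-in equivalent and creates the same symlinks.
rehash_dir() {
    openssl rehash "$1" >/dev/null 2>&1
}

# Live probe of a real server (needs network, not run in the offline test):
# unlike plain -showcerts, -verify_return_error makes s_client fail when the
# chain does not validate against the CA you pass, which mirrors libldap.
probe_ldaps() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Bind through libldap itself (ldapsearch from openldap-clients), with the
# CA supplied via the LDAPTLS_CACERT environment variable; if this works,
# put the same path into TLS_CACERT in /etc/openldap/ldap.conf (assumed
# location on CentOS 8) so PHP/Icinga Web 2 pick it up too.
ldaps_bind_test() {
    LDAPTLS_CACERT="$3" ldapsearch -H "ldaps://$1:$2" -x -D "$4" -W \
        -b "$5" -s base >/dev/null
}

# CentOS 8 trust store (assumed layout): update-ca-trust regenerates the
# bundle under /etc/pki/tls/certs from the anchors directory, so the CA goes
# there rather than into /etc/ssl/certs or /etc/pki/tls/certs directly.
install_ca_centos8() {
    cp "$1" /etc/pki/ca-trust/source/anchors/ && update-ca-trust
}

# Usage against a real server (hypothetical values):
#   probe_ldaps ldap.example.test 636 /path/to/ca.pem
#   ldaps_bind_test ldap.example.test 636 /path/to/ca.pem \
#       "CN=svc,OU=x,DC=company,DC=xx" "DC=company,DC=xx"
```

Running the live functions against the poster's server in that order tells which failure it is: `probe_ldaps` failing while `-showcerts` works means the CA is not trusted or the name does not match; `probe_ldaps` succeeding while `ldaps_bind_test` fails means libldap is reading its CA setting from somewhere other than the bundle the CA was added to.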