Icinga2 and LDAPS

I am currently using LDAP for authentication and everything is working perfectly.

[active_directory]
type = "ldap"
hostname = "XXX-XX-X.company.xx"
port = "389"
encryption = "none"
root_dn = "DC=xxx,DC=xxx,DC=xx"
bind_dn = "CN=xxxx,OU=xxxx,OU=xxx,DC=xxx,DC=company,DC=xx"
bind_pw = "top secret"
timeout = "5"

Now I would like to switch from LDAP to LDAPS and change the values for encryption and port.

[active_directory]
type = "ldap"
hostname = "XXX-XX-X.company.xx"
port = "636"
encryption = "ldaps"
root_dn = "DC=xxx,DC=xxx,DC=xx"
bind_dn = "CN=xxxx,OU=xxxx,OU=xxx,DC=xxx,DC=company,DC=xx"
bind_pw = "top secret"
timeout = "5"

After that I can no longer log in:

icingaweb2[1217]: Icinga\Exception\AuthenticationException in /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php:417 with message: Failed to authenticate user "xxx" against backend "ad_user". An exception was thrown: <- Icinga\Protocol\Ldap\LdapException in /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php:351 with message: LDAP bind (CN=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx / ***) to ldaps://xxx.xxx.company.xx:636 failed: Can't contact LDAP server

But I can with:
openssl s_client -connect 1.2.3.4:636 -showcerts
read the certificate from the server.

The required certificates are copied into the /etc/ssl/certs -> /etc/pki/tls/certs directory. Is a c_rehash necessary?
I use CentOS 8.

Can someone help me please?

Hello and Welcome,

did you test a connection on the command line with the LDAP client? If I remember correctly, icingaweb2 will write the command line to test in the debug log.
I think you have to edit /etc/openldap/ldap.conf and add

LDAPTLS_REQCERT=never
tls_checkpeer no

and then restart your webserver/php-fpm to make changes active for php.

Regards,
Carsten

Thanks for the information.
LDAP worked perfectly, only LDAPS didn’t.
I solved the problem:
c_rehash and then everything worked …
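The fix above works because OpenSSL only finds a CA in a CApath directory through the `<subject-hash>.0` symlink that c_rehash creates; a certificate merely copied into /etc/pki/tls/certs is invisible to PHP's LDAP client until that link exists. The following is an added example (not code from the thread or from Icinga) that checks whether a given CA file already has its hash link in a directory and, separately, verifies an LDAPS endpoint against that same directory; all paths and host names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the condition that made LDAPS
# fail for the poster: the CA was in the CApath directory but had no
# "<subject_hash>.0" symlink, so OpenSSL (and thus PHP's LDAP client) could
# not build the chain and reported "Can't contact LDAP server".

# ca_hash_link_status CA_FILE CERT_DIR
# Returns 0 when CERT_DIR/<hash>.0 exists for CA_FILE,
#         1 when the link is missing (c_rehash needed),
#         2 on unreadable input or an openssl failure.
ca_hash_link_status() {
    ca_file=$1
    cert_dir=$2
    [ -r "$ca_file" ] && [ -d "$cert_dir" ] || return 2
    # Same hash that c_rehash / "openssl rehash" use to name the symlink.
    hash=$(openssl x509 -noout -subject_hash -in "$ca_file") || return 2
    link="$cert_dir/$hash.0"
    if [ ! -e "$link" ]; then
        echo "missing $link: run 'c_rehash $cert_dir' (or 'openssl rehash $cert_dir')" >&2
        return 1
    fi
    return 0
}

# verify_ldaps_chain HOST:PORT CERT_DIR
# Like the "openssl s_client -connect host:636" command in the thread, but
# forces the CApath the LDAP library will use, so a missing hash link shows
# up here as a verify error (exit code != 0) instead of a vague bind failure.
# Needs network access, so it is not exercised by the offline test.
verify_ldaps_chain() {
    target=$1
    cert_dir=$2
    printf '' | openssl s_client -connect "$target" -CApath "$cert_dir" \
        -verify_return_error >/dev/null 2>&1
}
```

On CentOS 8 the distribution-maintained route is to drop the CA into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust, which regenerates the bundle OpenSSL reads by default; the hash-link check above is for the case where a CApath directory is used directly, as in the thread.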