LDAP Integration - Icinga - Validation Failing

Hi Team,

I have been trying to do the LDAP integration with Icingaweb… I have added resources as shown below…

cn=ldap_icinga2 (Useraccount that i made on my AD under ou(users)

Can you please advise if i am doing something wrong?

Hi.

Are you sure about ldaps?
Do you probably mean starttls?

If you mean ldaps: Do you mean port 389 oder 636?

I face the same issue, I’m trying to authenticate against LDAPS over 636. i get the same error.

If there anything i’m doing is wrong ?

Hi.

Can you do the request successfully via the commandline, from the server hosting the icingaweb2 instance?

E.g.:

ldapsearch -H ldaps://<your.awesome.ldap.server> \
-p 636 \
-x -W \
-D "<your bind account>" \
-b "<the base dn>"

(respectively the correct arguments)

2 Likes

I slightly edited the command from @homerjay as -p is not supported with -H on my implementation. and added -d8 for more debugging output:

ldapsearch -H ldaps://<your.awesome.ldap.server:636>  -x -W -d8  -D "<your bind account>"  -b "<the base dn>"

You can add “TLS_REQCERT allow” to your ldap.conf (ubuntu: /etc/ldap/ldap.conf) to ignore wrong certificates. So you can check if its a certificate problem. Also make sure that any ca cert given in config really exists, otherwise there will be no usefull errorcode in the result.

1 Like

Hello,

Thanks for the help, the issue is now resolved.
My certificates weren’t added, steps i followed were:-
First converted my .der certificate to .pem and then .pem to .crt
openssl x509 -inform der -in my-ca.der -out my-ca.pem
openssl x509 -in my-ca.pem -inform PEM -out my-ca.crt

created another directory /usr/share/ca-certificates/extras
copied my .crt file to /usr/share/ca-certificates/extras
dpkg-reconfigure ca-certificates
selected the certificate and installed it

Finally was able to establish LDAPS connection in resources under systems on Icingaweb console.

Have a good day :-)!

2 Likes

I am still facing the issue… i have tried both Ldaps & starttls… Still facing the issue… & i have tried with both the ports 389 & 636… can you advise on this?

Check if the solution from this thread works for you:

1 Like