LDAP Integration - Icinga - Validation Failing

Hi Team,

I have been trying to do the LDAP integration with Icinga Web… I have added the resources as shown below…

cn=ldap_icinga2 (user account that I made on my AD under OU "users")

Can you please advise if I am doing something wrong?

Hi.

Are you sure about LDAPS?
Or do you perhaps mean STARTTLS?

If you mean LDAPS: do you mean port 389 or 636?

I face the same issue. I'm trying to authenticate against LDAPS over 636 and I get the same error.

Is there anything I'm doing wrong?

Hi.

Can you do the request successfully via the command line, from the server hosting the icingaweb2 instance?

E.g.:

ldapsearch -H ldaps://<your.awesome.ldap.server> \
  -p 636 \
  -x -W \
  -D "<your bind account>" \
  -b "<the base dn>"

(with the arguments adjusted to your setup, of course)

2 Likes

I slightly edited the command from @homerjay, as -p is not supported together with -H on my implementation, and added -d8 for more debugging output:

ldapsearch -H ldaps://<your.awesome.ldap.server>:636 -x -W -d8 -D "<your bind account>" -b "<the base dn>"

You can add "TLS_REQCERT allow" to your ldap.conf (Ubuntu: /etc/ldap/ldap.conf) to ignore wrong certificates, so you can check whether it's a certificate problem. Also make sure that any CA cert given in the config really exists; otherwise there will be no useful error code in the result.

1 Like

Hello,

Thanks for the help, the issue is now resolved.
My certificates weren't added; the steps I followed were:
First I converted my .der certificate to .pem and then .pem to .crt:
openssl x509 -inform der -in my-ca.der -out my-ca.pem
openssl x509 -in my-ca.pem -inform PEM -out my-ca.crt

Then I created another directory, /usr/share/ca-certificates/extras,
copied my .crt file to /usr/share/ca-certificates/extras, ran
dpkg-reconfigure ca-certificates
and selected the certificate and installed it.

Finally I was able to establish the LDAPS connection in resources under systems on the Icinga Web console.

Have a good day :-)!

3 Likes
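The two posts above (the TLS_REQCERT / "make sure the CA cert really exists" hint and the DER-to-PEM steps) can be exercised offline. The following script is an added example and is not code from this thread or from the Icinga project: it builds a throwaway lab CA and server certificate with openssl (constructed data, not a real AD CA), converts the CA from DER to PEM exactly as in the post above, checks that the CA file a config points at actually exists and parses, and then makes the same trust decision ldapsearch makes under the default TLS_REQCERT demand. It assumes openssl is on PATH; all file names and the "Lab Root CA" / "ldap.lab.example" names are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Every certificate here is constructed in a
# temporary directory; nothing touches the system trust store or the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_test_pki: constructed root CA (also exported as DER, like a CA export from
# AD), a server cert signed by it, and a second, unrelated CA for the negative case.
make_test_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Lab Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/ca.pem" -outform der -out "$WORK/my-ca.der"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.lab.example" -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/ldap.crt" >/dev/null 2>&1
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Other CA" -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# der_to_pem IN OUT: the conversion step from the thread (openssl x509 -inform der).
der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# check_ca_file FILE: returns 1 if the file is missing (the case that yields no
# useful error from ldapsearch), 2 if it is not a parseable X.509 certificate,
# 0 if it is usable as a TLS_CACERT value.
check_ca_file() {
  [ -r "$1" ] || return 1
  openssl x509 -in "$1" -noout -subject >/dev/null 2>&1 || return 2
}

# verify_against_ca CAFILE CERT: the trust decision ldapsearch makes with
# TLS_REQCERT demand (the default); 0 only if CERT chains to CAFILE.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ldap_conf_lines CAFILE: the ldap.conf settings to use once the CA is in place:
# pin the CA file and keep certificate checking strict.
ldap_conf_lines() {
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

make_test_pki
der_to_pem "$WORK/my-ca.der" "$WORK/my-ca.pem"
if check_ca_file "$WORK/my-ca.pem"; then
  echo "CA file usable: $(openssl x509 -in "$WORK/my-ca.pem" -noout -subject)"
fi
if verify_against_ca "$WORK/my-ca.pem" "$WORK/ldap.crt"; then
  echo "server cert chains to my-ca.pem"
fi
if ! verify_against_ca "$WORK/other.pem" "$WORK/ldap.crt"; then
  echo "server cert does NOT chain to other.pem (TLS_REQCERT allow would hide this)"
fi
ldap_conf_lines /etc/ssl/certs/my-ca.pem
```

Two points worth taking from it: the .pem-to-.crt step in the post above is only a rename (both files are PEM; the ca-certificates package just expects the .crt suffix), and TLS_REQCERT allow is a diagnostic switch, not a fix: once the right CA is installed, set it back to demand so a server presenting a certificate from an unrelated CA is rejected, as the last check in the script shows.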

I am still facing the issue… I have tried both LDAPS & STARTTLS… still facing the issue… & I have tried with both ports, 389 & 636… can you advise on this?

Check if the solution from this thread works for you:

1 Like