Whoops:
putenv('LDAPTLS_CACERT=/path/to/rootca.pem');
Note that this seems to want the CA’s cert, not your server’s cert.
Our code doesn’t have any consideration for TLS at all as far as I can see; it should all be transparent to Observium if you get PHP/LDAP into the situation where it accepts your cert.
Adam.
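As an added example (not Observium's code and not from anyone in the thread), the following PHP shows the two ways mentioned above for telling PHP's LDAP client which CA certificate to trust, plus a probe that forces the TLS handshake and reports libldap's own diagnostic instead of the bare "Can't contact LDAP server". The hostname `dc1.example.local`, the CA path `/etc/observium/ldap-ca.pem`, and the function names are assumptions; the CA file is the PEM certificate of whatever issued the domain controller's certificate (for a truly self-signed DC certificate, that is the DC certificate itself).

```php
<?php
// Added example: configure PHP's LDAP client (libldap underneath) to trust a
// specific CA certificate, then probe the TLS handshake. Not Observium code.
// Assumptions: the URI and CA path are placeholders for your environment.

declare(strict_types=1);

const LDAP_URI    = 'ldaps://dc1.example.local:636'; // assumption
const LDAP_CACERT = '/etc/observium/ldap-ca.pem';    // assumption: CA cert, not the DC's leaf cert

// Check the CA file before configuring LDAP: libldap reports a missing or
// malformed file only indirectly ("Can't contact LDAP server").
function ca_file_is_usable(string $path): bool
{
    if (!is_readable($path)) {
        return false;
    }
    $pem = (string) file_get_contents($path);
    return openssl_x509_read($pem) !== false;
}

// Point libldap at the CA. Either line is enough on its own; both must run
// before ldap_connect() because the TLS context is built at connection time.
function configure_ldap_tls(string $caFile): void
{
    // 1. The environment variable from the thread, read by libldap itself.
    putenv('LDAPTLS_CACERT=' . $caFile);
    // 2. The same setting through PHP's global (null handle) LDAP options.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    // Keep verification strict. LDAP_OPT_X_TLS_NEVER would make the bind
    // succeed against any certificate, which is the "ignore it" shortcut
    // the thread argues against.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}

// libldap's extended error text, e.g. the exact certificate verification failure.
function ldap_diag($conn): string
{
    $msg = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $msg);
    return (string) $msg;
}

// Force a TLS handshake and return the outcome. An anonymous bind is enough to
// trigger the handshake, so the probe needs no credentials.
function probe_ldap_tls(string $uri): array
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return ['ok' => false, 'error' => 'invalid LDAP URI', 'detail' => ''];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Plain ldap:// URIs are upgraded with STARTTLS; ldaps:// negotiates TLS
    // during connect, so there the bind below is what surfaces errors.
    if (strpos($uri, 'ldap://') === 0 && !@ldap_start_tls($conn)) {
        return ['ok' => false, 'error' => ldap_error($conn), 'detail' => ldap_diag($conn)];
    }
    if (!@ldap_bind($conn)) {
        return ['ok' => false, 'error' => ldap_error($conn), 'detail' => ldap_diag($conn)];
    }
    ldap_unbind($conn);
    return ['ok' => true, 'error' => '', 'detail' => ''];
}

// Stand-alone run: php ldap-tls-probe.php
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    if (!ca_file_is_usable(LDAP_CACERT)) {
        fwrite(STDERR, 'CA file ' . LDAP_CACERT . " is missing or not a PEM certificate\n");
        exit(1);
    }
    configure_ldap_tls(LDAP_CACERT);
    $result = probe_ldap_tls(LDAP_URI);
    echo $result['ok']
        ? "TLS handshake and anonymous bind OK\n"
        : "bind failed: {$result['error']} ({$result['detail']})\n";
    exit($result['ok'] ? 0 : 2);
}
```

Only the lines inside `configure_ldap_tls()` belong in config.php; run the probe as its own script. To get the CA in PEM form, `openssl s_client -connect dc1.example.local:636 -showcerts </dev/null` prints the certificates the DC sends; save the issuer (or the self-signed DC certificate itself) to the path above. One caveat with the `putenv()` route: libldap reads `LDAPTLS_*` variables once when it initializes, so in a long-running PHP-FPM or mod_php worker a `putenv()` executed after that process's first LDAP call has no effect, whereas `ldap_set_option()` on the global handle does not depend on timing. Setting `TLS_CACERT` in the system `ldap.conf` covers every libldap client on the host, which is the "global" alternative to doing it in config.php.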
From: observium <observium-bounces@observium.org> On Behalf Of Adam Armstrong via observium
Sent: 16 February 2022 23:36
To: 'Observium' <observium@observium.org>
Cc: Adam Armstrong <adama@observium.org>
Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Presumably you need to extract your certs in the correct format and direct the commands to them.
The LDAP connection is done by PHP’s LDAP module. You just need to work out how to do it with PHP’s module.
It’s probable that you could override this globally with the php.ini rather than putting it in the config.php, too.
There seems to be half a dozen solutions for making this work, which isn’t uncommon with infrequently used PHP features. There’s also this:
putenv('/path/to/rootca.pem');
Adam.
From: Tony Guadagno <tonyg@guadagno.org>
Sent: 16 February 2022 21:57
To: Observium <observium@observium.org>
Cc: Adam Armstrong <adama@observium.org>
Subject: RE: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Adam, sorry for being dense, but do I just add these two lines directly (as is) to the config.php?
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/path/to');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/cert.pem');
I tried this with the paths to my certs and it had no effect.
Do I need to wrap those commands in some other syntax?
thanks
Tony
From: Adam Armstrong via observium <observium@observium.org>
Sent: Wednesday, February 16, 2022 4:25 PM
To: 'Observium' <observium@observium.org>
Cc: Adam Armstrong <adama@observium.org>
Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
https://andreas.heigl.org/2020/01/31/handle-self-signed-certificates-with-ph...
I’d assume that getting your cert and putting the two ldap_set_option() commands into config.php should suffice.
This seems like a better solution than turning off cert verification.
Adam.
From: observium <observium-bounces@observium.org> On Behalf Of Tony Guadagno via observium
Sent: 16 February 2022 21:03
To: Observium <observium@observium.org>; Brandon Lund <brandon@kansas.net>
Cc: Tony Guadagno <tonyg@guadagno.org>
Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
I made a packet capture on the Observium server trying to login and if you look, you will see that it is indeed a self signed issue.
How do I tell Observium to either trust the cert OR ignore the fact that it is self signed??
Tony
From: Tony Guadagno via observium <observium@observium.org>
Sent: Wednesday, February 16, 2022 3:27 PM
To: Brandon Lund <brandon@kansas.net>; Observium <observium@observium.org>
Cc: Tony Guadagno <tonyg@guadagno.org>
Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Sorry, I should have been more specific... I already have other apps using LDAP with TLS hitting the server and they work... so I am confident my AD server is properly configured. I work a lot with LDAP and I often find that some apps that integrate with LDAP and TLS get picky about the cert... that's why I think it might be the fact that I am using a self-signed cert (which is common on AD servers).
Usually, there is a way to tell the application “ignore the fact that it is self signed, accept it anyway”.
Tony
From: Brandon Lund <brandon@kansas.net>
Sent: Wednesday, February 16, 2022 3:08 PM
To: Observium <observium@observium.org>
Cc: Tony Guadagno <tonyg@guadagno.org>
Subject: Re: LDAP auth to MS AD with TLS Self Signed Cert
Looks like you need to enable TLS for AD to start listening for LDAPS.
No experience, just a quick search.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority (Enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) - Windows Server | Microsoft Docs)
Thanks Brandon Lund KansasNet Internet Services 785-776-1452
From: observium <observium-bounces@observium.org> on behalf of Tony Guadagno via observium <observium@observium.org>
Sent: Wednesday, February 16, 2022 1:49 PM
To: Tony Guadagno via observium
Cc: Tony Guadagno
Subject: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Hi,
I have LDAP auth mostly working; if I set TLS to false, I can authenticate. However, I want to be secure, and when I enable TLS, I get a debug error that says:
Error binding to LDAP server: servername.local: Can’t contact LDAP server
I am guessing the issue is the self signed cert that my server is using.
My question is... how do I configure Observium to accept self-signed certs for LDAP?
thanks
Tony