Adam, sorry for being dense, but do I just add these two lines directly (as is) to the config.php?
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/path/to');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/cert.pem');
I tried this with the paths to my certs and it had no affect.
Do I need to wrap those command in some other syntax?
thanks
Tony From: Adam Armstrong via observiummailto:observium@observium.org Sent: Wednesday, February 16, 2022 4:25 PM To: 'Observium'mailto:observium@observium.org Cc: Adam Armstrongmailto:adama@observium.org Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
https://andreas.heigl.org/2020/01/31/handle-self-signed-certificates-with-ph...
I’d assume that getting your cert and putting the two ldap_set_option() commands into config.php should suffice.
This seems like a better solution that turning off cert verification.
Adam.
From: observium observium-bounces@observium.org On Behalf Of Tony Guadagno via observium Sent: 16 February 2022 21:03 To: Observium observium@observium.org; Brandon Lund brandon@kansas.net Cc: Tony Guadagno tonyg@guadagno.org Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
I made a packet capture on the Observium server trying to login and if you look, you will see that it is indeed a self signed issue.
How do I tell Observium to either trust the cert OR ignore the fact that it is self signed??
[cid:image002.png@01D82356.3DB8A3E0]
Tony From: Tony Guadagno via observiummailto:observium@observium.org Sent: Wednesday, February 16, 2022 3:27 PM To: Brandon Lundmailto:brandon@kansas.net; Observiummailto:observium@observium.org Cc: Tony Guadagnomailto:tonyg@guadagno.org Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Sorry, I should have been more specific…I already have other apps using ldap with tls hitting the server and they work…so I am confident my AD server is properly configured. I work a lot with ldap and I often find that some apps that integrate with ldap and tls get picky about the cert..thats why I think it might be the fact that I am using a self signed cert (which is common on AD servers).
Usually, there is a way to tell the application “ignore the fact that it is self signed, accept it anyway”
Tony
From: Brandon Lundmailto:brandon@kansas.net Sent: Wednesday, February 16, 2022 3:08 PM To: Observiummailto:observium@observium.org Cc: Tony Guadagnomailto:tonyg@guadagno.org Subject: Re: LDAP auth to MS AD with TLS Self Signed Cert
looks like you need to enable tls for ad to start listing for ldaps
no experience just a quick search.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable... [Image removed by sender.]https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
Enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) - Windows Server | Microsoft Docshttps://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority docs.microsoft.com Describes how to enable LDAP over SSL with a third-party certification authority.
Thanks Brandon Lund KansasNet Internet Services 785-776-1452
From: observium observium-bounces@observium.org on behalf of Tony Guadagno via observium observium@observium.org Sent: Wednesday, February 16, 2022 1:49 PM To: Tony Guadagno via observium Cc: Tony Guadagno Subject: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Hi,
I have ldap auth working mostly, if I set tls to false, I can authenticate. However, I want to be secure and when I enable tls, I get a debug error that says:
Error binding to LDAP server: servername.local: Can’t contact LDAP server
I am guessing the issue is the self signed cert that my server is using.
My question is…how do I configure Observium to accept self signed certs for ldap?
thanks
Tony
