You ran the first command that captures the cert from the LDAPS server and tried that cert, right?
$ echo \
    | openssl s_client -connect openldap:636 2>/dev/null \
    | openssl x509 -text \
    | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' \
    > /path/to/cert.pem
Adam, sorry for being dense, but do I just add these two lines directly (as is) to the config.php?
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/path/to');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/cert.pem');
I tried this with the paths to my certs and it had no effect.
Do I need to wrap those commands in some other syntax?
thanks
Tony
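For the two messages above (Adam's suggestion to put the ldap_set_option() calls into config.php, and Tony's question about how they are used), here is a stand-alone PHP check. It is an added example, not Observium's code and not from the linked article: it trusts the captured certificate file and keeps verification switched on, then performs a TLS bind. The hostname, file path, bind DN and environment variable are placeholders.

```php
<?php
// Added example (not Observium's code): verify an LDAPS server that presents a
// self-signed certificate by trusting that exact certificate, instead of
// disabling verification. Hostname, paths and the bind DN are placeholders.

// PEM captured from the server with the openssl pipeline above (placeholder path).
$caFile = '/etc/observium/ldap-ca.pem';

if (!is_readable($caFile)) {
    fwrite(STDERR, "CA file $caFile is not readable; TLS verification will fail\n");
    exit(1);
}

// The TLS options MUST be set before ldap_connect(): libldap reads them when it
// builds the first TLS context and ignores changes made afterwards. Passing
// null as the link sets them globally for the whole PHP process.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
// Keep verification on: the server certificate must chain to $caFile.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

// The "accept it anyway" alternative discussed in the thread would be
//   ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
// which accepts any certificate, including one presented by a man in the
// middle. It is deliberately not used here.

$ldap = ldap_connect('ldaps://servername.local:636');   // placeholder host
if ($ldap === false) {
    fwrite(STDERR, "ldap_connect() rejected the URI\n");
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);          // AD referrals otherwise stall the bind

$bindDn = 'CN=svc-observium,OU=Service Accounts,DC=example,DC=local'; // placeholder
$bindPw = getenv('LDAP_BIND_PW') ?: '';                               // placeholder variable

if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
    // A TLS trust failure surfaces here as "Can't contact LDAP server" (the
    // message quoted in the thread), not as an invalid-credentials error.
    fwrite(STDERR, "Bind failed: " . ldap_error($ldap) . "\n");
    // The underlying TLS reason, if libldap recorded one.
    if (ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag) && $diag !== '') {
        fwrite(STDERR, "Diagnostic: $diag\n");
    }
    exit(1);
}

echo "TLS bind OK: server certificate verified against $caFile\n";
ldap_unbind($ldap);
```

Run it from the command line on the Observium host first; once it binds, the same two ldap_set_option() lines belong in config.php ahead of anything that opens an LDAP connection, since setting them after the connection exists has no effect. Two points the thread does not spell out: LDAP_OPT_X_TLS_CACERTFILE alone is enough, and LDAP_OPT_X_TLS_CACERTDIR only works on a directory prepared with c_rehash (hash-named files), so pointing it at an ordinary folder does nothing; and if the AD certificate turns out to be issued by an internal CA rather than truly self-signed, the file has to contain that issuing CA's certificate, because verification looks for a trust anchor, not for a byte-identical copy of the server's leaf certificate.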
From: Adam Armstrong via observium
Sent: Wednesday, February 16, 2022 4:25 PM
To: 'Observium'
Cc: Adam Armstrong
Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
https://andreas.heigl.org/2020/01/31/handle-self-signed-certificates-with-phps-ldap-extension/
I’d assume that getting your cert and putting the two ldap_set_option() commands into config.php should suffice.
This seems like a better solution than turning off cert verification.
Adam.
From: observium <observium-bounces@observium.org>
On Behalf Of Tony Guadagno via observium
Sent: 16 February 2022 21:03
To: Observium <observium@observium.org>; Brandon Lund <brandon@kansas.net>
Cc: Tony Guadagno <tonyg@guadagno.org>
Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
I made a packet capture on the Observium server trying to login and if you look, you will see that it is indeed a self signed issue.
How do I tell Observium to either trust the cert OR ignore the fact that it is self signed??
Tony
From: Tony Guadagno via observium
Sent: Wednesday, February 16, 2022 3:27 PM
To: Brandon Lund; Observium
Cc: Tony Guadagno
Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Sorry, I should have been more specific…I already have other apps using LDAP with TLS hitting the server and they work…so I am confident my AD server is properly configured. I work a lot with LDAP and I often find that some apps that integrate with LDAP and TLS get picky about the cert..that's why I think it might be the fact that I am using a self-signed cert (which is common on AD servers).
Usually, there is a way to tell the application “ignore the fact that it is self signed, accept it anyway”
Tony
From: Brandon Lund
Sent: Wednesday, February 16, 2022 3:08 PM
To: Observium
Cc: Tony Guadagno
Subject: Re: LDAP auth to MS AD with TLS Self Signed Cert
Looks like you need to enable TLS for AD to start listening for LDAPS.
No experience, just a quick search.
docs.microsoft.com: Describes how to enable LDAP over SSL with a third-party certification authority.
Thanks
Brandon Lund
KansasNet Internet Services
785-776-1452
From: observium <observium-bounces@observium.org> on behalf of Tony Guadagno via observium <observium@observium.org>
Sent: Wednesday, February 16, 2022 1:49 PM
To: Tony Guadagno via observium
Cc: Tony Guadagno
Subject: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Hi,
I have LDAP auth working, mostly: if I set tls to false, I can authenticate. However, I want to be secure, and when I enable TLS I get a debug error that says:
Error binding to LDAP server: servername.local: Can’t contact LDAP server
I am guessing the issue is the self-signed cert that my server is using.
My question is…how do I configure Observium to accept self-signed certs for LDAP?
thanks
Tony