Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Adam, I finally got this working. I have written up a quick guide to making this work, would it be possible for you to put this in your documentation page for LDAP Authentication? I am sure I will lose it if it is not somewhere obvious.

Directions for enabling LDAP with TLS when connecting to an LDAP server with a self-signed certificate or a CA that the Observium server does not recognize

Assumptions:
  you have already enabled SSL/TLS for ldap on your Microsoft Domain Controller (or other LDAP server)
  Observium is installed on a Fedora flavor of Linux version 7 or 8 (this might work with Ubuntu but I am not sure the commands are the same)
  Observium is configured for LDAP AND TLS per the authentication documentation page

On the Observium server:
  yum install php-ldap
  vim /etc/openldap/ldap.conf
  make sure these 2 config options are commented out
    #TLS_CACERTDIR /etc/openldap/certs
    #TLS_CACERT /etc/openldap/certs/cert.crt
  Add/Change this config option to either hard or allow
    TLS_REQCERT hard
  “hard” means that the LDAP server MUST present a cert and the cert must be trustworthy OR in the trusted cert store (this is the more secure method)
  “allow” means that the LDAP server MUST present a cert and the cert can be anything...valid or invalid
  setting to “hard” is better because it prevents an imposter from stealing the IP address of the LDAP server and intercepting the messages from Observium

If you are setting TLS_REQCERT to “hard” then take these additional steps:
  export the LDAP server cert in b64 format with NO KEY
  place cert of LDAP server in ‘/etc/pki/ca-trust/source/anchors’ folder
  run ‘update-ca-trust’ as root

Tony

From: Adam Armstrong via observium <observium@observium.org> Sent: Wednesday, February 16, 2022 7:29 PM To: 'Observium' <observium@observium.org> Cc: Adam Armstrong <adama@observium.org> Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
I’ve never used LDAP, so I’m not really sure how this should be done.
You can put the putenv stuff in config.php. So long as the variable is set before LDAP tries to start the connection that should be sufficient.
Observium doesn’t have any configuration related to this itself. You just need to coax whatever conglomeration of PHP and OpenLDAP code exists into talking to your LDAP server.
You might be able to turn off the cert checking by putting “TLS_REQCERT never” into ldap.conf, probably /etc/openldap/ldap.conf or somewhere similar.
Adam.
From: Tony Guadagno tonyg@guadagno.org Sent: 16 February 2022 23:55 To: Observium observium@observium.org Cc: Adam Armstrong adama@observium.org Subject: RE: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Adam, I have the cert for my AD server, as I said, I am pretty familiar with this process as I use ldap often for application authentication….what I am not very familiar with is php. Other apps have config options to set the paths for the certs etc. What I need help with is where (specifically) to put the config so that Observium will use it. I have the certs, I just need the syntax
You mentioned putenv…where would I put that? It must be somewhere in Observium?
Thanks for your help
Tony
From: Adam Armstrong via observium <observium@observium.org> Sent: Wednesday, February 16, 2022 6:42 PM To: 'Observium' <observium@observium.org> Cc: Adam Armstrong <adama@observium.org> Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Whoops:
putenv('LDAPTLS_CACERT=/path/to/rootca.pem');
Note that this seems to want the CA’s cert, not your server’s cert.
Our code doesn’t have any consideration for TLS at all as far as I can see, it should all be transparent to Observium if you get PHP/LDAP into the situation where it accepts your cert.
Adam.
From: observium <observium-bounces@observium.org> On Behalf Of Adam Armstrong via observium Sent: 16 February 2022 23:36 To: 'Observium' <observium@observium.org> Cc: Adam Armstrong <adama@observium.org> Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Presumably you need to extract your certs in the correct format and direct the commands to them.
The LDAP connection is done by PHP’s LDAP module. You just need to work out how to do it with PHP’s module.
It’s probable that you could override this globally with the php.ini rather than putting it in the config.php, too.
There seem to be half a dozen solutions for making this work, which isn’t uncommon with infrequently used PHP features. There’s also this:
putenv('/path/to/rootca.pem');
Adam.
From: Tony Guadagno <tonyg@guadagno.org> Sent: 16 February 2022 21:57 To: Observium <observium@observium.org> Cc: Adam Armstrong <adama@observium.org> Subject: RE: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Adam, sorry for being dense, but do I just add these two lines directly (as is) to the config.php?
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/path/to');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/cert.pem');
I tried this with the paths to my certs and it had no effect.
Do I need to wrap those commands in some other syntax?
thanks
Tony

From: Adam Armstrong via observium <observium@observium.org> Sent: Wednesday, February 16, 2022 4:25 PM To: 'Observium' <observium@observium.org> Cc: Adam Armstrong <adama@observium.org> Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
https://andreas.heigl.org/2020/01/31/handle-self-signed-certificates-with-ph...
I’d assume that getting your cert and putting the two ldap_set_option() commands into config.php should suffice.
This seems like a better solution than turning off cert verification.
Adam.
From: observium <observium-bounces@observium.org> On Behalf Of Tony Guadagno via observium Sent: 16 February 2022 21:03 To: Observium <observium@observium.org>; Brandon Lund <brandon@kansas.net> Cc: Tony Guadagno <tonyg@guadagno.org> Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
I made a packet capture on the Observium server trying to login and if you look, you will see that it is indeed a self signed issue.
How do I tell Observium to either trust the cert OR ignore the fact that it is self signed??
Tony

From: Tony Guadagno via observium <observium@observium.org> Sent: Wednesday, February 16, 2022 3:27 PM To: Brandon Lund <brandon@kansas.net>; Observium <observium@observium.org> Cc: Tony Guadagno <tonyg@guadagno.org> Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Sorry, I should have been more specific…I already have other apps using ldap with tls hitting the server and they work…so I am confident my AD server is properly configured. I work a lot with ldap and I often find that some apps that integrate with ldap and tls get picky about the cert... that's why I think it might be the fact that I am using a self signed cert (which is common on AD servers).
Usually, there is a way to tell the application “ignore the fact that it is self signed, accept it anyway”
Tony
From: Brandon Lund <brandon@kansas.net> Sent: Wednesday, February 16, 2022 3:08 PM To: Observium <observium@observium.org> Cc: Tony Guadagno <tonyg@guadagno.org> Subject: Re: LDAP auth to MS AD with TLS Self Signed Cert
looks like you need to enable tls for ad to start listening for ldaps
no experience just a quick search.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
Enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) - Windows Server | Microsoft Docs: Describes how to enable LDAP over SSL with a third-party certification authority.
Thanks
Brandon Lund
KansasNet Internet Services 785-776-1452
From: observium <observium-bounces@observium.org> on behalf of Tony Guadagno via observium <observium@observium.org> Sent: Wednesday, February 16, 2022 1:49 PM To: Tony Guadagno via observium Cc: Tony Guadagno Subject: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
Hi,
I have ldap auth working mostly, if I set tls to false, I can authenticate. However, I want to be secure and when I enable tls, I get a debug error that says:
Error binding to LDAP server: servername.local: Can’t contact LDAP server
I am guessing the issue is the self signed cert that my server is using.
My question is…how do I configure Observium to accept self signed certs for ldap?
thanks
Tony
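
An added example, not part of any message in this thread: a read-only shell audit of the client-side settings from the guide at the top (the effective TLS_REQCERT level, the two CA options the guide says to comment out, and a key-free PEM export). It assumes that the last uncommented TLS_REQCERT line wins, that an LDAPTLS_REQCERT environment variable overrides the file, and that OpenLDAP falls back to "demand" when nothing is set; the function names are illustrative.

```bash
#!/bin/sh
# Added example: read-only audit of the ldap.conf settings and the exported
# certificate described in the guide. Nothing on the system is modified.

# Echo the effective TLS_REQCERT level for an ldap.conf-style file.
# Assumptions: last uncommented line wins, LDAPTLS_REQCERT in the
# environment overrides the file, and the default when unset is "demand".
effective_reqcert() {
    local conf="$1" level=""
    [ -r "$conf" ] && level=$(awk 'toupper($1) == "TLS_REQCERT" { v = $2 } END { print v }' "$conf")
    level=${LDAPTLS_REQCERT:-${level:-demand}}
    printf '%s\n' "$level" | tr '[:upper:]' '[:lower:]'
}

# Classify a level: strict (cert required and validated), lenient (a bad
# cert aborts the session, a missing one does not), unverified (anything goes).
classify_reqcert() {
    case "$1" in
        demand|hard) echo strict ;;
        try)         echo lenient ;;
        allow|never) echo unverified ;;
        *)           echo unknown ;;
    esac
}

# Print any uncommented TLS_CACERT / TLS_CACERTDIR lines, which the guide
# says must be commented out.
active_ca_overrides() {
    awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR"' "$1"
}

# Succeed only if the file holds a PEM certificate and no private key block
# (the "b64 format with NO KEY" export step).
pem_is_cert_only() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Run every check, print findings, return non-zero if any check fails.
audit_ldap_tls() {
    local conf="$1" cert="$2" rc=0 level class
    level=$(effective_reqcert "$conf")
    class=$(classify_reqcert "$level")
    echo "TLS_REQCERT=$level ($class)"
    [ "$class" = strict ] || { echo "FAIL: server cert is not strictly verified"; rc=1; }
    [ -z "$(active_ca_overrides "$conf")" ] || { echo "FAIL: TLS_CACERT/TLS_CACERTDIR still active"; rc=1; }
    pem_is_cert_only "$cert" || { echo "FAIL: $cert is not a key-free PEM certificate"; rc=1; }
    return $rc
}

# Usage: sh audit.sh /etc/openldap/ldap.conf /path/to/exported-cert.pem
if [ $# -eq 2 ]; then
    audit_ldap_tls "$1" "$2"
fi
```

Run it against the exported file before copying it into the anchors folder, so a PFX-derived export that still contains the private key is caught first.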
This looks like it’s working to me. It’s logged you in and inserted the login event into the database.
Disable debugging and it’ll probably be working.
Would it be possible to post my configuration notes in the documentation so the knowledge is not lost?
Tony
From: Adam Armstrong via observium <observium@observium.org> Sent: Thursday, February 17, 2022 3:42 PM To: Observium <observium@observium.org> Cc: Adam Armstrong <adama@observium.org> Subject: Re: [Observium] LDAP auth to MS AD with TLS Self Signed Cert
This looks like it’s working to me. It’s logged you in and inserted the login event into the database.
Disable debugging and it’ll probably be working.
participants (2): Adam Armstrong, Tony Guadagno