Hey just wondering on the process for setting up LDAPS for authentication for Observium on Debian? We currently have LDAP working successfully but looking to move to LDAPS. I've changed the port and set starttls to true in the config file but I can't work out how/where to import the certificate?
Quentin Beggs | Engineer 02 9970 2010 | 0420 361 760 Quentin.Beggs@netstrategy.net
NetStrategy Pty Ltd | help@netstrategy.net Help Desk 1300-736-383 | netstrategy.net 165 Walker St, North Sydney NSW 2060
Hi Quentin,
Obviously you're using globally valid SSL certificates on your DCs (why not?!) and this should all just work.
If not, well.. that's a systemwide thing you'd have to do. I'm not actually sure because I've never had the need to import a cert - but it's not "in Observium" you need to do it, it's libopenldap (or something) that validates. I seem to recall it's something with a CA file option in /etc/ldap.conf.
Possibly this, from https://www.php.net/manual/en/function.ldap-connect.php ?
----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<----
Configure OpenSSL:
Extract your Root CA certificate from Active Directory. This is achieved through the use of Certificate Services, a standard component of Windows 2000 Server, but it may not be installed by default (the usual Add/Remove Software method will work here). I extracted this in Base64, not DER, format.
Place the extracted CA cert into the certs folder for OpenSSL (e.g. /usr/local/ssl/certs) and set up the hashed symlinks. This is easily done by simply running:
/usr/local/ssl/bin/c_rehash
Once this is done you can test that it worked by running:
/usr/local/ssl/bin/openssl verify -verbose -CApath /usr/local/ssl/certs /tmp/exported_cacert.pem
(Should return: OK).
Configure OpenLDAP:
Add the following to your ldap.conf file (found as /usr/local/openldap/etc/openldap/ldap.conf):
#--begin--
# Instruct client to NOT request a server's cert.
TLS_REQCERT never
# Define location of CA Cert
TLS_CACERT /usr/local/ssl/certs/AD_CA_CERT.pem
TLS_CACERTDIR /usr/local/ssl/certs
#--end--
----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<----
If someone else on the list has, please do speak up - would love to document this :-)
Tom
On 2/4/2020 4:46 AM, Quentin Beggs via observium wrote:
https://manpages.debian.org/stretch/ca-certificates/update-ca-certificates.8...
-- Josh Benner, Team Lead - Platform Support Engineering
On February 3, 2020 at 10:46:50 PM, Quentin Beggs via observium ( observium@observium.org) wrote:
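Tom's TLS_CACERT pointer and Josh's update-ca-certificates link describe the same thing: it is the OpenLDAP client library, not Observium, that must trust the AD root CA. As an added example (not from anyone in the thread), the script below builds a constructed stand-in for the exported AD root CA and a DC certificate it signed, installs the CA into a hashed CApath, proves the chain with `openssl verify` the way the quoted snippet suggests, and writes the two ldap.conf lines that matter; `TLS_REQCERT demand` keeps server verification on, whereas the `never` in the quoted snippet turns it off. The paths, hostnames and the Debian system-wide install function (which needs root and is not exercised here) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. All paths and CNs are assumed.

# Constructed stand-in PKI: a self-signed "AD root CA" plus a DC certificate
# signed by it. In a real deployment the CA PEM is the Base64 root CA
# exported from Certificate Services, and the DC cert lives on the server.
make_test_pki() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test AD Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
    -keyout "$1/dc.key" -out "$1/dc.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/dc.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/dc.pem" 2>/dev/null
}

# Build a hashed CApath directory (what c_rehash did in the quoted snippet;
# modern OpenSSL ships the same thing as "openssl rehash").
install_capath() {  # $1 = CA PEM, $2 = CApath dir
  mkdir -p "$2" && cp "$1" "$2/ad-root.pem" \
    && { openssl rehash "$2" 2>/dev/null || c_rehash "$2" >/dev/null 2>&1; }
}

# Returns 0 only if the DC certificate chains to a CA in the CApath,
# i.e. the same check "openssl verify -CApath ... (Should return: OK)" makes.
# -no-CAfile keeps the default bundle out of the picture for a clean answer.
verify_dc_cert() {  # $1 = CApath dir, $2 = DC cert PEM
  openssl verify -CApath "$1" -no-CAfile "$2" >/dev/null 2>&1
}

# Debian system-wide alternative (needs root, not run by the test): drop the
# CA into /usr/local/share/ca-certificates as .crt and rebuild the bundle
# /etc/ssl/certs/ca-certificates.crt, which TLS_CACERT can then point at.
install_system_ca() {  # $1 = CA PEM
  cp "$1" /usr/local/share/ca-certificates/ad-root.crt && update-ca-certificates
}

# OpenLDAP client config (Debian keeps it in /etc/ldap/ldap.conf).
# TLS_REQCERT demand makes libldap reject a DC whose cert does not chain to
# TLS_CACERT; "never" would accept any certificate and defeat LDAPS.
write_ldap_conf() {  # $1 = output file, $2 = CA PEM or bundle path
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$2" > "$1"
}
```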