hello, I want my LDAP auth to be in SSL (LDAPS) or in TLS except that when I activate the option and I try to import users, it returns me nothing and in the log it indicates to me that it does not manage to join the server on the other hand when I leave clear, it connects there correctly and returns me well of the user
Question
LDAP SSL
+5
+21HI
+5Hi
My certificate was signed by an internal Certificate Authority via ADCS.
I have installed (copied) my root certificate in /etc/ssl/certs
+21+5I solved the problem by working around it,
Unfortunately, I was not able to get my Root Authority certificate to take into account,
so I used a package called Stunnel4 in which it is possible to create an encrypted tunnel between the server running stunnel and the destination server. if need be I can give the conf used (which is very basic, there are some tutorials on internet)
You said into the previously response that you solved the problem by working around it by using stunnel4, I want the way that we proceeded please.
+5OK,
I'm on debian but stunnel4 is normally also available on centos/rhel/oracle
first of all, I installed stunnel 4 on the centreon server (I'm in all-in-one mode, see which server does the auth/UI in the case of multiple servers).
first of all, of course, I activated LDAPS on my infrastructure (I have an AD, so it's not complicated, there are plenty of tutorials on the net for activating it).
once stunnel is installed and LDAP over SSL/TLS is enabled, you need to go to the stunnel config file (under debian it's in /etc/stunnel/stunnel.conf
My conf file looks like this:
output = /var/log/stunnel4/stunnel.log
pid = /var/run/stunnel4/stunnel.pid
foreground = no
cert = /etc/ssl/perso/centreon.pem
key = /etc/ssl/perso/centreon.key
[ldap]
client = yes
accept = localhost:4389
connect = <server IP/FQDN>:636I generated my local certificate with command and info:
centreon.cfg
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ req_distinguished_name ]
countryName = <countryName/countryCode>
stateOrProvinceName = <stateOrProvinceName>
localityName = <localityName>
organizationName = <organizationName>
organizationalUnitName = <organizationalUnitName>
emailAddress = <emailAddress>
0.commonName = <FQDN SERV>centreon.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = <Centreon IP>
DNS.1 = <FQDN SERV>gen-certs.sh
#! /bin/bash
openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-384 -out ecparam.pem
openssl req -newkey ec:ecparam.pem -nodes -sha256 -out centreon.csr -keyout centreon.key -config centreon.cfg -outform PEM
openssl x509 -req -in centreon.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out centreon.pem -days 365 -extfile centreon.ext -outform PEM
cp centreon.key /etc/ssl/perso/centreon.key
cp centreon.pem /etc/ssl/perso/centreon.pem
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.