Question

LDAP SSL

  • 14 October 2022
  • 8 replies
  • 265 views

Badge +3

Hello, I want my LDAP auth to use SSL (LDAPS) or TLS, except that when I activate the option and try to import users, it returns nothing, and the log indicates that it cannot reach the server. On the other hand, when I leave it in clear text, it connects correctly and returns the users.


8 replies

Userlevel 6
Badge +18

Hi @Sservais, is your LDAP certificate self-signed? Did you register it on the Centreon server?

Badge +3

Hi @Laurent,

My certificate was signed by an internal Certificate Authority via ADCS.

I have installed (copied) my root certificate in /etc/ssl/certs

Userlevel 6
Badge +18

@Sservais I'm not sure that copying a certificate into /etc/ssl/certs installs it.

Badge +3

I solved the problem by working around it.

Unfortunately, I was not able to get my root authority certificate taken into account,

so I used a package called stunnel4, with which it is possible to create an encrypted tunnel between the server running stunnel and the destination server. If need be, I can share the config used (which is very basic; there are some tutorials on the internet).

Badge

Hello @Laurent, I have the same issue. @Sservais, can you share the config with me, please? Thanks.

Badge +3

what configuration do you want?

Badge

You said in your previous response that you solved the problem by working around it using stunnel4; I would like to know how you proceeded, please.

Badge +3

OK,
I'm on Debian, but stunnel4 is normally also available on CentOS/RHEL/Oracle.
First of all, I installed stunnel4 on the Centreon server (I'm in all-in-one mode; check which server does the auth/UI in the case of multiple servers).

First of all, of course, I activated LDAPS on my infrastructure (I have an AD, so it's not complicated; there are plenty of tutorials on the net for activating it).

Once stunnel is installed and LDAP over SSL/TLS is enabled, you need to go to the stunnel config file (under Debian it's in /etc/stunnel/stunnel.conf).

My conf file looks like this:

; stunnel runs in client mode: the local listener on localhost:4389 accepts
; plain LDAP and forwards it inside TLS to the LDAPS port of the directory server
output = /var/log/stunnel4/stunnel.log
pid = /var/run/stunnel4/stunnel.pid

foreground = no
; local certificate/key presented to the LDAPS server (client authentication)
cert = /etc/ssl/perso/centreon.pem
key = /etc/ssl/perso/centreon.key

[ldap]
client = yes
accept = localhost:4389
connect = <server IP/FQDN>:636
; note: without "verifyChain = yes" plus "CAfile = <root CA file>" (and
; "checkHost = <server FQDN>"), stunnel does not verify the LDAPS server's certificate

I generated my local certificate with the following commands and config:

centreon.cfg

[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

# v3_req references @alt_names, so openssl req needs this section in the
# same file (otherwise it fails to load the v3_req extension section)
[alt_names]
IP.1 = <Centreon IP>
DNS.1 = <FQDN SERV>

[ req_distinguished_name ]
countryName             = <countryName/countryCode>
stateOrProvinceName     = <stateOrProvinceName>
localityName            = <localityName>
organizationName        = <organizationName>
organizationalUnitName  = <organizationalUnitName>
emailAddress            = <emailAddress>
0.commonName            = <FQDN SERV>

centreon.ext

# extensions applied when the CA signs the CSR (used via "openssl x509 -extfile")
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = <Centreon IP>
DNS.1 = <FQDN SERV>

gen-certs.sh

#! /bin/bash
set -e
# 1. EC P-384 parameters for the key
openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-384 -out ecparam.pem
# 2. private key + CSR (subject and SAN come from centreon.cfg)
openssl req -newkey ec:ecparam.pem -nodes -sha256 -out centreon.csr -keyout centreon.key -config centreon.cfg -outform PEM
# 3. sign the CSR with the local CA (ca.pem / ca.key), applying the extensions from centreon.ext
openssl x509 -req -in centreon.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out centreon.pem -days 365 -extfile centreon.ext -outform PEM

# install where stunnel.conf expects them
mkdir -p /etc/ssl/perso
cp centreon.key /etc/ssl/perso/centreon.key
cp centreon.pem /etc/ssl/perso/centreon.pem
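Added example (not from this thread): a small diagnostic script that makes the underlying certificate trust failure visible, since the Centreon log only reports that the server is unreachable, and that installs an internal root CA where Debian's update-ca-certificates actually looks. The host name, port and CA file path are parameters you supply.

```shell
#!/bin/sh
# Added example: diagnose LDAPS trust from the Centreon host and install the
# internal (e.g. ADCS) root CA correctly on Debian.

# Pure helper: extract the numeric "Verify return code" from an
# `openssl s_client` transcript read on stdin (empty if no handshake happened).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Translate the codes most often seen with an internal CA.
explain_code() {
    case "$1" in
        0)  echo "chain trusted and hostname matches" ;;
        19) echo "self-signed root in chain is not in the trust store" ;;
        20) echo "issuer certificate (root or intermediate) not found locally" ;;
        21) echo "leaf certificate cannot be verified (server sent no chain)" ;;
        62) echo "hostname does not match the certificate SAN/CN" ;;
        "") echo "no TLS handshake (port closed, or plain LDAP on that port)" ;;
        *)  echo "verify error $1 (see the openssl-verify man page)" ;;
    esac
}

# Live check: check_ldaps <ldap host> [port] [root CA file].
# Without a CA file the system trust store is used, so the same check shows
# whether the CA was really installed. Returns 0 only when the chain verifies.
check_ldaps() {
    host="$1"; port="${2:-636}"; cafile="$3"
    if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set --; fi
    code=$(openssl s_client -connect "$host:$port" -servername "$host" \
               -verify_hostname "$host" "$@" </dev/null 2>/dev/null | verify_code)
    echo "$host:$port -> $(explain_code "$code")"
    [ "$code" = "0" ]
}

# Debian/Ubuntu: /etc/ssl/certs is generated output, not an input directory.
# update-ca-certificates reads /usr/local/share/ca-certificates/*.crt.
# (RHEL family: /etc/pki/ca-trust/source/anchors/ then update-ca-trust.)
install_root_ca_debian() {
    name=$(basename "$1" .pem)
    cp "$1" "/usr/local/share/ca-certificates/$name.crt" && update-ca-certificates
}
```

Run `check_ldaps <server FQDN> 636` before and after `install_root_ca_debian root.pem` (as root); once it reports code 0 the native LDAPS option can be used without the stunnel detour.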
