Hi all,

I'm setting up icingaweb2 using the /setup wizard and I'm at the
authentication setup section.

I've configured the icinga host to use our internal root cacert.  I'm
able to bind to both LDAP STARTTLS and LDAPS using command line tools
(ldapsearch, etc.).

However, I'm unable to use either in Icingaweb2 unless I set
"TLS_REQCERT never" in ldap.conf.

When using TLS I get:

Failed to successfully validate the configuration: ldap_start_tls():
Unable to start TLS: Connect error

And something similar when using LDAPS:

NOTE: There might be an issue with the chosen encryption. Ensure that
the LDAP-Server  supports LDAPS and that the LDAP-Client is configured
to accept its certificate.
LDAP bind to corp.com:389 (u...@corp.com / ***) failed: Can't contact
LDAP server

So, this tells me that icingaweb2 is actually looking at ldap.conf,
but for some reason is not accepting the company root CA certificate.

I also used a small PHP script that does a TLS bind and nothing
else and was able to successfully bind, so PHP is working.

I can't think of any other layers (maybe apache? If so, how?) that I can check.

Is anyone using TLS with a local root CA?  Does anyone have any
suggestions for other things to check?  Is there a way for me to get
more debugging output from the setup wizard?

This is a RHEL7.1 box up to date as of 1-04-2016 and using the icinga
yum repo.  Versions:

icinga2-bin-2.4.1-1.el7.centos.x86_64
icingaweb2-common-2.1.2-1.el7.centos.noarch
icingaweb2-vendor-Parsedown-1.0.0-1.el7.centos.noarch
icinga2-common-2.4.1-1.el7.centos.x86_64
icinga2-2.4.1-1.el7.centos.x86_64
icingaweb2-vendor-JShrink-1.0.1-1.el7.centos.noarch
icingaweb2-vendor-HTMLPurifier-4.7.0-1.el7.centos.noarch
php-Icinga-2.1.2-1.el7.centos.noarch
icingaweb2-2.1.2-1.el7.centos.noarch
icinga2-ido-mysql-2.4.1-1.el7.centos.x86_64
icingaweb2-vendor-lessphp-0.4.0-1.el7.centos.noarch
icingaweb2-vendor-dompdf-0.6.1-1.el7.centos.noarch
icingacli-2.1.2-1.el7.centos.noarch

(Also, but unrelated:  when I try to register at monitoring-portal.org
it fails with "server error".  I know that's not an icinga-users
issue, but hopefully someone who can do something will be notified.)

Thanks for reading,

--Jason
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
