On 21.01.2016 at 22:26, KodaK wrote:
> Hi all,
>
> I'm setting up icingaweb2 using the /setup wizard and I'm at the authentication setup section.
>
> I've configured the icinga host to use our internal root cacert. I'm able to bind to both LDAP STARTTLS and LDAPS using command line tools (ldapsearch, etc.)
>
> However, I'm unable to use either in Icingaweb2 unless I set "TLS_REQCERT never" in ldap.conf.
>
> When using TLS I get:
>
> Failed to successfully validate the configuration: ldap_start_tls(): Unable to start TLS: Connect error
>
> And something similar when using LDAPS:
>
> NOTE: There might be an issue with the chosen encryption. Ensure that the LDAP-Server supports LDAPS and that the LDAP-Client is configured to accept its certificate.
> LDAP bind to corp.com:389 (u...@corp.com / ***) failed: Can't contact LDAP server
>
> So, this tells me that icingaweb2 is actually looking at ldap.conf, but for some reason is not accepting the company root CA certificate.
>
> I also used a small php script that does a tls bind and nothing else and was able to successfully bind, so PHP is working.
>
> I can't think of any other layers (maybe apache? If so, how?) that I can check.
>
> Is anyone using TLS with a local root CA? Does anyone have any suggestions for other things to check? Is there a way for me to get more debugging output from the setup wizard?
>
> This is a RHEL7.1 box up to date as of 1-04-2016 and using the icinga yum repo.
>
> Versions:
>
> icinga2-bin-2.4.1-1.el7.centos.x86_64
> icingaweb2-common-2.1.2-1.el7.centos.noarch
> icingaweb2-vendor-Parsedown-1.0.0-1.el7.centos.noarch
> icinga2-common-2.4.1-1.el7.centos.x86_64
> icinga2-2.4.1-1.el7.centos.x86_64
> icingaweb2-vendor-JShrink-1.0.1-1.el7.centos.noarch
> icingaweb2-vendor-HTMLPurifier-4.7.0-1.el7.centos.noarch
> php-Icinga-2.1.2-1.el7.centos.noarch
> icingaweb2-2.1.2-1.el7.centos.noarch
> icinga2-ido-mysql-2.4.1-1.el7.centos.x86_64
> icingaweb2-vendor-lessphp-0.4.0-1.el7.centos.noarch
> icingaweb2-vendor-dompdf-0.6.1-1.el7.centos.noarch
> icingacli-2.1.2-1.el7.centos.noarch
>
> (Also, but unrelated: when I try to register at monitoring-portal.org it fails with "server error". I know that's not an icinga-users issue, but hopefully someone who can do something will be notified.)
>
> Thanks for reading,
>
> --Jason
> _______________________________________________
> icinga-users mailing list
> icinga-users@lists.icinga.org
> https://lists.icinga.org/mailman/listinfo/icinga-users
I've installed icinga2/icingaweb2 on a RHEL6 system. I started with MySQL as backend first and configured the LDAP connection after I got the interface up and running.

I've put all certificates in our CA chain in /etc/pki/tls/certs. They must be readable for the users in the system (apache, icinga, ..) or your client won't be able to verify the LDAP certificate.

And in /etc/openldap/ldap.conf:

BASE dc=....,dc=....
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT demand

No problem so far.... after I increased the memory_limit in php.ini.... No wonder with about 90000 objects in our ou=People.

Regards
Berthold
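A pre-flight script for the checks Berthold describes (CA chain readable by the daemon users, TLS_REQCERT demand rather than never, then a STARTTLS bind run as the web-server user instead of as root). This is an added example, not code from the thread or from the Icinga project; the RHEL paths, the "apache" user name and the script name are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Pre-flight checks for the fix Berthold describes:
# CA chain readable by the daemon users, TLS_REQCERT demand (not "never"), then a STARTTLS
# bind as the web-server user. Paths and the "apache" user name are assumptions for RHEL.
set -u
CERT_DIR="${CERT_DIR:-/etc/pki/tls/certs}"
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"
WEB_USER="${WEB_USER:-apache}"

# Value of an ldap.conf directive (key matched case-insensitively, first hit wins), empty if absent.
ldap_conf_value() {            # $1 = conf file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" \
        '$1 !~ /^#/ && toupper($1) == key { print $2; exit }' "$1"
}

# 0 if the directory is world-searchable and every regular file in it is world-readable,
# which is what unprivileged daemons (apache, icinga) need to load the CA chain.
certs_world_readable() {       # $1 = directory
    d="$1"; rc=0
    [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    case "$(stat -c '%a' "$d")" in *[1357]) ;; *) echo "not world-searchable: $d" >&2; rc=1 ;; esac
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        case "$(stat -c '%a' "$f")" in *[4567]) ;; *) echo "not world-readable: $f" >&2; rc=1 ;; esac
    done
    return $rc
}

# The original poster only got a bind with TLS_REQCERT never; demand is the setting to keep.
reqcert_ok() {                 # $1 = conf file
    [ "$(ldap_conf_value "$1" TLS_REQCERT | tr '[:upper:]' '[:lower:]')" = "demand" ]
}

# Live check as the web-server user, where icingaweb2's ldap_start_tls() actually runs.
# -ZZ makes ldapsearch fail unless STARTTLS succeeds and the server certificate verifies.
bind_as_web_user() {           # $1 = ldap host, $2 = base dn
    sudo -u "$WEB_USER" ldapsearch -ZZ -x -H "ldap://$1" -b "$2" -s base 1.1 >/dev/null
}

main() {
    certs_world_readable "$CERT_DIR" || exit 1
    reqcert_ok "$LDAP_CONF" || { echo "set TLS_REQCERT demand in $LDAP_CONF" >&2; exit 1; }
    echo "CA directory readable and TLS_REQCERT is demand"
    [ $# -eq 2 ] && bind_as_web_user "$1" "$2" && echo "STARTTLS bind as $WEB_USER OK"
}

# Run only when asked, e.g.: RUN_CHECKS=1 sh ldapcheck.sh ldap.corp.com dc=corp,dc=com
if [ -n "${RUN_CHECKS:-}" ]; then main "$@"; fi
```

A CA file that root can read but apache cannot is exactly the case where ldapsearch works at the shell and the wizard still reports "Connect error", so the permission check runs before the live bind.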