[Check_mk (english)] LDAP over TLS

Hello All,

I’m trying to use the LDAP feature of cmk and have yet to get it to work. Maybe someone else has resolved a similar situation.

Our LDAP (openldap v3) uses TLS and listens on the regular port 389. From the command line I can connect as expected. However, when I put these same values in WATO, I get an error stating “confidentiality required”.

This works as expected on the server. The “-Z” starts the TLS request. It doesn’t look like python-ldap is starting the TLS and I don’t see an option in checkmk to provide this option. Thanks in advance for any ideas to help resolve this.

ldapsearch -Z -H ldap://auth-test.company -D "cn=manager,dc=company,dc=net" -W -b "dc=company,dc=net"


Check_MK currently does not support STARTTLS on LDAP. You can use SSL on
Port 636 to get the LDAP connection encrypted.

Regards


On 16.03.2018 at 20:31, Spencer Butler wrote:

This works as expected on the server. The “-Z” starts the TLS request.
It doesn’t look like python-ldap is starting the TLS and I don’t see an
option in checkmk to provide this option. Thanks in advance for any
ideas to help resolve this.

--
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG:
HRB 93818 B / Berlin-Charlottenburg Local Court,
Managing Director: Peer Heinlein -- Registered office: Berlin
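
What "-Z" does on the wire, as an added example that is not part of the thread and is not Check_MK or python-ldap code: the client sends the StartTLS extended request on port 389 and binds only once it succeeds, while a server that insists on encryption answers a cleartext bind with resultCode 13 (confidentialityRequired). The message layout follows RFC 4511; the function names and the two response byte strings are constructed for illustration.

```python
# Added example: LDAP message layout per RFC 4511, not Check_MK or python-ldap code.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation
CONFIDENTIALITY_REQUIRED = 13             # resultCode behind "confidentiality required"

def tlv(tag, value):
    """BER-encode one element (short-form length only, enough for these messages)."""
    if len(value) > 127:
        raise ValueError("long-form lengths are not handled here")
    return bytes([tag, len(value)]) + value

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated element or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos], buf[pos + 2:end], end

def parse_result(msg):
    """Return (protocolOp tag, resultCode, diagnosticMessage) of a response."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(body, 0)        # messageID
    op_tag, op, _ = read_tlv(body, pos)  # 0x61 BindResponse, 0x78 ExtendedResponse
    _, code, pos = read_tlv(op, 0)       # resultCode (ENUMERATED)
    _, _, pos = read_tlv(op, pos)        # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    return op_tag, int.from_bytes(code, "big"), diag.decode()

def starttls_accepted(response):
    """True only for an ExtendedResponse with success (0); the TLS handshake and bind follow."""
    op_tag, code, _ = parse_result(response)
    return op_tag == 0x78 and code == 0

# Constructed samples: a refused cleartext simple bind, and an accepted StartTLS.
BIND_REFUSED = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0a, bytes([CONFIDENTIALITY_REQUIRED]))
                   + tlv(0x04, b"") + tlv(0x04, b"TLS confidentiality required")))
STARTTLS_OK = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0a, b"\x00")
                  + tlv(0x04, b"") + tlv(0x04, b"")))
```

With LDAPS on port 636 none of these messages travel in cleartext, because the TLS handshake happens before the first LDAP byte is sent.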

Check_MK currently does not support STARTTLS on LDAP. You can use SSL on Port 636 to get the LDAP connection encrypted.

Is there a timeline for STARTTLS support? Using ldaps is not an option in our environment.

Regards


-----Original Message-----
From: checkmk-en [mailto:checkmk-en-bounces@lists.mathias-kettner.de] On Behalf Of Robert Sander
Sent: Saturday, March 17, 2018 05:39
To: checkmk-en@lists.mathias-kettner.de
Subject: Re: [Check_mk (english)] LDAP over TLS

On 16.03.2018 at 20:31, Spencer Butler wrote:

This works as expected on the server. The "-Z" starts the TLS request.
It doesn't look like python-ldap is starting the TLS and I don't see
an option in checkmk to provide this option. Thanks in advance for
any ideas to help resolve this.
