Could not bind to the LDAP server

Hi all,

I use the latest checkmk enterprise version.
We now have 2 Windows 2025 domain controllers, and for the LDAP check I got the message “Could not bind to the LDAP server”. Does anyone have any idea what the problem could be?

Regards
Stephan

Hi,

I will assume for now that you are running a Linux CheckMK instance (as you have not given this detail).

I also had similar issues (just not with AD) and in the end it was due to the fact that the CheckMK server was unable to resolve the certificate chain.

The discussion I had was posted here: https://forum.checkmk.com/t/check-ldap-refusing-to-connect-with-tls-requirement-on-ldap-server/51349

In the end it was resolved by adding the CA certificate to the store of CheckMK.

Hope the referenced thread will help you resolve your issue in the same way it did for me.

  • Glowsome

Hi,
You are right. It is a Linux system (an original CheckMK Hardware Appliance).
I have added the root certificate from our CA to the checkmk server.
If I run a test with:

openssl s_client --connect servername:636

I get this

Verify return code: 66 (EE certificate key too weak)

Stephan

I searched around and found this: https://superuser.com/questions/1640089/ssl-certificate-ee-certificate-key-too-weak

  • Glowsome

Hi Glowsome,

I had changed the openssl.cfg file. But the error is the same.
I will check if I can change the certificate of the domain controller.

I myself would not have gone down that road, as it will weaken security.

FYI (this was already published in 2023):

Use Strong Private Keys: Larger keys are harder to crack, but require more computing overhead. Currently, at least a 2048-bit RSA key or 256-bit ECDSA key is recommended, and most websites can achieve good security while optimizing performance and user experience with these values.

So if you are below that, you should regenerate the key/certificate pair with at least the above as a minimum.

  • Glowsome
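
For the "EE certificate key too weak" result and the key-size minimum discussed in this thread, an added example (not part of any post above and not Checkmk code): a shell function that reads `openssl x509 -noout -text` output and compares the certificate's public key against the 2048-bit RSA / 256-bit ECDSA minimum quoted above. The function name `check_key_strength` and the sample excerpts are constructed for illustration; `servername` is the placeholder used in the thread.

```shell
#!/usr/bin/env bash
# Added example: judge a certificate's public key against the minimums quoted
# in the thread (2048-bit RSA, 256-bit ECDSA). Function name is hypothetical.
#
# Live use (servername is a placeholder):
#   openssl s_client -connect servername:636 </dev/null 2>/dev/null \
#     | openssl x509 -noout -text | check_key_strength

check_key_strength() {
  local text alg bits min
  text=$(cat)
  # Line looks like: "Public Key Algorithm: rsaEncryption"
  alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1)
  # OpenSSL 3 prints "Public-Key: (2048 bit)", 1.1.1 prints "RSA Public-Key: (2048 bit)"
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n1)
  if [ -z "$alg" ] || [ -z "$bits" ]; then
    echo "UNKNOWN: no public key information found"
    return 2
  fi
  case "$alg" in
    rsaEncryption)  min=2048 ;;
    id-ecPublicKey) min=256 ;;
    *) echo "UNKNOWN: unhandled algorithm $alg ($bits bit)"; return 2 ;;
  esac
  if [ "$bits" -lt "$min" ]; then
    echo "WEAK: $alg $bits bit, minimum $min"
    return 1
  fi
  echo "OK: $alg $bits bit"
}

# Constructed excerpts of "openssl x509 -noout -text" output (not from a real server).
SAMPLE_RSA_1024='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'
SAMPLE_RSA_2048='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)'
SAMPLE_EC_256='        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'

# Demo on the constructed weak sample; "|| true" keeps the script going on WEAK.
printf '%s\n' "$SAMPLE_RSA_1024" | check_key_strength || true
```

A WEAK result on the domain controller's certificate points to reissuing it with a larger key rather than lowering the client's OpenSSL settings.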