LDAP(s) auth without certificate

Hello,

I’m currently using LDAP authentication (MS Active Directory in my case) for my users.
It is working without SSL, on port 389.

Because Microsoft is updating the LDAP implementation to restrict access without a certificate or signed LDAP, I also want to change CheckMK to use signed LDAP. Is there a way to do this? At the moment I only see the option with a certificate and not signed-only.

Regards
CheckMan

What do you mean by “signed only”?

If you want to use LDAP with TLS encryption (either STARTTLS on port 389/tcp or directly LDAP-over-SSL on port 636/tcp), then your LDAP server must have a TLS certificate.

For “signed” I don’t need to import the LDAP server (domain controller) certificate into my checkmk server.

@CheckMan you never need to directly import the LDAP server cert into check_mk, as long as check_mk is able to verify your certificate via the root and intermediate certificates, provided you have one.

At least that's what I know.

Will this also work with non-official certificates? Our domain controller has a self-signed cert…

Yes, if you give the certificate to your Linux system as a trusted root cert.

These two are completely different things.
STARTTLS should not work at the moment, as the call to the Python LDAP module's option (.start_tls_s()) is missing inside the code.
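The two connection modes discussed in the replies above (LDAP-over-SSL on 636/tcp versus STARTTLS on 389/tcp, which is the operation python-ldap's .start_tls_s() performs) as an added example that is not from this thread, from Checkmk or from python-ldap: a standard-library-only Python script that hand-encodes the StartTLS extended request, parses the DC's reply, and in both modes verifies the domain controller certificate against a CA file you supply (for a self-signed DC certificate that file is the DC certificate itself, which is what "trust it as a root cert" amounts to). The host name, the CA file path and the reply bytes used for testing are assumptions.

```python
"""LDAPS vs StartTLS to an Active Directory DC, standard library only.
Added example (not Checkmk or python-ldap code); host and CA path are assumptions."""
import socket
import ssl
import sys

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 s4.14


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form (0x80|count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    msg_id = ber_tlv(0x02, message_id.to_bytes(message_id.bit_length() // 8 + 1, "big"))
    request_name = ber_tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] context-specific
    return ber_tlv(0x30, msg_id + ber_tlv(0x77, request_name))  # 0x77 = APPLICATION 23


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data: bytes):
    """Parse an ExtendedResponse; return (messageID, resultCode, diagnosticMessage)."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:  # APPLICATION 24 = ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _read_tlv(op, 0)    # resultCode ENUMERATED (0 = success)
    _, _, pos = _read_tlv(op, pos)     # matchedDN, not needed here
    _, diag, _ = _read_tlv(op, pos)    # diagnosticMessage
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DC closed the connection before answering StartTLS")
        buf += chunk
    return buf


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed message: tag + length header, then the declared body."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def tls_context(cafile: str) -> ssl.SSLContext:
    """Trust only cafile: the issuing root/intermediate chain, or the DC cert itself if self-signed."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # the DC cert must carry the name you connect to as a SAN
    return ctx


def connect_ldaps(host: str, cafile: str, port: int = 636) -> ssl.SSLSocket:
    """LDAP over SSL: TLS from the first byte, no LDAP traffic before the handshake."""
    raw = socket.create_connection((host, port), timeout=10)
    return tls_context(cafile).wrap_socket(raw, server_hostname=host)


def connect_starttls(host: str, cafile: str, port: int = 389) -> ssl.SSLSocket:
    """Plain LDAP first, then the StartTLS operation, then TLS on the same socket."""
    raw = socket.create_connection((host, port), timeout=10)
    raw.sendall(starttls_request())
    _, code, diag = parse_extended_response(recv_ldap_message(raw))
    if code != 0:  # e.g. a DC without any certificate installed refuses StartTLS
        raw.close()
        raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
    return tls_context(cafile).wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # usage: python ldap_tls.py dc01.example.internal /etc/ssl/certs/corp-root-ca.pem [ldaps|starttls]
    dc, ca = sys.argv[1], sys.argv[2]
    mode = sys.argv[3] if len(sys.argv) > 3 else "ldaps"
    conn = connect_starttls(dc, ca) if mode == "starttls" else connect_ldaps(dc, ca)
    print(f"{mode}: {conn.version()} {conn.cipher()[0]} subject={conn.getpeercert()['subject']}")
    conn.close()
```

Both paths end in the same verified TLS socket, which is why the server needs a certificate in either mode; the only difference is whether cleartext LDAP is spoken first. If the CA file does not chain to the DC certificate, wrap_socket raises an ssl.SSLCertVerificationError, which is the same failure a monitoring server shows when the DC certificate has not been added to its trusted certificates.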

Sorry I don’t get it.

What do you mean exactly with “give”?

Your monitoring server must trust the certificate from the DC. Inside WATO you can add certificates to the trusted certs.

