TLS support in CheckMK -- Support for LDAP with StartTLS

Hi,

I found this thread from 2018 stating that CheckMK doesn’t support connecting to LDAP via TLS.

Does CheckMK support this, now (quite some time passed :smiley:)?

Malte

Okay, I can answer myself here. Looked in cmk/gui/userdb/ldap_connector.py:[325,339]. It doesn’t.

As it is using python-ldap, the only missing piece would be to call the conn.start_tls_s() function and TLS should work then.

I guess for user experience it would make sense to have a checkbox “use TLS” in the GUI for this.

Or is there some technical reason why TLS isn’t supported right now?

So yes, it’s just the conn.start_tls_s(). I can connect via TLS now. Had to also replace ldaps with ldap in the URI, but that’s just because I don’t know the codebase and therefore don’t know where the right place for doing it is.

If there were a config option “use TLS”, that would be easier.

Just for reference my hacky solution, ldap_connector:[309,335] now looks like:

            # Hack: StartTLS starts on a plain ldap:// connection, so force the scheme here.
            uri = self._format_ldap_uri(server).replace('ldaps', 'ldap')
            conn = ldap.ldapobject.ReconnectLDAPObject(
                uri, trace_level=trace_level, trace_file=trace_file
            )
            conn.protocol_version = self._config.get("version", 3)
            conn.network_timeout = self._config.get("connect_timeout", 2.0)
            conn.retry_delay = 0.5

            # When using the domain top level as base-dn, the subtree search stumbles with referral objects.
            # whatever. We simply disable them here when using active directory. Hope this fixes all problems.
            if self.is_active_directory():
                conn.set_option(ldap.OPT_REFERRALS, 0)

            if "use_ssl" in self._config:
                conn.set_option(ldap.OPT_X_TLS_CACERTFILE, str(cmk.utils.paths.trusted_ca_file))

                # Caused trouble on older systems or systems with some special configuration or set of
                # libraries. For example we saw a Ubuntu 17.10 system with libldap 2.4.45+dfsg-1ubuntu1 and
                # libgnutls30 3.5.8-6ubuntu3 raising "ValueError: option error" while another system with
                # the exact same libraries did not. Try to do this on systems that support this call and ignore
                # the errors on other systems.
                try:
                    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
                except ValueError:
                    pass

                # Upgrade the still-plaintext session to TLS via the StartTLS extended operation.
                conn.start_tls_s()

It’s not clear what you are referring to.
User synchronization or check LDAP, or what?

I’m referring to the user sync.

Checkmk supports SSL (LDAPS) but not LDAP over TLS.

I know, but SSL isn’t an option, it must be TLS.

And since this change is actually quite trivial (well, modulo the time it takes through tribe29’s development process, I don’t know how much time that is), this should absolutely be added.

Hello @ForceFaction

I’d suggest adding this as a feature proposal in Checkmk feature portal: https://features.checkmk.com/ where people could vote for it and devs will see it :slight_smile:


Alright, didn’t know this existed :slight_smile:


Hi all,

I would like to add a point of clarification here. Checkmk does indeed support LDAP via TLS, as in TLS version 1.2 and TLS version 1.3. This can be achieved using the (unfortunately named) “use SSL” option.

This will enable LDAPS, aka “LDAP over TLS/SSL”. With LDAPS the client will use a dedicated port (636 by default) to directly establish a TLS-encrypted connection to the server. And it will not use SSLv3, but (depending on what can be negotiated with the server) TLS 1.2 or TLS 1.3 to do so.

Now to the confusing part: In addition to LDAPS, which is not officially standardized in LDAPv3, an LDAP connection can be secured using StartTLS (much like SMTP/IMAP). This however, is not supported by Checkmk. This is also what the patch posted by @ForceFaction would work towards.

Note that the opinions are divided on the question of LDAPS vs StartTLS. StartTLS has the advantage that it’s the official way to do it as per LDAPv3; but the disadvantage that it’s possible to force a downgrade to unencrypted communication.

Hope this helps to remove some confusion :slight_smile:

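To make the LDAPS-versus-StartTLS distinction from the post above concrete, here is an added python-ldap example. It is not Checkmk’s code and not the patch from this thread: the config keys `server`, `port`, `use_starttls` and `connect_timeout` are assumptions for the example (only `use_ssl` exists in the Checkmk connector), and the hostname in the test is constructed. The planning logic is pure Python; the `connect()` function needs the python-ldap package installed and is only called when you actually want to talk to a server. Its point is the fail-closed handling of StartTLS: if the upgrade is refused, the client raises instead of binding over plaintext, which is what closes the downgrade door mentioned above.

```python
"""LDAPS vs StartTLS with python-ldap (added example, not Checkmk's own code).

Config keys "server", "port", "use_starttls" and "connect_timeout" are
assumptions made for this example; only "use_ssl" exists in Checkmk itself.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConnectionPlan:
    uri: str          # ldaps://host:636 or ldap://host:389
    starttls: bool    # upgrade the plaintext session with StartTLS after connecting
    encrypted: bool   # True for either LDAPS or StartTLS


def plan_connection(config: dict) -> ConnectionPlan:
    """Decide how the connection is secured.

    - "use_ssl"      -> LDAPS: TLS from the first byte on a dedicated port (636).
    - "use_starttls" -> plain LDAP on 389, then the StartTLS extended operation.
    Both at once is a misconfiguration: a socket that already speaks TLS cannot
    be upgraded again, so refuse instead of guessing.
    """
    use_ssl = bool(config.get("use_ssl"))
    use_starttls = bool(config.get("use_starttls"))
    if use_ssl and use_starttls:
        raise ValueError("use_ssl and use_starttls are mutually exclusive")
    host = config["server"]
    if use_ssl:
        port = config.get("port", 636)
        return ConnectionPlan(f"ldaps://{host}:{port}", starttls=False, encrypted=True)
    port = config.get("port", 389)
    return ConnectionPlan(f"ldap://{host}:{port}", starttls=use_starttls, encrypted=use_starttls)


def connect(config: dict, ca_file: str, bind_dn: Optional[str] = None,
            password: str = "", allow_plaintext: bool = False):
    """Open the connection described by plan_connection() and bind.

    Fails closed: if StartTLS is requested and the upgrade does not succeed,
    raise rather than continue in plaintext. A client that never binds on an
    unencrypted session cannot be downgraded into sending credentials in the clear.
    """
    import ldap  # python-ldap; imported lazily so the planning logic needs no C library

    plan = plan_connection(config)
    if not plan.encrypted and not allow_plaintext:
        raise RuntimeError(f"refusing unencrypted LDAP to {plan.uri}")

    conn = ldap.initialize(plan.uri)
    conn.protocol_version = ldap.VERSION3
    conn.network_timeout = float(config.get("connect_timeout", 2.0))

    if plan.encrypted:
        # Validate the server certificate against our trust store; DEMAND aborts the
        # handshake on an unknown or mismatching certificate instead of proceeding.
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        # Apply the TLS options to a fresh context; some libldap builds raise here
        # (see the thread above), in which case the options still apply.
        try:
            conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
        except ValueError:
            pass

    if plan.starttls:
        try:
            conn.start_tls_s()
        except ldap.LDAPError as exc:
            conn.unbind_s()
            raise RuntimeError(
                f"StartTLS refused by {plan.uri}; not falling back to plaintext"
            ) from exc

    if bind_dn:
        conn.simple_bind_s(bind_dn, password)
    return conn
```

A usage such as `connect({"server": "ldap.example.internal", "use_starttls": True}, "/etc/ssl/certs/ca-certificates.crt", "cn=sync,dc=example,dc=internal", "secret")` ends up on `ldap://ldap.example.internal:389`, upgrades with `start_tls_s()`, and only then binds; the same config with `use_ssl` instead goes straight to port 636 with TLS from the first packet.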

Hi @ForceFaction,

Do you think that based on what @Hannes clarified we could rename the topic so people searching for it could find it easier? It is rather general atm – maybe adding something like “Support for LDAP with StartTLS” into the title?


Sure; I fail to find the edit button though :sweat_smile:

I can do moderator magic here :slight_smile:
