Unable to configure AD/LDAPS connection

I am unable to configure an LDAPS connection to my AD servers. The error I get is similar to the one I get if I try using ldapsearch with the -ZZ option (connection reset); however, ldapsearch works if I use the -H option instead of -h.

This returns a connection reset error when looking at strace or tcpdump logs:

ldapsearch -ZZ -LLL -h domaincontroller.org -p 636 -D 'CN=user,DC=ORG' -b CN=Users,DC=ORG -W
ldap_start_tls: Can't contact LDAP server (-1)

However, this works:

ldapsearch -LLL -H ldaps://domaincontroller.org:636 -D 'CN=user,CN=Users,DC=ORG' -b CN=Users,DC=ORG -W
Enter LDAP Password:

Here are the error logs from the check_mk web.log:

2021-11-29 11:11:01,267 [20] [cmk.web.ldap.Connection(AD) 1505387] LDAP CONNECT - Connecting...
2021-11-29 11:11:01,269 [20] [cmk.web.ldap.Connection(AD) 1505387] LDAP_BIND CN=user,CN=Users,DC=ORG
2021-11-29 11:11:01,273 [20] [cmk.web.ldap.Connection(AD) 1505387]   FAILED (SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 104, 'ctrls': [], 'info': 'Connection reset by peer'})
2021-11-29 11:11:01,273 [20] [cmk.web.ldap.Connection(AD) 1505387]   Received MKLDAPException('LDAP connection failed:\nldaps://domaincontroller.org:636: {\'result\': -1, \'desc\': "Can\'t contact LDAP server", \'errno\': 104, \'ctrls\': [], \'info\': \'Connection reset by peer\'}'). Retrying with clean connection...

Anyone have any idea what I could be doing wrong here?

Are you using Sites&Services by any chance? If yes, you’ll have to query the Global Catalog (3268,3269)…

Same result there; I can connect to 3269 with ldapsearch using SSL but not through check_mk.

OK, figured it out after looking at the source of lib/python3/cmk/gui/plugins/userdb/ldap_connector.py.

I thought it would use the library's SSL connections, but instead it uses its own file, var/ssl/ca-certificates.crt.

After adding my domain certs to that file I was able to connect and sync.

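As an added illustration of the fix described above (this is not code from the thread or from Checkmk itself): a small Python helper that handshakes with the LDAPS port trusting only the site bundle, the way the poster describes ldap_connector.py behaving, and appends the AD CA certificate to that bundle only when its fingerprint is not already present. The PEM blobs below are constructed placeholders rather than real certificates, and the host name is an assumption.

```python
"""Check an AD/LDAPS server against the Checkmk site CA bundle and add a
missing CA to it. Hypothetical helper, not part of Checkmk."""
import base64
import hashlib
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder blobs (valid base64, NOT real certificates), used only
# to exercise the bundle-merging logic offline.
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
SAMPLE_AD_CA = "-----BEGIN CERTIFICATE-----\nCgsMDQ4PEBESEw==\n-----END CERTIFICATE-----\n"


def pem_fingerprints(text):
    """SHA-256 fingerprints (over the DER bytes) of every certificate in a PEM bundle."""
    fps = set()
    for b64 in PEM_RE.findall(text):
        der = base64.b64decode("".join(b64.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def merge_ca_into_bundle(bundle_text, ca_pem):
    """Return (new_bundle_text, added); ca_pem is appended only if not already present."""
    if not (pem_fingerprints(ca_pem) - pem_fingerprints(bundle_text)):
        return bundle_text, False
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + ca_pem.strip() + "\n", True


def ldaps_trust_check(host, port, cafile):
    """TLS handshake with the LDAPS port using ONLY cafile as trust root, which is
    how the site bundle (var/ssl/ca-certificates.crt) is used. Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)  # no system CAs are loaded
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()["subject"]
    except ssl.SSLCertVerificationError as e:
        return False, f"issuing CA missing from {cafile}: {e.verify_message}"
    except (ConnectionResetError, ssl.SSLError, OSError) as e:
        return False, f"{type(e).__name__}: {e}"


if __name__ == "__main__":
    # Assumed host name and site path; adjust to the real domain controller and site.
    print(ldaps_trust_check("domaincontroller.org", 636, "var/ssl/ca-certificates.crt"))
```

A verification failure from ldaps_trust_check points at the bundle contents, while a bare connection reset points at the transport or the server side instead.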

Ah, so you are using self-signed certificates for your AD? Should've said that in the first place.

That is not the reason; every AD uses its own certificates. There is no self-signed one, as the AD has its own CA.
What @tschmidty wrote was also my first point: AD certificates imported to the CMK site. This needs to be done inside every AD.

Thanks @simon-mueller and @andreas-doehler. We actually use a Windows CA and I am well versed in trying to get those CA certs recognized in various tools. It probably could be better documented and/or have a WATO place to import those certs. Or perhaps there is one and I didn't find it.

The other odd thing is just how undescriptive the error was, but that is an LDAP issue and not a Check_MK problem.

Setup -> Global settings -> Trusted certificate authorities for SSL

Also available as a site-specific global setting.

And here are the docs: User management with LDAP/Active Directory

