[solved] LDAP Authentication against AD with SSL not working


Post by Schnark »

Hi All,

We've got Cacti working fine without SSL enabled, against a server that accepts authentication either with or without SSL.

For obvious reasons, we want to turn on SSL authentication. We know the certificate is fine, as we've imported the ROOT CA certificates with other apps and they're able to authenticate against the server using LDAP over SSL.

We run our own ROOT CA internally and automatically deploy the certificates to all of the Windows servers, and I've checked that the certificate is imported into the Windows store.

I've read what doco I can about this, but everyone who is running into problems seems to be using Linux boxes to authenticate with LDAP/SSL to the Windows AD, not Windows authenticating against Windows. I've also read http://forums.cacti.net/viewtopic.php?t=31115, which seems to indicate that you need to import the certificate.

Settings are as below, but can someone please tell me whether we need to import the ROOT CA into the Perl certificate store or somewhere else?

FYI: from the Windows 2003 R2 box that hosts Cacti, you can use the Windows LDP tool to successfully make an SSL LDAP connection to the Active Directory box we're trying to authenticate to.

These are the settings that work when SSL isn't enabled:

Guest User: No User
User Template: aduser
Server: <server name>
Port Standard: 389
Port SSL: 636
Protocol Version: Version 3
Encryption: None
Referrals: Disabled
Mode: Specific Searching
Distinguished Name: <username>@<activedirectorydomain.com>
Require Group Membership: Yes
Group Distinguished Name: <path to group name>
Group Member Attribute: member
Group Member Type: Distinguished Name
Search Base: <search location>
Search Filter: (&(objectCategory=person)(objectClass=user)(cn=<username>))
Search Distinguished Name: <account Name>
Search Password: <As Applicable>

To try to make this work, I've tried changing:
- Encryption to SSL
- Referrals to on
- LDAP back to ver 2

but it keeps failing with the following error:

06/11/2010 04:46:59 PM - AUTH LOGIN: LDAP Error: Unable to connect to server
06/11/2010 04:46:59 PM - AUTH LDAP_SEARCH: Unable to connect to server

Other info is:
Date: Fri, 11 Jun 2010 17:02:35 +1000
Cacti Version: 0.8.7e
Cacti OS: win32
SNMP Version: NET-SNMP version 5.4.2.1
RRDTool Version: RRDTool 1.2.x
Hosts: 1448
Graphs: 10281
Data Sources:
  SNMP: 7069
  SNMP Query: 6858
  Script - Script Server (PHP): 2
  Total: 13929

Post by TheWitness »

PM Rony. However, I do know that when performing SSL-based connections from Linux to AD there is a change in /etc required. I don't know the change. I would think you could google it.


Post by Schnark »

Hi,

I've seen in the info for Linux systems that you need to import the certificate into the relevant certificate store on the Linux system, which makes sense.

The issue is, do I need to do that to a perl store on Windows or is the Windows store (as viewed via IE) okay?

The other question is, do I need OpenSSL and IO::Socket::SSL enabled, as per the "What other modules" section of http://ldap.perl.org/FAQ.html?

Cheers,

Kieran

Post by Schnark »

Hi,

I just found this webpage which seems to detail how to setup LDAP over SSL on Windows through PHP - i.e. exactly what Cacti is doing.

http://greg.cathell.net/php_ldap_ssl.html

I'll give this a try tomorrow and advise back how it goes.

Cheers,

Kieran
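As an added example (not Cacti's code, and not from the thread or the linked page), the check below reproduces outside the web UI what Cacti's "Specific Searching" mode does with the settings in the first post: an ldaps:// connection, a bind with the search account, a search for the user, a group-membership check on the `member` attribute, and a final bind as the user's DN. Server name, DNs, group and file paths are placeholders. The point to take from it is where the failure surfaces: PHP's `ldap_connect()` only records the URI, so an untrusted server certificate does not fail until the first bind, and on Windows the OpenLDAP client library behind `php_ldap.dll` validates that certificate against the `TLS_CACERT` file named in its own `ldap.conf`, not against the Windows certificate store that LDP.exe uses. That is why LDP succeeds while Cacti reports "Unable to connect to server".

```php
<?php
// Added example (not Cacti's code): a stand-alone LDAPS check that performs the
// same steps as Cacti's "Specific Searching" mode, so a failure can be isolated
// from the web UI. All names below are placeholders, not values from the thread.
$server     = 'dc01.example.com';   // assumption: DC FQDN; it must match a name in the server certificate
$port       = 636;
$searchDn   = 'svc-cacti@example.com';                      // Search Distinguished Name (UPN form, as in the thread)
$searchPw   = 'search-account-password';
$searchBase = 'DC=example,DC=com';                          // Search Base
$groupDn    = 'CN=Cacti Users,OU=Groups,DC=example,DC=com'; // Group Distinguished Name
$username   = isset($argv[1]) ? $argv[1] : 'jdoe';          // user being authenticated
$password   = isset($argv[2]) ? $argv[2] : '';

// RFC 4515 escaping for values spliced into a filter, so a username such as
// "*)(cn=*" cannot widen the search. Backslash is replaced first so the \XX
// sequences produced by the later replacements are not escaped again.
function ldap_filter_escape($value) {
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),
        array('\5c', '\2a', '\28', '\29', '\00'),
        $value
    );
}

// An empty password makes AD treat the bind as unauthenticated (anonymous),
// which would look like a successful login. Reject it before talking to the server.
if ($password === '') {
    fwrite(STDERR, "refusing empty password\n");
    exit(1);
}

// ldap_connect() only records the URI; the TCP connection and TLS handshake are
// deferred to the first operation, which is why "Unable to connect to server"
// shows up on the bind, not here. The ldaps:// scheme is what selects SSL on 636.
$ldap = ldap_connect("ldaps://$server:$port");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);  // AD needs v3 binds; matches "Protocol Version: Version 3"
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);         // matches "Referrals: Disabled"; chasing AD referrals anonymously fails

// Step 1: bind with the search account. On Windows the OpenLDAP client library
// behind php_ldap.dll validates the server certificate against TLS_CACERT in its
// own ldap.conf, not the Windows certificate store, so this is the step that
// fails when the internal root CA has only been imported into Windows.
if (!@ldap_bind($ldap, $searchDn, $searchPw)) {
    fwrite(STDERR, "search bind failed: " . ldap_error($ldap) . "\n");
    exit(1);
}

// Step 2: locate the user with the thread's filter, escaping the substituted value.
$filter  = '(&(objectCategory=person)(objectClass=user)(cn=' . ldap_filter_escape($username) . '))';
$result  = ldap_search($ldap, $searchBase, $filter, array('dn'));
$entries = ldap_get_entries($ldap, $result);
if ($entries['count'] !== 1) {
    fwrite(STDERR, "expected exactly one match for $username, got {$entries['count']}\n");
    exit(1);
}
$userDn = $entries[0]['dn'];

// Step 3: "Require Group Membership" with Group Member Type = Distinguished Name:
// a base-scope read of the group object, filtered on member=<user DN>.
$groupResult = ldap_read($ldap, $groupDn, '(member=' . ldap_filter_escape($userDn) . ')', array('cn'));
if (ldap_count_entries($ldap, $groupResult) !== 1) {
    fwrite(STDERR, "$userDn is not a member of $groupDn\n");
    exit(1);
}

// Step 4: prove the user's password by binding as the user's DN.
if (!@ldap_bind($ldap, $userDn, $password)) {
    fwrite(STDERR, "user bind failed: " . ldap_error($ldap) . "\n");
    exit(1);
}
echo "authenticated $userDn over LDAPS\n";
ldap_unbind($ldap);
```

Run it from the Cacti box's PHP as `php ldaps_check.php jdoe 'password'`. If step 1 fails with a "Can't contact LDAP server" style error while LDP.exe connects fine, export the internal root CA from the Windows store as a Base-64 (PEM) X.509 file and point the OpenLDAP client at it with a `TLS_CACERT <path to that file>` line in its `ldap.conf` (the PHP Windows builds are assumed here to look for it under `C:\OpenLDAP\sysconf\`; confirm the path for your build). Keep `TLS_REQCERT demand` (the default) rather than switching it to `never`: the latter makes the error go away by disabling certificate validation, which defeats the reason for turning SSL on.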

Post by Schnark »

Hi,

This worked a treat with a few minor tweaks.

I'm happy to try and help update the normal Cacti doco to cover this if someone can let me know the best way to do this?

Cheers,

Kieran

Post by lenzd1 »

What were the tweaks you made? I'm getting ready to run through the instructions listed on http://greg.cathell.net/php_ldap_ssl.html to try to get SSL encryption working.

Thanks