LDAP TLS SSL

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

Post Reply
DukeR
Posts: 26
Joined: Fri Dec 19, 2008 3:50 am

LDAP TLS SSL

Post by DukeR »

Hi everybody

I am using cacti 0.8.7b on a CentOS machine, and i wanna use the SSL or TLS encryption, but it doesn't work. Without encryption everything works fine.

this are my settings for none Encryption:

server: test.domain.com
Port Standard: 389
Port SSL: 636
Protocol: 3
Encryption: None
No searching
Distinguished Name (DN): <username>@test.domain.com
Search Base: dc=test,dc=domain,dc=com

and this for Encryption:

server: test.domain.com
Port Standard: 389
Port SSL: 636
Protocol: 3
Encryption: SSL or TLS
No searching
Distinguished Name (DN): <username>@test.domain.com
Search Base: dc=test,dc=domain,dc=com

The error messages are the following:

LDAP Error: General bind error, LDAP result: Can't contact LDAP server

or when i try to use TSL

LDAP Error: Protocol error, unable to start TLS communications

What is the problem? i saw an other post and the developer told there that he never tested this!
vpl
Posts: 15
Joined: Thu Nov 01, 2007 11:09 pm

Post by vpl »

I'm going to assume you're using Active Directory as the LDAP server.

You need to install a certificate on the domain controller. See http://support.microsoft.com/kb/321051 for instructions. Once you install the cert you can test it out using ldp (start/run/ldp). Try connecting to your server on port 636 using SSL. If everything is setup right then it will connect. You'll also see something like Host supports SSL, SSL cipher strength = 128 bits somewhere in the messages it spits out. If the certificate wasn't installed correctly then it won't connect.

After you get the server accepting LDAPS connections you'll need to configure your linux host to connect using SSL. My post at http://forums.cacti.net/viewtopic.php?t=31115 has instructions on how to do so.

You don't have to configure the binding section. I know I told you that in the pm I sent earlier, but I just tested it out and it works even if Cacti is set to "No Searching".

Good luck.
DukeR
Posts: 26
Joined: Fri Dec 19, 2008 3:50 am

Post by DukeR »

Yeah i am using active directory! But the problem is i haveno chance to change oder install anything on the AD Server!

So there is no other possibilty to bringt it up?
vpl
Posts: 15
Joined: Thu Nov 01, 2007 11:09 pm

Post by vpl »

A certificate on the domain controller is a requirement. If you can't get that installed, then I don't think you're going to get this working.

From MS:
There is no user interface for configuring LDAPS. Installing a valid certificate on a domain controller permits the LDAP service to listen for, and automatically accept, SSL connections for both LDAP and global catalog traffic.
DukeR
Posts: 26
Joined: Fri Dec 19, 2008 3:50 am

Post by DukeR »

okey thank you so much, i will see what i can do

can i pm you when i got any questions???
vpl
Posts: 15
Joined: Thu Nov 01, 2007 11:09 pm

Post by vpl »

Sure thing.
Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests