
LDAPS authentication with Enterprise CA

  • 1.  LDAPS authentication with Enterprise CA

    Posted 02-05-2020 01:56 AM
    Hello,

    For years, we have been using the ZenPacks.zenoss.LDAPAuthenticator without SSL. Now, due to some changes on the Microsoft LDAP servers, we have been forced to use SSL encryption on LDAP.

    The latest version (3.3.3) of the ZenPack apparently doesn't allow you to skip the certificate verification. So, we reverted to a previous version (3.3.1) where you are allowed to skip the verification. This workaround should be only temporary; however, we saw other problems. Note that, although it's not perfect, this method is working. I have no idea what will happen with the next upgrade of Zenoss/Resource Manager.

    Like most enterprises, we are using our own CAs, at least for internal access to our servers (like a connection to an internal LDAP server). We tried several options, but it seems impossible, or at least difficult, to set up your own CA with the LDAP Authenticator. Zenoss Customer Support is just recommending that we use one of the official third-party CA providers (like IdenTrust, Comodo, GoDaddy, ...).

    I understood that the LDAP Authenticator is using the python-ldap library, which is wrapping the OpenLDAP libraries. However, we have not been able to successfully add the CA certificates within the LDAP Authenticator.

    We are not using a self-signed certificate. We have a certificate (for the LDAP server) that's signed by a chain of internal CAs. From the prompt, at the host level or within the zope container, the certificate is successfully validated. So, there's no issue with the certificates.

    How did you set up your own CA within the LDAP Authenticator? Don't you find it normal to use the CAs of your enterprise in such a case?

    Kind regards,




    ------------------------------
    Laurent Hemeryck
    Monitoring Engineer
    FedNot
    ------------------------------


  • 2.  RE: LDAPS authentication with Enterprise CA

    Posted 8 days ago
    Edited by Arthur 8 days ago
    Hi Laurent

    I'm seeing the same issue. Did you make any progress on this?

    Kind regards,

    ------------------------------
    Arthur
    ------------------------------



  • 3.  RE: LDAPS authentication with Enterprise CA

    Posted 5 days ago
    Hello Arthur,

    I didn't make any progress on this. Zenoss claims that I have to use a certificate delivered by a Certificate Authority company (Comodo, GeoTrust, DigiCert, ...). Is any enterprise buying certificates for its internal servers?

    Kind regards,

    Laurent

    ------------------------------
    Laurent Hemeryck
    Monitoring Engineer
    FedNot
    ------------------------------



  • 4.  RE: LDAPS authentication with Enterprise CA

    Posted 2 days ago
    Hi Laurent

    I have a Zenoss instance RM 6.3.2 with the LDAPAuthenticator ZP Version 3.3.3 which is working.

    About the history:
    We tried to make it work with different configuration changes in 2018 but had no success. It turned out that it was a known defect, and for the time being we had to use the ignore checkbox in the LDAP config to work around this.

    We were then notified that the issue had been fixed in release RM 6.3. With the upgrade to 6.3.2 it looks like we got a new LDAPAuthenticator ZP version 3.3.3, and with this the ignore checkbox in the LDAP config disappeared. Surprisingly, the LDAP authentication with the SSL checkbox checked is now working.
    On the other hand, I don't know exactly which change made it work :-)

    I am currently building a new 6.4.1 environment, and just uploading the certificate under Manage SSL Certificates does not work. So I have to find out what made it work last time.
    Using a certificate delivered by a Certificate Authority company is not an option for us!

    Due to the current situation I can only share the error message from 2018 but the one I got with 6.4.1 looks similar.

    Maybe you can share yours as well for comparison.

    2018-09-11T13:11:39 ERROR event.LDAPDelegate {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)', 'desc': "Can't contact LDAP server"}
    Traceback (most recent call last):
      File "/opt/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 412, in search
        connection = self.connect(bind_dn=bind_dn, bind_pwd=bind_pwd)
      File "/opt/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 305, in connect
        raise e
    SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)', 'desc': "Can't contact LDAP server"}

    Regards



    ------------------------------
    Arthur
    ------------------------------
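
The error quoted in post 4 (OpenSSL verify error 19, "self signed certificate in certificate chain") is what the OpenLDAP client library, and therefore python-ldap as mentioned in post 1, reports when it can build the server's chain all the way up to a self-signed root but has no trust anchor configured that covers that root. The script below is an added example, not part of this thread and not Zenoss or ZenPack code: it constructs a throwaway internal PKI (root CA, issuing CA, LDAP server certificate; all names are assumptions) with the openssl CLI, reproduces the failure with `openssl verify`, and then shows the same check passing once the enterprise root is supplied as the CA file. It assumes `openssl` and `mktemp` are on PATH and runs entirely offline.

```shell
#!/bin/sh
# Added example (not Zenoss/ZenPack code). Builds a constructed three-level
# internal PKI and reproduces/fixes OpenSSL verify error 19 from the thread.
# corp-root-ca, corp-issuing-ca and ldap.corp.example are assumed names.
set -e

PKI="${PKI:-$(mktemp -d)}"

# Issue one certificate into $PKI.
#   $1 basename, $2 subject, $3 "ca" or "server",
#   $4/$5 issuer cert/key basenames (omit both for a self-signed root).
issue_cert() {
    name=$1; subject=$2; kind=$3; issuer_crt=${4:-}; issuer_key=${5:-}
    if [ "$kind" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$PKI/$name.ext"
    else
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
            "${subject#/CN=}" > "$PKI/$name.ext"
    fi
    openssl genrsa -out "$PKI/$name.key" 2048 2>/dev/null
    openssl req -new -key "$PKI/$name.key" -subj "$subject" -out "$PKI/$name.csr" 2>/dev/null
    if [ -z "$issuer_crt" ]; then
        openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" -days 3650 \
            -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer_crt" -CAkey "$PKI/$issuer_key" \
            -CAcreateserial -days 825 -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
    fi
}

build_pki() {
    issue_cert root    '/CN=corp-root-ca'      ca
    issue_cert issuing '/CN=corp-issuing-ca'   ca     root.crt    root.key
    issue_cert ldap    '/CN=ldap.corp.example' server issuing.crt issuing.key
    # Constructed stand-in for what the LDAPS server presents during the
    # handshake: leaf plus the CA certificates it has been configured with.
    cat "$PKI/ldap.crt" "$PKI/issuing.crt" "$PKI/root.crt" > "$PKI/chain.pem"
}

# Failure mode from the thread: the presented chain is complete up to a
# self-signed root, but no configured trust anchor covers it, so OpenSSL
# rejects it with error 19 ("self signed certificate in certificate chain").
verify_without_trust_anchor() {
    openssl verify -untrusted "$PKI/chain.pem" "$PKI/ldap.crt" 2>&1
}

# The fix: give the client the enterprise root as a trusted CA file. Only the
# root needs to be trusted; intermediates may stay untrusted (sent by the peer).
verify_with_enterprise_root() {
    openssl verify -CAfile "$PKI/root.crt" -untrusted "$PKI/issuing.crt" "$PKI/ldap.crt" 2>&1
}

build_pki
echo "--- no trust anchor configured:"
verify_without_trust_anchor || true
echo "--- enterprise root supplied with -CAfile:"
verify_with_enterprise_root
```

Against a real domain controller the equivalent check is `openssl s_client -connect <dc>:636 -CAfile root.crt -showcerts`, which also shows which certificates the server actually sends. For the OpenLDAP client library that python-ldap wraps, the standard way to supply that root is the `TLS_CACERT` directive in ldap.conf (or the `LDAPTLS_CACERT` environment variable), or `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, path)` from Python; whether the ZenPack's container honours any of these is not something this thread establishes.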