LDAPS authentication with Enterprise CA

  • 1.  LDAPS authentication with Enterprise CA

    Posted 02-05-2020 01:56 AM

    For years, we have been using the ZenPacks.zenoss.LDAPAuthenticator without SSL. Now, due to some changes on the Microsoft LDAP servers, we have been forced to use SSL encryption on LDAP.

    The latest version (3.3.3) of the ZenPack apparently doesn't allow you to skip the certificate verification. So, we reverted to a previous version (3.3.1) where you are allowed to skip the verification. This workaround should be only temporary; however, we saw other problems. Note that, although it's not perfect, this method is working. I have no idea what will happen with the next upgrade of Zenoss/Resource Manager.

    Like most enterprises, we are using our own CAs, at least for the internal access of our servers (like a connection to an internal LDAP server). We tried several options, but it seems impossible or at least difficult to set up your own CA with the LDAP Authenticator. The Customer Support of Zenoss is just recommending that we use one of the official third-party CA providers (like IdenTrust, Comodo, GoDaddy, ...).

    I understood that the LDAP Authenticator is using the python-ldap library, which is wrapping the OpenLDAP libraries. However, we have not been able to successfully add the CA certificates within the LDAP Authenticator.

    We are not using a self-signed certificate. We have a certificate (for the LDAP server) that's signed by a chain of internal CAs. From the prompt, on the Host level, or within the zope container, the certificate is successfully validated. So, there's no issue with the certificates.

    How did you set up your own CA server within the LDAP Authenticator? Don't you find it normal to use the CAs of your enterprise in such a case?

    Kind regards,

    Laurent Hemeryck
    Monitoring Engineer
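
An added example, not part of the original post and not the ZenPack's own code: a stand-alone check of whether python-ldap, the library the post names, accepts an enterprise CA chain when it is given the bundle explicitly and verification stays enforced. The function names, the bundle path and the bind parameters are assumptions, and the pre-check uses Python's own `ssl` module, which may be a different TLS backend from the one python-ldap was built against.

```python
import ssl


def count_ca_certs(bundle_path):
    """Return how many CA certificates load from a PEM bundle.

    Returns 0 when the file is missing, unreadable or holds no valid
    certificate. The bundle for an internal PKI should contain the root
    and every intermediate CA in the chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=bundle_path)
    except OSError:  # FileNotFoundError and ssl.SSLError are both OSError
        return 0
    return len(ctx.get_ca_certs())


def ldaps_bind_with_ca(uri, bundle_path, bind_dn, password):
    """Bind over LDAPS trusting only the CAs in bundle_path.

    Verification is kept mandatory (OPT_X_TLS_DEMAND), so a failure here
    points at the trust chain or the server name in the certificate, not
    at a disabled check. All arguments are hypothetical caller values.
    """
    if count_ca_certs(bundle_path) == 0:
        raise ValueError("no usable CA certificate in %s" % bundle_path)

    import ldap  # python-ldap; imported late so the pre-check runs without it

    conn = ldap.initialize(uri)  # e.g. "ldaps://ldap.example.internal:636"
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, bundle_path)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Must be set last: creates a new TLS context that picks up the
    # options above instead of reusing the library-wide one.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    try:
        conn.simple_bind_s(bind_dn, password)
        return conn.whoami_s()
    finally:
        conn.unbind_s()
```

If the bind fails with a certificate error while command-line validation succeeds, the process running python-ldap is not reading the same trust store as the command-line tools.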