I didn't make any progress on this. Zenoss pretends that I have to use a certificate delivered by a Certificate Authority Company (Comodo, GeoTrust, DigiCert, ...). Is any enterprise buying certificates for its internal servers?
Subject: RE: LDAPS authentication with Enterprise CA
Author: Arthur
Posted: 2020-04-03 07:59
Hi Laurent
I have a Zenoss instance RM 6.3.2 with the LDAPAuthenticator ZP Version 3.3.3 which is working.
About the history:
We tried to make it work with different configuration changes in 2018 but had no success. It came out that it was a known defect, and for the time being we had to use the ignore checkbox in the LDAP config to work around this.
We were then notified that the issue has been fixed in release RM 6.3. With the upgrade to 6.3.2 it looks like we got a new LDAPAuthenticator ZP Version 3.3.3, and with this the ignore checkbox in the LDAP config disappeared. Surprisingly, the LDAP authentication with the SSL checkbox checked is now working.
On the other hand, I don't know exactly which change made it work :-)
Currently I am building up a new 6.4.1 environment, and just uploading the certificate under Manage SSL Certificates does not work. So I have to find out what made it work last time.
Using a certificate delivered by a Certificate Authority Company is not an option for us!
Due to the current situation I can only share the error message from 2018 but the one I got with 6.4.1 looks similar.
Maybe you can also share yours for comparison.
2018-09-11T13:11:39 ERROR event.LDAPDelegate {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)', 'desc': "Can't contact LDAP server"}
Traceback (most recent call last):
  File "/opt/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 412, in search
    connection = self.connect(bind_dn=bind_dn, bind_pwd=bind_pwd)
  File "/opt/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 305, in connect
    raise e
SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)', 'desc': "Can't contact LDAP server"}
Regards
------------------------------
Arthur
------------------------------
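The error in the log above is OpenSSL verification error 19: the server presented a chain that ends in a self-signed root the client does not trust. The following is an added example, not part of the original posts and not Zenoss code; it reproduces that error with a constructed throwaway CA and shows that verification passes once the root is supplied as a trust anchor. All names and paths are constructed, and it assumes OpenSSL 1.1.0 or later with its default configuration file.

```shell
#!/usr/bin/env bash
# Added example with constructed data: reproduce and resolve OpenSSL
# verify error 19 ("self signed certificate in certificate chain").

# Create a throwaway root CA and a server certificate signed by it in $1.
make_demo_pki() {
  dir=$1
  # Self-signed root, standing in for an internal enterprise CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Enterprise Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Key and CSR for the constructed LDAP server name.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.internal" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
  # Root signs the server certificate.
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/srv.pem" 2>/dev/null
}

# Verify the server certificate the way a TLS client does when the server
# sends its chain including the root (-untrusted = certificates received
# from the peer). $2 is the CA bundle to trust; empty means no trust anchors.
verify_chain() {
  dir=$1
  trust=$2
  if [ -n "$trust" ]; then
    openssl verify -no-CApath -CAfile "$trust" \
      -untrusted "$dir/ca.pem" "$dir/srv.pem" 2>&1
  else
    openssl verify -no-CAfile -no-CApath \
      -untrusted "$dir/ca.pem" "$dir/srv.pem" 2>&1
  fi
}

workdir=$(mktemp -d)
make_demo_pki "$workdir"

echo "--- client does not trust the enterprise root ---"
verify_chain "$workdir" "" || true

echo "--- enterprise root supplied as trust anchor ---"
verify_chain "$workdir" "$workdir/ca.pem"
```

Against a live directory server, the same check is `openssl s_client -connect <host>:636 -CAfile <enterprise-root.pem>`, which reports the verify return code for the chain the server actually sends.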