[SOLVED] Active Directory via LDAPS

unix3

Oct 30, 2024
Hello,
I need to integrate a Proxmox cluster with Active Directory. I managed to integrate it and sync users and groups via LDAP.
Now for security reasons I wanted to test the configuration via LDAPS, so I changed the mode, without certificate verification, and everything continued to work.
At this point I copied the self-signed CA root (cacert.pem) onto one node of the cluster, into the /etc/ssl/certs directory; the output is below:

Code:
wxrwxrwx 1 root root     43 Nov  8 20:11 cacert.pem -> /usr/local/share/ca-certificates/cacert.crt

I did a test to verify the CA with the AD certificate (ad_test_server.crt) as follows:

Code:
# openssl verify -CAfile cacert.pem ad_test_server.crt
ad_test_server.crt: OK

My domain.cfg file is as follows:


Code:
ad: test
        domain test.intranet
        server1 10.0.2.50
        base_dn DC=test,DC=intranet
        bind_dn admin
        case-sensitive 1
        default 0
        mode ldaps
        sync-defaults-options scope=both



If I try to activate the Certificate verification I get:

Code:
update auth server failed: hostname verification failed (500)
 
Hi,

update auth server failed: hostname verification failed (500)
On a hunch, since it apparently fails to verify the hostname, you probably have to set server1 to the appropriate hostname as listed in the certificate under "Subject Alternative Names", not the IP.

You can list the valid hostnames for the certificates using e.g. openssl x509 -noout -text -in cert.crt | grep DNS:
 
Hello Christoph,
you are absolutely right, I retrieved the FQDN inside the crt file and then I entered it inside the domains.cfg file instead of using the IP, it works like a charm!

Thanks a lot
 
Great to hear that fixed it!

Please just mark the thread as SOLVED by editing the first post, there should be a dropdown near the title field - this helps others find this thread more easily in the future :)
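
The fix in this thread, as an added example that is not part of the original posts: a Python check of whether a `server1` value would be covered by the names that `openssl x509 -noout -text -in cert.crt | grep DNS:` prints. It assumes standard RFC 6125 style matching; the SAN line and the FQDN `dc01.test.intranet` are constructed samples, not values from the thread.

```python
import ipaddress

# Constructed sample of the SAN line printed by
#   openssl x509 -noout -text -in cert.crt | grep DNS:
# dc01.test.intranet is a hypothetical FQDN, not taken from the thread.
SAMPLE_SAN = "DNS:dc01.test.intranet, DNS:*.lab.test.intranet"


def parse_san(text):
    """Split an openssl SAN line into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_match(pattern, host):
    """'*' may only stand in for the whole left-most label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def server_matches(server, san_text):
    """True if `server` (the server1 value) is covered by the certificate SANs."""
    dns, ips = parse_san(san_text)
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        host = server.lower().rstrip(".")
        return any(dns_match(p, host) for p in dns)
    # An IP literal is only compared with "IP Address" SAN entries,
    # never with DNS names, which is why a bare IP fails here.
    return addr in ips


if __name__ == "__main__":
    for candidate in ("10.0.2.50", "dc01.test.intranet", "test.intranet"):
        ok = server_matches(candidate, SAMPLE_SAN)
        print(f"server1 {candidate}: {'match' if ok else 'no match'}")
```

If the IP has to stay in the config, the certificate would need an `IP Address:` SAN entry for it; otherwise use a name the certificate lists.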
 
