LDAPS resource configuration fails #5309

Closed
Br0cken opened this issue Dec 17, 2024 · 1 comment

Comments

Br0cken commented Dec 17, 2024

Describe the bug

LDAPS validation and configuration fail.

To Reproduce

  1. Run the icingaweb2 configuration wizard
  2. Try to validate the LDAPS resource
  3. Get the following error message:

     Failed to successfully validate the configuration
     Connect using LDAPS
     NOTE: There might be an issue with the chosen encryption. Ensure that the LDAP-Server supports LDAPS and that the LDAP-Client is configured to accept its certificate.
     LDAP bind (CN=Serviceuser, OU=ORGUNIT,DC=xx,DC=yyy,DC=zzz / ***) to ldaps://dc.fqdn:636 failed: Can't contact LDAP server

Expected behavior

The LDAPS configuration is validated successfully.

Your Environment


  • Icinga Web 2 version and modules (System - About): 2.12.2

  • Web browser used: Microsoft Edge for Business - Version 131.0.2903.99 (Official build) (64-bit)

  • Icinga 2 version used (icinga2 --version):

    icinga2 --version
    icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.3-1)

Copyright (c) 2012-2024 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Ubuntu
  Platform version: 22.04.5 LTS (Jammy Jellyfish)
  Kernel: Linux
  Kernel version: 5.15.0-126-generic
  Architecture: x86_64

Build information:
  Compiler: GNU 11.4.0
  Build host: runner-hh8q3bz2-project-575-concurrent-0
  OpenSSL version: OpenSSL 3.0.2 15 Mar 2022

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

  • PHP version used (php --version):

    php --version
    PHP 8.3.14 (cli) (built: Nov 25 2024 18:07:16) (NTS)
    Copyright (c) The PHP Group
    Zend Engine v4.3.14, Copyright (c) Zend Technologies
        with Zend OPcache v8.3.14, Copyright (c), by Zend Technologies

  • Server operating system and version:

Additional context

  • LDAP backend is Active Directory, domain schema 2012
  • Anonymous binds are not possible

  # /etc/icingaweb2/resources.ini
  [icingaweb_ldap]
  type = "ldap"
  hostname = "dc.fqdn"
  port = "636"
  encryption = "ldaps"
  root_dn = "DC=xx,DC=yyy,DC=zzz"
  bind_dn = "CN=Serviceuser, OU=ORGUNIT,DC=xx,DC=yyy,DC=zzz"
  bind_pw = "PASSWORD"
  timeout = "5"

  # /etc/ldap/ldap.conf
  TLS_CACERT /etc/ssl/certs/CERT.crt
  SASL_NOCANON on
  TLS_REQCERT demand
  SASL_CBINDING tls-endpoint

We also tried TLS_REQCERT never, without success.

check_ldap and ldapsearch both work with this account as expected when run from the command line:

  ./check_ldap -H dc.fqdn -b 'DC=xx,DC=yyy,DC=zzz' -D 'CN=Serviceuser, OU=ORGUNIT,DC=xx,DC=yyy,DC=zzz' -v -P 'PASSWORD' -S
  ldapsearch -H ldaps://dc.fqdn -x -b "DC=xx,DC=yyy,DC=zzz" -D "CN=Serviceuser, OU=ORGUNIT,DC=xx,DC=yyy,DC=zzz" -W
Br0cken (Author) commented Jan 8, 2025

This issue was not caused by icingaweb2. /etc/ssl/certs/CERT.crt had the wrong permissions.

@Br0cken Br0cken closed this as completed Jan 8, 2025
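The root cause reported above is a common one: ldapsearch and check_ldap run from a root shell can read a CA file that the web server's unprivileged process cannot, so the wizard fails with a generic "Can't contact LDAP server" while command-line tests pass. The POSIX shell helper below is an added example and is not part of Icinga Web 2 or of the issue; it reads the TLS_CACERT path from an ldap.conf and reports whether the file is a regular file with the world-read bit set. The function names, the use of GNU `stat -c '%a'`, and the sample file layout in the usage are assumptions.

```shell
#!/bin/sh
# ldaps_cacert_check.sh: hypothetical helper (not Icinga Web 2 code).
# Finds the TLS_CACERT path in an ldap.conf and checks that the file
# can be read by an unprivileged service account such as the web server user.

# Print the TLS_CACERT path configured in the given ldap.conf (empty if absent).
ldap_cacert_path() {
    awk 'toupper($1) == "TLS_CACERT" { print $2; exit }' "$1"
}

# Return 0 if the file exists and has the "others" read bit set, 1 otherwise.
# Uses GNU stat's octal mode output (assumption: Linux coreutils).
cacert_world_readable() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # The last octal digit holds the permission bits for "others"; read is 4.
    others=$(printf '%s' "$mode" | tail -c 1)
    [ $(( others & 4 )) -eq 4 ]
}

# Check one ldap.conf. Prints a verdict; returns 0 when OK, 1 on a problem.
check_ldap_cacert() {
    conf="$1"
    cert=$(ldap_cacert_path "$conf")
    if [ -z "$cert" ]; then
        echo "no TLS_CACERT in $conf: the system trust store will be used"
        return 0
    fi
    if [ ! -f "$cert" ]; then
        echo "PROBLEM: TLS_CACERT $cert does not exist or is not a regular file"
        return 1
    fi
    if cacert_world_readable "$cert"; then
        echo "OK: $cert is readable by unprivileged users"
        return 0
    fi
    echo "PROBLEM: $cert has mode $(stat -c '%a' "$cert"); the web server user cannot load it"
    return 1
}

# Usage (constructed example): check_ldap_cacert /etc/ldap/ldap.conf
```

A world-readable CA certificate is the expected state, since it carries only public material; the bind password in resources.ini is what must stay restricted. When this check passes and the wizard still fails, the next things to compare are the user the web server runs as and whether that user sees the same ldap.conf the root shell does.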