Hello again,
after a couple of days and further testing, we were able to find a solution.
We tried to play around with OpenLDAP's default GnuTLS implementation, but we could not change the offered ciphers in a way that EC ciphers would be available.
I then started to compile OpenLDAP myself, using the OpenSSL implementation instead of GnuTLS, and look there … we got a useful error message:
client=auth.client.form error="[password-auth.failed] failed to authenticate identity: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead\n[password-auth.invalid] invalid password"
After adding the missing SANs to the certificate, the connection between Grafana and OpenLDAP works like a charm. TLS 1.2 uses ECDHE-RSA-AES256-GCM-SHA384 and even TLS 1.3 is working with TLS_AES_256_GCM_SHA384.
We then switched back to OpenLDAP with GnuTLS, added the updated certificate with SANs to OpenLDAP and see: it's still not working. I guess because of missing EC cipher support.
BUT I remembered the environment variable GODEBUG: "tlsrsakex=1"
and tried it once again. And then the connection works between Grafana and OpenLDAP (with GnuTLS).
So final result:
Grafana 11.3 → OpenLDAP 2.6 (GnuTLS) only works with GODEBUG: "tlsrsakex=1"
Grafana 11.3 → OpenLDAP 2.6 (OpenSSL) works like a charm
So basically the "root cause" of this issue was the missing SANs in the certificate,
and maybe even the GnuTLS implementation a bit.
Maybe this will help others.
Thanks for your support.