I've never tried self-signed. Private/internal CA works, but self-signed is not something you probably should deploy. You can disable the certificate checking in your authentication source.
The message indicates that self-signed is not supported; maybe TAC can tell you if that is correct, but if it is not too much of an effort, I would create a (private) CA and have that sign your LDAP. The easiest in an AD environment would be the AD Certificate Services, but if that is not possible, you can use ClearPass Onboard as well to set up a new CA (make it long-living; I think 9999 days is the max), then create a server cert from there (also make that a few years at least) and install that on your AD server.
For a larger environment (or... not lab), make sure you have your certificates deployed correctly, and get professional assistance/advice if you are not sure about what to do.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
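To make the two paths in this thread concrete (the self-signed LDAPS certificate that ClearPass rejects in the question, and the private-CA-signed certificate the reply recommends), here is an added OpenSSL walkthrough. It is example code written for this page, not ClearPass, Onboard or AD Certificate Services output, and every name in it is a placeholder: "Lab Private CA", ldap.example.internal, and the helper names make_pki, chains_to_ca and san_of are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA with OpenSSL, have it
# sign an LDAPS server certificate, and contrast how verification treats that
# certificate versus a self-signed one. Names below are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  # 1. Private CA. The reply suggests a long lifetime; 9999 days is used here.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 9999 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Lab Private CA" >/dev/null 2>&1

  # 2. Key and CSR for the LDAP server (what you would generate on the AD host).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" \
    -subj "/CN=ldap.example.internal" >/dev/null 2>&1

  # 3. CA-signed server certificate: the SAN must match the hostname the
  #    client connects to, and serverAuth EKU marks it for TLS server use.
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'subjectAltName=DNS:ldap.example.internal' \
    'extendedKeyUsage=serverAuth' > "$WORK/ldap.ext"
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ldap.ext" \
    -out "$WORK/ldap.crt" >/dev/null 2>&1

  # 4. For contrast: a self-signed server certificate, as in the question.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" \
    -subj "/CN=ldap.example.internal" >/dev/null 2>&1
}

# Return 0 if the certificate chains to the private CA, non-zero otherwise.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Print the DNS SAN entries of a certificate (one per line).
san_of() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

make_pki
if chains_to_ca "$WORK/ldap.crt"; then
  echo "ldap.crt: OK, chains to Lab Private CA (SAN: $(san_of "$WORK/ldap.crt"))"
fi
if chains_to_ca "$WORK/selfsigned.crt"; then
  echo "selfsigned.crt: unexpectedly verified"
else
  echo "selfsigned.crt: rejected, no chain to a trusted CA"
fi
```

What the client needs in its trust list is ca.crt, the issuing CA, not the server certificate itself. Against a live directory server you can see the presented chain and the verification result with `openssl s_client -connect ldap.example.internal:636 -CAfile ca.crt` (hostname is a placeholder) and look at the "Verify return code" line; a "self signed certificate" verdict there corresponds to the rlm_ldap error in the question. Disabling certificate checking, as mentioned in the reply, makes the bind succeed but removes the client's ability to tell the real LDAP server from an impersonator, which is why the CA-signed path is the one to deploy outside a lab.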
Original Message:
Sent: Sep 01, 2021 10:25 AM
From: Aivars Brizs
Subject: Clearpass LDAP over SSL certificates
I am configuring a secure LDAP connection and during an authentication attempt ClearPass complains that it is not able to establish a connection with the LDAP server:
2021-09-01 09:27:56,920 [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: CN=xxx,OU=xxx-xx,O=xxx bind to xxx.xxx.com:636 failed: Can't contact LDAP server
2021-09-01 09:27:56,920 [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
2021-09-01 09:27:56,920 [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)
Packet capture confirms that ClearPass rejects the LDAP cert.
The self-signed LDAP cert is imported in the trust list and it has the following usage assigned: AD/LDAP Servers, EAP, Others.
Does ClearPass allow self-signed cert usage on the LDAP server for LDAP over SSL?
------------------------------
Aivars Brizs
------------------------------