Werk #19584: Fix LDAPS connections failing due to inherited CRL check settings

Component

Setup

Title

Fix LDAPS connections failing due to inherited CRL check settings

Date

May 4, 2026

Level

Trivial Change

Class

Bug Fix

Compatibility

Compatible - no manual interaction needed

Checkmk versions & editions

2.6.0b1 Not yet released	Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.5.0p3 Not yet released	Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.4.0p30 Not yet released	Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT

Previously, LDAPS connections to an LDAP user directory could fail on systems where libldap is linked against OpenSSL (for example Debian trixie). In this case, the global TLS_CRLCHECK setting from /etc/ldap/ldap.conf was inherited by the connection handle. If that global was set to anything other than none, OpenSSL would attempt CRL verification, which failed because no CRL distribution points were loaded.

On systems using the GnuTLS backend, CRL checks were never performed, so the issue did not occur there.

Checkmk now explicitly disables CRL checks on the LDAP connection handle, making the behavior consistent regardless of the TLS backend or global ldap.conf settings.

To the list of all Werks