Cannot connect to AD on new nagios server

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
wagnbeu0
Posts: 19
Joined: Tue Nov 03, 2015 5:28 am

Cannot connect to AD on new nagios server

Post by wagnbeu0 »

Hello, we are migrating our Nagios XI 2024 installation from a CentOS 7 server to a new Red Hat 8 server. Following your guidelines, I was able to do the initial installation and restore the current Nagios XI installation from the original backup on my new server.

The only thing which is not working is the connection in Nagios XI to the AD.
I already see the certificates which had been installed on the old server on the new Nagios XI server as well, but when connecting to the AD I get this error:

Code:

Unable to authenticate:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)

I have no idea where to put the AD root certificates. I already copied all of them from the old server to the folder /etc/pki/ca-trust/source/anchors.
Then I updated the cert files and restarted the web server and the needed services:

Code:

update-ca-trust extract
systemctl restart httpd php-fpm

But no luck, the error still exists ... where else do I need to change it?
danderson
Posts: 125
Joined: Wed Aug 09, 2023 10:05 am

Re: Cannot connect to AD on new nagios server

Post by danderson »

Thanks for reaching out @wagnbeu0,

Just an idea, but could you try re-adding the certificate through the interface?

Admin -> Users -> LDAP/AD Integration -> Add Certificate

Let me know if that helps.
wagnbeu0
Posts: 19
Joined: Tue Nov 03, 2015 5:28 am

Re: Cannot connect to AD on new nagios server

Post by wagnbeu0 »

@danderson We did, but the error remained.

I now enabled debugging and the output is:

Code:

==> /var/log/httpd/error_log <==
[Fri May 17 12:21:29.235039 2024] [suexec:notice] [pid 23067:tid 140596908998144] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri May 17 12:21:29.306861 2024] [lbmethod_heartbeat:notice] [pid 23067:tid 140596908998144] AH02282: No slotmem from mod_heartmonitor
[Fri May 17 12:21:29.376978 2024] [mpm_event:notice] [pid 23067:tid 140596908998144] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k configured -- resuming normal operations
[Fri May 17 12:21:29.377030 2024] [core:notice] [pid 23067:tid 140596908998144] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

==> /var/log/httpd/ssl_error_log <==
[Fri May 17 12:21:57.911499 2024] [proxy_fcgi:error] [pid 23077:tid 140595645359872] [client 10.83.214.245:42984] AH01071: Got error 'PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714\n', referer https://SERVERNAME-FQDN/nagiosxi/includes/components/ldap_ad_integration/index.php
danderson
Posts: 125
Joined: Wed Aug 09, 2023 10:05 am

Re: Cannot connect to AD on new nagios server

Post by danderson »

On the LDAP/AD integration page, could you try clicking the Advanced dropdown at the bottom and toggling "Enable setup and authentication debugging" to get a better view of what's happening?

If you are on RHEL8, can you check /var/log/php-fpm/ for the error logs?

Lastly, what does the content of your ldap.conf look like? It should be in /etc/openldap/ldap.conf. Are the certificates in the certs and cacerts directories in /etc/openldap/?

Can you connect to the server via the command line like so?

Code:

ldapsearch -x -L -H 'ldaps://<Domain Controller>' -D '<User>@<Account suffix>' -w '<Password>' -b '<Base DN>' -s sub "(objectClass=user)" givenName
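The ldap.conf check asked about in the last reply, as an added example that is not part of the thread or of Nagios XI: a shell helper that reads an ldap.conf and flags TLS trust settings that can explain a "certificate verify failed" error on LDAPS. The function names and finding codes are made up for this example; it assumes the last occurrence of a keyword is the effective one and, for the hashed-directory check, that libldap is linked against OpenSSL.

```shell
#!/bin/sh
# Added example: report the TLS trust settings the OpenLDAP client library
# would read from an ldap.conf file. Keywords are case-insensitive and
# lines starting with '#' are comments (ldap.conf(5)).

# Print the value of one keyword. Assumption: when a keyword is repeated,
# the last occurrence is the effective one.
ldap_conf_get() {  # usage: ldap_conf_get FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        toupper($1) == toupper(key) { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# Print one finding code per line; no output means nothing was flagged.
ldap_tls_findings() {  # usage: ldap_tls_findings FILE
    conf=$1
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)

    # never/allow let the bind succeed without proving the server's identity,
    # which hides a trust problem instead of fixing it.
    case $(printf '%s' "$reqcert" | tr 'A-Z' 'a-z') in
        never|allow) echo "VERIFY_DISABLED" ;;
    esac

    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "NO_CA_CONFIGURED"      # trust then depends on how libldap was built
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "CACERT_UNREADABLE"     # missing file or wrong permissions
    fi
    if [ -n "$cadir" ]; then
        if [ ! -d "$cadir" ]; then
            echo "CACERTDIR_MISSING"
        # OpenSSL looks up a CA directory by subject-hash names (<8 hex>.<n>),
        # so copied *.pem or *.crt files alone are not found there.
        elif ! ls "$cadir" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "CACERTDIR_NOT_HASHED"
        fi
    fi
}

# Stand-alone use: pass the path of the ldap.conf to inspect.
if [ -n "${1:-}" ]; then ldap_tls_findings "$1"; fi
```

Run it as the account the web server or php-fpm uses, since the readability check depends on that account's permissions.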