SSL AD integration not working RHEL8

sgomeztd
Posts: 34
Joined: Tue Apr 30, 2019 11:00 am

SSL AD integration not working RHEL8

Post by sgomeztd »

Hi,

I'm building a new Nagios server and I'm having problems with the AD integration on RHEL8. I have copied the LDAP Integration details from our old Nagios server, where it works OK (although it is a CentOS 6). The certificate for HTTPS works OK.

When I try to import users I get the following error, despite having added the root CA and intermediate certificates using the GUI. In fact, on the old server I only have the root and one of the intermediate CAs, but on this server I tried to include all 5 of our intermediate CAs just in case, but that didn't solve it either.

By the way, we are using certificates issued by our Windows root CA; these are not commercial certificates.

Code:

error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)

I added the .pem files using the command "trust anchor certif.pem" as described in the RHEL8 documentation, and I can successfully run the command

Code:

openssl s_client -showcerts -connect ldap.server:636

I have also tried running a direct ldapsearch query, but I also get an error stating it cannot find the local issuer certificate, despite it being on the server if I run a "trust list" command.

Code:

[root@usclwnagios01 sgomez]# ldapsearch -x -b "DC=domain" -H ldaps://ldap.server -d 1
ldap_url_parse_ext(ldaps://ldap.server)
ldap_create
ldap_url_parse_ext(ldaps://ldap.server:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.100.68.17:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 1, err: 20, subject: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

We have 5 intermediate issuers, so I ended up adding all of them using the "trust anchor" command and in the LDAP Integration section of the GUI.
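The two error strings in this post are OpenSSL verify results: the GUI's "self signed certificate in certificate chain" is X509_V_ERR 19, and the ldapsearch trace's "err: 20 ... unable to get local issuer certificate" is X509_V_ERR 20, reported at depth 1 (the first issuer above the server certificate). The script below is an added example, not code from the thread or from Nagios/OpenLDAP: it reads the verification lines of an `ldapsearch -d 1` trace and states which chain element libldap could not link to a trusted CA and which side of the connection sent the fatal alert. SAMPLE_TRACE is constructed to match the shape of the trace above; its subject name is made up.

```python
"""Interpret TLS verification failures in an `ldapsearch -d 1` trace.

Added example (not part of the original post, not Nagios or OpenLDAP code).
SAMPLE_TRACE is constructed to match the shape of the post's trace; the
subject name in it is made up.
"""
import re

# Subset of OpenSSL X509_V_ERR_* codes. libldap prints the number after "err:".
VERIFY_ERRORS = {
    9:  ("CERT_NOT_YET_VALID", "certificate is not yet valid (check clocks)"),
    10: ("CERT_HAS_EXPIRED", "certificate has expired"),
    18: ("DEPTH_ZERO_SELF_SIGNED_CERT", "the server certificate is self-signed and not trusted"),
    19: ("SELF_SIGNED_CERT_IN_CHAIN", "the chain ends in a self-signed root the client does not trust"),
    20: ("UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "no trusted issuer found for the certificate at this depth"),
    21: ("UNABLE_TO_VERIFY_LEAF_SIGNATURE", "only the leaf was sent and its issuer is not trusted"),
    62: ("HOSTNAME_MISMATCH", "the server name does not match the certificate"),
}

VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.*)")
# "alert write" = our side sent the fatal alert (we rejected the peer's chain);
# "alert read"  = the peer sent it (the server rejected us).
ALERT_RE = re.compile(r"TLS trace: SSL3 alert (write|read):fatal:(.+)")

SAMPLE_TRACE = """\
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 1, err: 20, subject: /DC=example/DC=corp/CN=Example Issuing CA 3
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
"""


def parse_verify_failures(trace):
    """Return [(depth, err, subject), ...] for each failed verification line."""
    failures = []
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if m and int(m.group(2)) != 0:
            failures.append((int(m.group(1)), int(m.group(2)), m.group(3).strip()))
    return failures


def alert_direction(trace):
    """'client' if we sent the fatal alert, 'server' if the peer did, None if none."""
    m = ALERT_RE.search(trace)
    if not m:
        return None
    return "client" if m.group(1) == "write" else "server"


def diagnose(trace):
    """Explain the first verification failure.

    depth 0 is the server certificate, depth N its N-th issuer. err 20 at
    depth N means nothing in the trust store the client consulted signed the
    certificate at depth N, so the CA that is missing is the one that would
    sit at depth N+1.
    """
    failures = parse_verify_failures(trace)
    if not failures:
        return {"ok": True, "alert_from": alert_direction(trace)}
    depth, err, subject = failures[0]
    name, meaning = VERIFY_ERRORS.get(err, ("X509_V_ERR_%d" % err, "see verify(1) for this code"))
    result = {"ok": False, "depth": depth, "err": err, "name": name,
              "subject": subject, "meaning": meaning, "alert_from": alert_direction(trace)}
    if err in (20, 21):
        result["missing_ca_depth"] = depth + 1
        result["action"] = "add the issuer of the depth-%d certificate to the trust store libldap reads" % depth
    elif err in (18, 19):
        result["missing_ca_depth"] = depth
        result["action"] = "add this self-signed root to the trust store libldap reads"
    else:
        result["missing_ca_depth"] = None
        result["action"] = "a server-side certificate problem; adding CA certificates will not help"
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print("%-17s %s" % (key, value))
```

Pipe a real trace in with `ldapsearch ... -d 1 2>&1 | python3 diagnose.py` after replacing the `__main__` block with `diagnose(sys.stdin.read())`. The point of the depth arithmetic is that "add more intermediates" is the wrong reflex for err 20 at depth 1 when the chain already contains them: what is missing is a trust anchor above the intermediate, in the store that this particular client (libldap, not the browser or `trust list`) actually reads.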
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: SSL AD integration not working RHEL8

Post by kfanselow »

Hi sgomeztd,

What do you have set for TLS_CACERTDIR in your /etc/openldap/ldap.conf, and what do the file permissions look like?

e.g.

Code:

find /etc/openldap/ -ls

Also appended below, for convenience's sake, is our documentation on using SSL with Active Directory:

https://assets.nagios.com/downloads/nag ... ponent.pdf

Thanks and Best Regards,
Keith
sgomeztd
Posts: 34
Joined: Tue Apr 30, 2019 11:00 am

Re: SSL AD integration not working RHEL8

Post by sgomeztd »

Hi,

My /etc/openldap/ldap.conf is the default file; no changes were made to it.

Code:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by #TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem

# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

TLS_CACERTDIR /etc/openldap/cacerts

The cert symlinks get created correctly in /etc/openldap/certs when I upload them via the Nagios XI GUI.

Code:

[root@usclwnagios01 ~]# find /etc/openldap/ -ls
100968940      0 drwxrwxr-x   5  apache   nagios         65 Feb 17 05:22 /etc/openldap/
   327899      4 drwxrwxr-x   2  apache   nagios       4096 Feb 16 04:55 /etc/openldap/certs
  2226010      4 -rw-r--r--   1  apache   apache       2349 Feb 16 03:43 /etc/openldap/certs/620cb94bab302.crt
  2836630      8 -rw-r--r--   1  apache   apache       6424 Feb 16 03:43 /etc/openldap/certs/620cb94bab302.pem
  2836644      4 -rw-r--r--   1  apache   apache       1540 Feb 16 03:44 /etc/openldap/certs/620cb9592e5b0.crt
  2836645      8 -rw-r--r--   1  apache   apache       4782 Feb 16 03:44 /etc/openldap/certs/620cb9592e5b0.pem
  2836648      4 -rw-r--r--   1  apache   apache       2064 Feb 16 04:50 /etc/openldap/certs/620cc8e8a6e0a.crt
  2836667      8 -rw-r--r--   1  apache   apache       6061 Feb 16 04:50 /etc/openldap/certs/620cc8e8a6e0a.pem
  2270794      4 -rw-r--r--   1  apache   apache       2122 Feb 16 04:55 /etc/openldap/certs/620cca013d2c9.crt
  2836670      8 -rw-r--r--   1  apache   apache       6130 Feb 16 04:55 /etc/openldap/certs/620cca013d2c9.pem
  2838344      4 -rw-r--r--   1  apache   apache       2468 Feb 16 04:55 /etc/openldap/certs/620cca0e5048d.crt
  2838345      8 -rw-r--r--   1  apache   apache       7601 Feb 16 04:55 /etc/openldap/certs/620cca0e5048d.pem
  2838346      4 -rw-r--r--   1  apache   apache       2350 Feb 16 04:55 /etc/openldap/certs/620cca1833697.crt
  2838347      8 -rw-r--r--   1  apache   apache       6424 Feb 16 04:55 /etc/openldap/certs/620cca1833697.pem
102364493      4 -rw-rw-r--   1  apache   nagios        937 Feb 15 07:19 /etc/openldap/ldap.conf
100968937      0 drwxr-xr-x   2  root     root           26 Jan 27 06:50 /etc/openldap/schema
100968938     24 -rw-r--r--   1  root     root        23182 Jan 27 06:50 /etc/openldap/schema/samba.schema
 36389776      0 drwxrwxr-x   2  apache   nagios        144 Feb 16 04:55 /etc/openldap/cacerts
 36389780      0 lrwxrwxrwx   1  apache   apache         37 Feb 16 03:43 /etc/openldap/cacerts/620cb94bab302.0 -> /etc/openldap/certs/620cb94bab302.pem
 36389782      0 lrwxrwxrwx   1  apache   apache         37 Feb 16 03:44 /etc/openldap/cacerts/620cb9592e5b0.0 -> /etc/openldap/certs/620cb9592e5b0.pem
 36389783      0 lrwxrwxrwx   1  apache   apache         37 Feb 16 04:50 /etc/openldap/cacerts/620cc8e8a6e0a.0 -> /etc/openldap/certs/620cc8e8a6e0a.pem
 36389790      0 lrwxrwxrwx   1  apache   apache         37 Feb 16 04:55 /etc/openldap/cacerts/620cca013d2c9.0 -> /etc/openldap/certs/620cca013d2c9.pem
 36389791      0 lrwxrwxrwx   1  apache   apache         37 Feb 16 04:55 /etc/openldap/cacerts/620cca0e5048d.0 -> /etc/openldap/certs/620cca0e5048d.pem
 36389792      0 lrwxrwxrwx   1  apache   apache         37 Feb 16 04:55 /etc/openldap/cacerts/620cca1833697.0 -> /etc/openldap/certs/620cca1833697.pem

I have been following that document and others related to AD integration and SSL, but nothing of what is described in them seems to be very useful in this situation.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SSL AD integration not working RHEL8

Post by ssax »

Please edit your /etc/openldap/ldap.conf and uncomment this line:

Code:

#TLS_CACERT     /etc/pki/tls/cert.pem

So it looks like this:

Code:

TLS_CACERT     /etc/pki/tls/cert.pem

Then restart apache/php-fpm and test again:

Code:

systemctl restart httpd php-fpm

If that still doesn't resolve it, do this:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

Code:

/etc/pki/ca-trust/source/anchors/

Then run these commands:

Code:

update-ca-trust extract
systemctl restart httpd php-fpm

Then test it again.


If that still doesn't resolve it (it should), please send the full output of this command:
- Change your.ad_or_ldap.server before running

Code:

echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636

Thank you!
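The fix in this reply hinges on one property of the RHEL8 ldap.conf quoted earlier: its own comment says that with no CA settings the shared system certificates are used, but once TLS_CACERTDIR is set, the system bundle is only consulted if TLS_CACERT points at it explicitly. So anchors added with `trust anchor` or `update-ca-trust extract` only reach libldap (and php-ldap on top of it) once that line is uncommented. The script below is an added example, not code from the thread or from Nagios XI/OpenLDAP: it parses an ldap.conf, reports that gap, flags the TLS_REQCERT values that would make the error vanish by disabling verification, and checks whether the entries in TLS_CACERTDIR carry the `<subject_hash>.N` names OpenSSL's directory lookup requires (a general check, not a diagnosis of the poster's system; the fix above did not depend on it). DEFAULT_CONF mirrors the relevant lines of the ldap.conf quoted above; SAMPLE_CACERTS_DIR is constructed.

```python
"""Audit the CA-trust settings in an ldap.conf(5) file.

Added example: not from the thread, not Nagios XI or OpenLDAP code.
DEFAULT_CONF mirrors the uncommented lines and the relevant comment of the
RHEL 8 default ldap.conf quoted in the thread; SAMPLE_CACERTS_DIR is constructed.
"""
import re

# Shared system CA bundle on RHEL 8, as named in the ldap.conf comment.
SYSTEM_BUNDLE = "/etc/pki/tls/cert.pem"

# OpenSSL resolves a CA *directory* (TLS_CACERTDIR) purely by file name:
# <subject_hash>.<n>, hash = 8 hex digits (what `openssl x509 -subject_hash`
# or c_rehash produce). Files with any other name are never opened.
HASHED_NAME_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")

DEFAULT_CONF = """\
#
# LDAP Defaults
#
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by #TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem

SASL_NOCANON    on

TLS_CACERTDIR /etc/openldap/cacerts
"""

# The same file after the fix from the thread (TLS_CACERT uncommented).
FIXED_CONF = DEFAULT_CONF.replace("#TLS_CACERT ", "TLS_CACERT ")

# Constructed directory listing: one properly hashed name, one name in the
# uniqid style of the cacerts listing in the thread.
SAMPLE_CACERTS_DIR = ["a94d09e5.0", "620cb94bab302.0"]


def parse_ldap_conf(text):
    """Parse ldap.conf into {KEY: value}.

    Lines starting with '#' are comments, so a commented-out TLS_CACERT is
    not a setting at all. Keys are case-insensitive; the last one wins.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_tls_trust(text, cacertdir_entries=()):
    """Return a list of problems with how libldap (OpenSSL-backed on RHEL 8)
    will verify LDAPS servers. cacertdir_entries: file names found in
    TLS_CACERTDIR, if available. An empty list means nothing to fix."""
    conf = parse_ldap_conf(text)
    problems = []

    # ldap.conf(5): TLS_REQCERT defaults to "demand". "never"/"allow" make
    # the verify error disappear by not enforcing the certificate at all,
    # which is an active-MITM bypass, not a fix.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        problems.append("TLS_REQCERT %s: server certificates are not enforced; "
                        "this hides the verify error and removes MITM protection" % reqcert)

    cacert = conf.get("TLS_CACERT")
    cacertdir = conf.get("TLS_CACERTDIR")

    # Per the comment in the file: with TLS_CACERTDIR set and no TLS_CACERT,
    # the system bundle is not consulted, so CAs installed with
    # `trust anchor` / `update-ca-trust` are invisible to libldap.
    if cacertdir and not cacert:
        problems.append("TLS_CACERTDIR %s set without TLS_CACERT: the system bundle %s is "
                        "not consulted; add 'TLS_CACERT %s'" % (cacertdir, SYSTEM_BUNDLE, SYSTEM_BUNDLE))

    if cacertdir:
        ignored = [e for e in cacertdir_entries if not HASHED_NAME_RE.match(e)]
        if ignored:
            problems.append("entries in %s not named <subject_hash>.<n> are never opened "
                            "by OpenSSL: %s" % (cacertdir, ", ".join(ignored)))
    return problems


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_tls_trust(conf, SAMPLE_CACERTS_DIR) or ["no problems"])
```

Run it against the live file with `audit_tls_trust(open("/etc/openldap/ldap.conf").read(), os.listdir("/etc/openldap/cacerts"))`. Because the Nagios XI web process uses php-ldap, which sits on the same libldap and reads the same ldap.conf, the `httpd` and `php-fpm` restart in the reply is what makes an edited ldap.conf take effect for the GUI import as well as for `ldapsearch`.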
sgomeztd
Posts: 34
Joined: Tue Apr 30, 2019 11:00 am

Re: SSL AD integration not working RHEL8

Post by sgomeztd »

ssax wrote:Please edit your /etc/openldap/ldap.conf and uncomment this line:

Code:

#TLS_CACERT     /etc/pki/tls/cert.pem
So it looks like this:

Code:

TLS_CACERT     /etc/pki/tls/cert.pem
Then restart apache/php-fpm and test again:

Code:

systemctl restart httpd php-fpm

You are the best!!! Just uncommenting that line and restarting the services was enough, and now both the ldapsearch command and the Nagios XI AD Import feature work OK.

I honestly don't know how my test server, which is also a RHEL8, has the AD integration working, because that line was not commented either, and I realized ldapsearch was not working either :/
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SSL AD integration not working RHEL8

Post by ssax »

Do you have the TLS_CACERTDIR setting defined in the /etc/openldap/ldap.conf on the one you didn't have to change? If not, that would likely be why.

I think you can also adjust the Apache /etc/httpd/conf.d/ssl.conf to add your CA trust and make it work as well, but the system-wide method would be preferred.
sgomeztd
Posts: 34
Joined: Tue Apr 30, 2019 11:00 am

Re: SSL AD integration not working RHEL8

Post by sgomeztd »

ssax wrote:Do you have the TLS_CACERTDIR setting defined in the /etc/openldap/ldap.conf on the one you didn't have to change? If not, that would likely be why.

The ldap.conf was not edited, so it had the default configuration that comes with RHEL8, and that line exists but is commented by default, so all I had to do was remove the comment.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SSL AD integration not working RHEL8

Post by ssax »

Okay, that makes sense.

Yeah, the issue is that I think openldap or php-ldap changed the method or something. Before, it used to work with the system ones without doing that, and now it doesn't, so it would be required.

Glad it's working, I've had to do this on other systems as well and I've reported it to development.

Let us know when we're okay to lock this up and mark it as resolved.

Thank you!
sgomeztd
Posts: 34
Joined: Tue Apr 30, 2019 11:00 am

Re: SSL AD integration not working RHEL8

Post by sgomeztd »

All is working fine so mark this post as resolved.