Active Directory Authentication and LDAP binding

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
drug
Posts: 86
Joined: Wed Apr 03, 2013 3:19 pm

Re: Active Directory Authentication and LDAP binding

Post by drug »

I've modified the code to use ad_username and ad_password (I tried both DN notation and just using the username) but I still receive the same error in the Apache log:
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
The browser also now displays the following after attempting to log in with an AD user (sanitized):
exception 'adLDAPException' with message 'Bind to Active Directory failed. Either the LDAPs connection failed or the login credentials are incorrect. AD said: Invalid credentials' in /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php:415 Stack trace: #0 /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php(370): adLDAP->connect() #1 /usr/local/nagiosxi/html/includes/components/active_directory/active_directory.inc.php(402): adLDAP->__construct(Array) #2 /usr/local/nagiosxi/html/login.php(366): active_directory_component_check_authentication('process_auth_in...', Array) #3 /usr/local/nagiosxi/html/login.php(427): check_login_credentials('TESTEDADUSERNAME', 'TESTEDADPASSWORD, Array, Array) #4 /usr/local/nagiosxi/html/login.php(59): do_login() #5 /usr/local/nagiosxi/html/login.php(27): route_request() #6 /usr/local/nagiosxi/html/login.php(2): sg_load('100590ECE1845C2...') #7 {main}
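
Added example, not part of the original post and not Nagios XI or adLDAP code: a small Python triage script that decodes the "data" sub-code Active Directory appends to LDAP result 49, as seen in the Apache log line above. The sub-code table lists the commonly documented AD values; the function names and every sample line after the first are constructed for illustration.

```python
import re
from collections import Counter

# AD puts a hex Win32 logon error in the "data" field of an LDAP result 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password or bind name)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERR = re.compile(
    r"res_errno:\s*(?P<errno>\d+),\s*res_error:\s*<[0-9A-Fa-f]+:\s*LdapErr:\s*"
    r"(?P<dsid>DSID-[0-9A-Fa-f]+),\s*comment:\s*(?P<comment>[^,]*),"
    r"\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)

def parse_bind_error(line):
    """Return the decoded fields of one AD bind error line, or None."""
    m = BIND_ERR.search(line)
    if m is None:
        return None
    errno, sub = int(m.group("errno")), m.group("data").lower()
    if errno == 49:
        meaning = AD_BIND_SUBCODES.get(sub, "unknown sub-code")
    else:
        meaning = "sub-code table applies to result 49 only"
    return {"ldap_result": errno, "dsid": m.group("dsid"),
            "comment": m.group("comment").strip(), "subcode": sub,
            "win32_error": int(sub, 16), "meaning": meaning}

def summarize(lines):
    """Count bind failures per decoded reason, skipping unrelated lines."""
    parsed = (parse_bind_error(l) for l in lines)
    return Counter(p["meaning"] for p in parsed if p)

# First line is the error quoted in the post; the rest are constructed samples.
SAMPLE_LOG = [
    "res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>",
    "res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1>, res_matched: <>",
    "[notice] Apache configured -- resuming normal operations",
]

if __name__ == "__main__":
    for reason, count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {reason}")
```

Run over a real error log, the per-reason counts separate rejected credentials (52e) from account-state failures such as lockout (775) or an expired password (532), which call for different fixes.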
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Active Directory Authentication and LDAP binding

Post by ssax »

How are you having it connect that it doesn't connect to the RootDSE, which should allow anonymous?
drug
Posts: 86
Joined: Wed Apr 03, 2013 3:19 pm

Re: Active Directory Authentication and LDAP binding

Post by drug »

None of our AD servers allow anonymous bind through LDAP. We connect several other applications using authenticated bind without issue. Is anonymous bind a requirement for this implementation? This will be problematic for us.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Active Directory Authentication and LDAP binding

Post by ssax »

The reason why I ask is because I'm not sure if it'll work, and I would like to test it and try to help you get it working, but everything I've read says you can't force auth on the rootDSE per LDAP spec, so I'm asking how you have it configured so that I can lab it up here.
drug
Posts: 86
Joined: Wed Apr 03, 2013 3:19 pm

Re: Active Directory Authentication and LDAP binding

Post by drug »

I can confirm that I am unable to make anonymous binds against our AD via LDAPS. Queries only succeed with authenticated queries.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Active Directory Authentication and LDAP binding

Post by tmcdonald »

I think at this point we need to let the developers do their thing. We can make minor edits here and there, but this is turning out to be more than just a one- or two-line fix. There is a feature request in place, and XI has been under heavy development recently since we just released XI 5. We are also releasing a new AD/LDAP component some time this week, so we'll see if the changes get added.
Former Nagios employee
drug
Posts: 86
Joined: Wed Apr 03, 2013 3:19 pm

Re: Active Directory Authentication and LDAP binding

Post by drug »

Just to close this out, Nagios XI 5 resolved all of our AD binding issues. Thanks.
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Active Directory Authentication and LDAP binding

Post by hsmith »

Glad to hear it. I'll go ahead and close this one.
Former Nagios Employee.
me.