
Turning on ldap debug doesn't give desired output.

PostPosted: Wed Jul 10, 2019 1:12 pm
by bcoleman310
I'm using LDAP and SSL.

I'm failing to auth in the GUI, but I can run check_ldap with all the settings I've used in the LDAP/AD settings and it passes authentication just fine.

I'm trying to see why it's not passing auth in the GUI.
This is what I'm seeing since turning on debug:

ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP XXXXXXXXXXXXXXXXX:1636
ldap_new_socket: 102
ldap_prepare_socket: 102
ldap_connect_to_host: Trying xxxxxxxxxxxxxxxx:1636
ldap_pvt_connect: fd: 102 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7fdcd491d0d0 msgid 1
wait4msg ld 0x7fdcd491d0d0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fdcd491d0d0 msgid 1 all 1
** ld 0x7fdcd491d0d0 Connections:
* host: xxxxxxxxxxxxxxxxxxxxx port: 1636 (default)
refcnt: 2 status: Connected
last used: Wed Jul 10 18:04:24 2019


** ld 0x7fdcd491d0d0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fdcd491d0d0 request count 1 (abandoned 0)
** ld 0x7fdcd491d0d0 Response Queue:
Empty
ld 0x7fdcd491d0d0 response count 0
ldap_chkResponseList ld 0x7fdcd491d0d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fdcd491d0d0 NULL
ldap_int_select
read1msg: ld 0x7fdcd491d0d0 msgid 1 all 1
ldap_err2string
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed

This really doesn't tell me anything. What else can I do to troubleshoot this?
I would love to know what variables are actually being passed to the LDAP server vs. what's configured.

Thanks

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Thu Jul 11, 2019 3:22 pm
by cdienger
It looks like it is getting terminated pretty early on in the connection. What does the LDAP/AD configuration look like on the XI side, specifically for the Security drop-down? Try setting it to SSL/TLS or STARTTLS if it is supposed to be a secure connection.

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Mon Jul 15, 2019 10:27 am
by bcoleman310
I'm using SSL and I've tried TLS because the other side is using TLS 1.2, but check_ldap works fine connecting using SSL.
I don't have the option to use STARTTLS in the drop-down. I was assuming TLS and STARTTLS were the same thing.

So neither option works atm.

Thanks

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Mon Jul 15, 2019 1:54 pm
by cdienger
It's a bit confusing and differs depending on which version of XI it is, but the SSL option should negotiate TLS if it is available. Selecting the TLS option configures XI to use STARTTLS. Running a Wireshark trace will show that TLS is being negotiated when SSL is selected:

yum -y install tcpdump
tcpdump -s 0 -i any port 1636 -w output.pcap


Let this run while reproducing the problem, then use CTRL+C to stop it. The output.pcap can be viewed with Wireshark. Feel free to PM it to me for review.

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Tue Jul 16, 2019 1:50 pm
by cdienger
Can you send me the pcap file so that I may take a closer look?

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Wed Aug 14, 2019 9:45 am
by cdienger
The tcpdump isn't showing an attempt to use TLS. What option was selected when the tcpdump was taken? What version of XI is this on?

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Thu Aug 15, 2019 7:46 am
by bcoleman310
It's TLS on a non-standard port.
You have to configure Wireshark to see it on port 1636:
Edit > Preferences > Protocols > HTTP, SSL/TLS ports: 443, 1636

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Thu Aug 15, 2019 2:56 pm
by cdienger
Oh, I'm aware of that trick :)

What I am saying is that in the first real communication (after the three-way TCP handshake), we see a cleartext attempt to bind to the directory and not the CLIENT HELLO message that we'd see with TLS. You can see this bind attempt by decoding the traffic as LDAP.

What version of XI is this on?

What version of php? (php -v)

Please provide me with a copy of the /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ directory.
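A way to check what the reply above describes, as an added example that is not from the thread and not Nagios XI or check_ldap code: given the first client payload after the TCP handshake (the bytes Wireshark shows in the packet bytes pane for the first data segment to port 1636), the Python below says whether it is a TLS ClientHello (ldaps, what the SSL option should produce), a StartTLS ExtendedRequest (what the TLS option should produce), or a cleartext BindRequest, and in the last case decodes the message ID, protocol version, bind DN and authentication method, which is also what the original poster asked for (what is actually sent vs. what is configured). The bind DN, the password and the truncated ClientHello are constructed sample data, not captured traffic.

```python
# Added example: classify the first client payload of an LDAP TCP session.
# Not Nagios XI code. Sample payloads below are constructed; the DN and
# password are hypothetical.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)


def ber(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Yield the (tag, value) pairs nested inside a constructed BER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child


def classify_first_payload(payload: bytes) -> dict:
    """Distinguish the three things an LDAP client can send first on a new connection."""
    # 1. ldaps:// : a TLS record of type handshake (0x16), version 0x03xx, whose first
    #    handshake message is a ClientHello (0x01). No LDAP is visible at this point.
    if len(payload) >= 11 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return {"kind": "tls_client_hello",
                "client_version": f"{payload[9]}.{payload[10]}"}
    # Anything else has to start with an LDAPMessage SEQUENCE (0x30) to be LDAP at all.
    if not payload or payload[0] != 0x30:
        return {"kind": "unknown"}
    _, message, _ = read_tlv(payload)
    fields = list(children(message))
    message_id = int.from_bytes(fields[0][1], "big")      # messageID INTEGER
    op_tag, op_value = fields[1]                           # protocolOp CHOICE
    # 2. STARTTLS: ExtendedRequest [APPLICATION 23] (0x77) whose requestName [0] (0x80)
    #    is the StartTLS OID. TLS only begins after the server answers this.
    if op_tag == 0x77:
        req = list(children(op_value))
        if req and req[0][0] == 0x80 and req[0][1] == STARTTLS_OID:
            return {"kind": "starttls_request", "message_id": message_id}
        return {"kind": "extended_request", "message_id": message_id,
                "oid": req[0][1].decode() if req else None}
    # 3. Cleartext BindRequest [APPLICATION 0] (0x60): version, name (DN), authentication.
    #    Seeing this first means nothing was encrypted; with simple auth the password
    #    is on the wire in the clear.
    if op_tag == 0x60:
        version, name, auth = list(children(op_value))[:3]
        result = {"kind": "cleartext_bind", "message_id": message_id,
                  "version": int.from_bytes(version[1], "big"),
                  "bind_dn": name[1].decode()}
        if auth[0] == 0x80:                                # simple [0] OCTET STRING
            result["auth"] = "simple"
            result["password_len"] = len(auth[1])
        else:                                              # sasl [3] SEQUENCE (0xA3)
            result["auth"] = "sasl"
        return result
    return {"kind": "other_ldap_op", "message_id": message_id, "tag": op_tag}


# --- constructed sample payloads (not captured traffic) ---

def sample_cleartext_bind() -> bytes:
    """LDAPv3 simple bind, messageID 1, hypothetical DN and password."""
    bind = (ber(0x02, b"\x03")                                   # version 3
            + ber(0x04, b"cn=nagios,ou=svc,dc=example,dc=com")   # name (bind DN)
            + ber(0x80, b"hunter2"))                             # simple authentication
    return ber(0x30, ber(0x02, b"\x01") + ber(0x60, bind))


def sample_starttls_request() -> bytes:
    """ExtendedRequest carrying the StartTLS OID, messageID 1."""
    return ber(0x30, ber(0x02, b"\x01") + ber(0x77, ber(0x80, STARTTLS_OID)))


def sample_client_hello() -> bytes:
    """Truncated TLS ClientHello: only the record/handshake headers matter here,
    so the body is client_version 3.3 (TLS 1.2) plus a zeroed random."""
    body = b"\x03\x03" + b"\x00" * 32
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for label, make in (("ldaps", sample_client_hello),
                        ("starttls", sample_starttls_request),
                        ("cleartext", sample_cleartext_bind)):
        print(label, classify_first_payload(make()))
```

To apply this to a real capture, take the raw bytes of the first data segment the XI host sends to port 1636 and pass them to classify_first_payload; a tls_client_hello result means the SSL option is doing what the reply above says it should, a starttls_request means the TLS option is in effect, and a cleartext_bind means the bind (and, for simple auth, the password) went out unencrypted regardless of what the drop-down says.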

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Mon Aug 19, 2019 9:33 am
by bcoleman310
Nagios XI version is 5.2.3
PHP version is: PHP 5.3.21 (cli) (built: Jun 26 2015 12:55:31)

I'll PM you the files you want to see.

Re: Turning on ldap debug doesn't give desired output.

PostPosted: Mon Aug 19, 2019 4:59 pm
by cdienger
The component is outdated but looks good and tested just fine. Can you PM me a screenshot of its settings page?