500 Internal Server Error on CentOS 7

TechnicallyTrue
Posts: 25
Joined: Mon May 13, 2019 11:57 am

500 Internal Server Error on CentOS 7

Post by TechnicallyTrue »

Hello,
I've been struggling to set up Nagios Core to authenticate Active Directory users for the web interface on a CentOS machine running httpd 2.4.6. In the file /etc/httpd/conf.d/nagios.conf, I have replaced every instance of

Code:

AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

with

Code:

AuthBasicProvider ldap
AuthType Basic
AuthName "Active Directory Login"
AuthLDAPURL "[URL]" NONE
AuthLDAPBindDN "[Username@domain]"
AuthLDAPBindPassword [Password]
Require valid-user

When I try to access the website, however, I get an Internal Server Error. The server error logs, unhelpfully, don't show anything out of the ordinary, despite display_errors and display_startup_errors both being on and error_reporting being set to E_ALL in the php files.
I suspect that I'm just doing something wrong with Apache, but I figured I'd ask here in case I'm missing something in the nagios.conf file.
Thank you very much.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: 500 Internal Server Error on CentOS 7

Post by cdienger »

Can you provide a bit more description for the configuration provided? For the AuthLDAPURL, for example, are you specifying ldap://ip:port/cn=users,dc=domain...etc...? A working example can be found at:

https://support.nagios.com/forum/viewto ... 45#p275945
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
TechnicallyTrue
Posts: 25
Joined: Mon May 13, 2019 11:57 am

Re: 500 Internal Server Error on CentOS 7

Post by TechnicallyTrue »

The AuthLDAPURL value is "ldap://[servername].[domainname].ca:3268/[servername]=[companyname],dc=ca?sAMAccountName?sub" NONE
The AuthLDAPBindDN value is "[serveradmin]@[domainname].ca"
Those are the only two points that differ from the example provided, so I'll try changing those. It is worth noting that I've run into problems in the past due to differences between Debian and RHEL distributions, so we'll see.
Thank you very much.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: 500 Internal Server Error on CentOS 7

Post by ssax »

Please run this command and PM me the resulting /tmp/HTTPDFILES.zip file:

Code:

zip -r /tmp/HTTPDFILES.zip /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/

What does this command output?

Code:

nmap -p 389,636,3268,3269 servername.domainname.ca

That should give us what we need to debug further.

Thank you!
TechnicallyTrue
Posts: 25
Joined: Mon May 13, 2019 11:57 am

Re: 500 Internal Server Error on CentOS 7

Post by TechnicallyTrue »

Success! Sort of.
Changed AuthLDAPBindDN to "CN=[admin],CN=Users,DC=[domain],DC=ca"
Now I have a different problem: When a user tries to connect to the webpage, it prompts for their login information over and over again, and won't let them sign on. I've tested with users explicitly added to the cgi.cfg file, so I doubt that's the issue.
I found someone with a similar problem in the thread https://support.nagios.com/forum/viewto ... =7&t=51465, but the solution there didn't work for me. I can't quite understand what their settings like OU=LAB mean, so I might be missing something, but the thread's locked so I can't ask there.
Thank you very much.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: 500 Internal Server Error on CentOS 7

Post by ssax »

Please run this tail command as root and leave it running:

Code:

tail -Fn0 /var/log/httpd/error_log /var/log/httpd/ssl_error_log

Then replicate the issue again and send us the ENTIRE sanitized output.

Still send the files if you need further help as the layout of them definitely impacts the setup.
TechnicallyTrue
Posts: 25
Joined: Mon May 13, 2019 11:57 am

Re: 500 Internal Server Error on CentOS 7

Post by TechnicallyTrue »

nmap gives the following output:

Code:

Starting Nmap 6.40 ( http://nmap.org ) at 2019-10-24 15:02 PDT
Nmap scan report for [server].[domain].ca (192.168.XX.XX)
Host is up (0.00027s latency).
PORT     STATE SERVICE
389/tcp  open  ldap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
MAC Address: XX:XX:XX:XX:XX:XX (VMware)

The tail command raises an error as "ssl_error_log" doesn't exist (odd that it doesn't just create it, but we'll leave that for now). In any case, just looking at the error log, we get the following when I try to login:

Code:

[Thu Oct 24 15:18:13.029425 2019] [auth_basic:error] [pid 311] [client 10.121.XX.XX:52740] AH01617: user [username]: authentication failure for "/nagios/": Password Mismatch

I'll also zip up the httpd files if you think you still need that.
Thank you very much.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: 500 Internal Server Error on CentOS 7

Post by cdienger »

The configuration files will help. I'd also be curious to see what's in a tcpdump:

Code:

tcpdump -s 0 -i any host dc_ip -w output.pcap

Let it run long enough to attempt a login then use CTRL+C to stop it. The file can be reviewed with Wireshark. Feel free to PM that to me as well if you'd like to have us review it.
TechnicallyTrue
Posts: 25
Joined: Mon May 13, 2019 11:57 am

Re: 500 Internal Server Error on CentOS 7

Post by TechnicallyTrue »

Finally got it working. Turns out the problem was with AuthLDAPBindDN. What I didn't understand from the documentation is that your comma-separated list should basically be the path to the user you're trying to bind with.
It now reads CN=[admin],OU=[The AD folder it's in],OU=[The AD folder the previous folder is in],DC=[domain name],DC=[local/com/whatever]
Just need to go bottom up through the folder structure.
Thanks to everyone who helped! It's a massive relief to have it working.
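
The fix in the post above was to write AuthLDAPBindDN as the bind account's full path, account first and domain last. As an added example (not code from this thread or from Nagios), this POSIX shell helper turns an AD canonical name into that bottom-up DN; the sample paths are constructed, and treating a top-level Users, Computers or Builtin folder as CN= rather than OU= is an assumption about AD's default containers.

```shell
#!/bin/sh
# Added example: derive an AuthLDAPBindDN from an AD canonical name.

# Backslash-escape the characters RFC 4514 requires escaping in an RDN value.
escape_rdn() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;]/\\&/g' \
                         -e 's/^[# ]/\\&/' -e 's/ $/\\ /'
}

# canonical_to_dn DOMAIN/FOLDER/.../ACCOUNT
# Walks the folder path top-down and prepends each component, so the DN
# comes out bottom-up: account first, domain components last.
# Returns 1 on a path with no account, an empty component or a trailing slash.
# Assumption: no component name itself contains "/".
canonical_to_dn() {
  case $1 in */*) ;; *) return 1 ;; esac
  domain=${1%%/*}
  rest=${1#*/}
  [ -n "$domain" ] && [ -n "$rest" ] || return 1
  # Domain labels become DC= components, left to right.
  dcs=$(printf '%s' "$domain" | sed -e 's/\./,DC=/g' -e 's/^/DC=/')
  dn=""
  top=1
  while [ -n "$rest" ]; do
    part=${rest%%/*}
    [ -n "$part" ] || return 1
    case $rest in
      */*)  # a folder: OU, unless it is a default container under the domain
        rest=${rest#*/}
        [ -n "$rest" ] || return 1
        attr=OU
        # Assumption: these top-level names are AD's default CN= containers.
        if [ "$top" = 1 ]; then
          case $part in Users|Computers|Builtin) attr=CN ;; esac
        fi ;;
      *)    # last component: the bind account itself
        rest=""
        attr=CN ;;
    esac
    dn="$attr=$(escape_rdn "$part"),$dn"
    top=0
  done
  printf '%s%s\n' "$dn" "$dcs"
}

# Constructed sample paths (not taken from the thread).
canonical_to_dn 'example.ca/Staff/IT/svc-nagios'
canonical_to_dn 'example.ca/Users/svc-nagios'
```

Compare the result with the account's distinguishedName attribute in the directory before putting it in nagios.conf, since a folder name alone does not say whether it is an OU or a container.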
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: 500 Internal Server Error on CentOS 7

Post by scottwilkerson »

TechnicallyTrue wrote:
Finally got it working. Turns out the problem was with AuthLDAPBindDN. What I didn't understand from the documentation is that your comma-separated list should basically be the path to the user you're trying to bind with.
It now reads CN=[admin],OU=[The AD folder it's in],OU=[The AD folder the previous folder is in],DC=[domain name],DC=[local/com/whatever]
Just need to go bottom up through the folder structure.
Thanks to everyone who helped! It's a massive relief to have it working.

Glad to hear it is working!

Locking thread