Active Directory Integration with SSL

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
OptimusB
Posts: 146
Joined: Mon Oct 27, 2014 10:08 pm
Location: Canada

Active Directory Integration with SSL

Post by OptimusB »

I am trying to configure our Nagios XI implementation with AD Integration with SSL. I am following the instructions outlined by the document, but am not able to get this working. I confirmed the AD settings within the component are configured correctly, as it works when Security is set to none.

I suspect I must be missing something or am configuring this incorrectly. Our DC has an actual certificate and not a self-signed one. So when preparing the .crt file, there are 3 levels of certificates involved.

This outputs two VeriSign certs before showing the actual server certificate.

depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1

depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
Would I need additional configurations in this scenario? I tested with the "certificate code" but it doesn't work. Thanks in advance.
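The three-level chain above is the usual shape for a DC certificate from a public CA: the server's own certificate (depth 0), an intermediate (depth 1) and the root (depth 2). The file the ldaps client trusts (the .crt the document has you build; later in this thread it shows up as /etc/openldap/cacerts.pem) needs the CA certificates, not the server's own one. The following is an added example, not from this thread or from Nagios: it parses `openssl s_client -showcerts` style output, flags any verify errors, and assembles the CA bundle from everything above the leaf. The sample output is constructed and its PEM bodies are placeholders, not real certificates.

```python
"""Split `openssl s_client -showcerts` output into its certificate chain and
build the CA bundle the ldaps client should trust. Added example, not from
this thread or from Nagios; the sample output is constructed and its PEM
bodies are placeholders, not real certificates."""
import re

# Constructed sample in the shape of `openssl s_client -connect dc:636 -showcerts`:
# depth/verify lines first, then the chain section with one PEM block per cert.
SAMPLE_OUTPUT = """\
depth=2 C = US, O = "VeriSign, Inc.", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = CA, O = Example Org, CN = dc.example.local
verify return:1
---
Certificate chain
 0 s:/C=CA/O=Example Org/CN=dc.example.local
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

# Constructed sample of a handshake where the client could not build the chain.
SAMPLE_UNTRUSTED = """\
depth=0 C = CA, O = Example Org, CN = dc.example.local
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Verify return code: 21 (unable to verify the first certificate)
"""

ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")
RETURN_CODE_RE = re.compile(r"^Verify return code: (\d+)")

def parse_chain(output):
    """Return the chain as a list of dicts (position 0 = the server's own cert)."""
    chain, cur, pem = [], None, None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"position": int(m.group(1)), "subject": m.group(2).strip(),
                   "issuer": None, "pem": None}
            chain.append(cur)
        elif cur is not None and line.lstrip().startswith("i:"):
            cur["issuer"] = line.split("i:", 1)[1].strip()
        elif line == "-----BEGIN CERTIFICATE-----":
            pem = [line]                       # start collecting a PEM block
        elif pem is not None:
            pem.append(line)
            if line == "-----END CERTIFICATE-----":
                if cur is not None:
                    cur["pem"] = "\n".join(pem)
                pem = None
    return chain

def is_self_signed(cert):
    """A root is self-issued: subject and issuer are the same name."""
    return cert["subject"] == cert["issuer"]

def verify_problems(output):
    """Lines showing the client could not validate the chain. s_client keeps
    going after a 'verify error:' and still prints 'verify return:1', so the
    error lines and the final 'Verify return code' are what to check."""
    problems = []
    for line in output.splitlines():
        if line.startswith("verify error:"):
            problems.append(line)
        m = RETURN_CODE_RE.match(line)
        if m and m.group(1) != "0":
            problems.append(line)
    return problems

def ca_bundle(chain):
    """PEM text for the CA file: intermediate(s) then root, in chain order.
    The server's own certificate (position 0) is not a CA and stays out."""
    cas = sorted((c for c in chain if c["position"] > 0 and c["pem"]),
                 key=lambda c: c["position"])
    return "".join(c["pem"] + "\n" for c in cas)

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_OUTPUT)
    for c in chain:
        print(c["position"], "self-signed" if is_self_signed(c) else "issued", c["subject"])
    print(ca_bundle(chain))
    print(verify_problems(SAMPLE_UNTRUSTED))
```

On real output, feed the script `openssl s_client -connect <dc>:636 -showcerts </dev/null` and write `ca_bundle()` to the CA file; if `verify_problems()` is non-empty the client side is missing part of the chain and the ldaps handshake will fail the same way.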
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Active Directory Integration with SSL

Post by tgriep »

Can you run the following when you enable SSL on the server and post back the results?

tail -200 /var/log/httpd/access_log
tail -200 /var/log/httpd/error_log
I just want to make sure, is this the document you followed to enable SSL with AD?

http://assets.nagios.com/downloads/nagiosxi/docs/Using_SSL_with_XI_Active_Directory_Component.pdf
Be sure to check out our Knowledgebase for helpful articles and solutions!
OptimusB
Posts: 146
Joined: Mon Oct 27, 2014 10:08 pm
Location: Canada

Re: Active Directory Integration with SSL

Post by OptimusB »

That's the document I followed. I also read elsewhere that LDAP with SSL requires a 2012 DFL? Is this correct?
Attached are the log files.
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Active Directory Integration with SSL

Post by tgriep »

SSL and LDAP have been supported since Server 2003.
Is the name of your domain controller kdcbchngoxi01?
Be sure to check out our Knowledgebase for helpful articles and solutions!
OptimusB
Posts: 146
Joined: Mon Oct 27, 2014 10:08 pm
Location: Canada

Re: Active Directory Integration with SSL

Post by OptimusB »

Ok. Just thought that it required 2012 DFL for SSL.
That's not the name of the DC. That's the name of our XI.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Active Directory Integration with SSL

Post by ssax »

As a test can you run the command below and post any errors:

ldapsearch -x -d 1 -LLL -H ldaps://YOURADSERVER -b 'dc=campus,dc=local' -D 'USERNAME' -W '(sAMAccountName=username)'
Make sure to change "YOURADSERVER", "dc=campus,dc=local", and "USERNAME"

Reference: http://serverfault.com/a/296495
OptimusB
Posts: 146
Joined: Mon Oct 27, 2014 10:08 pm
Location: Canada

Re: Active Directory Integration with SSL

Post by OptimusB »

Looks like ldapsearch is not included in the appliance? I cannot find it. I'll get the package installed/upgraded and report back.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Active Directory Integration with SSL

Post by lmiltchev »

Keep us posted. We will keep the thread open.
Be sure to check out our Knowledgebase for helpful articles and solutions!
OptimusB
Posts: 146
Joined: Mon Oct 27, 2014 10:08 pm
Location: Canada

Re: Active Directory Integration with SSL

Post by OptimusB »

Thanks for waiting. Here's the result of the ldapsearch. I had to remove/replace some information.

So I think the connection is ok from the looks of it, but I am not able to authenticate?

ldap_url_parse_ext(ldaps://dc)
ldap_create
ldap_url_parse_ext(ldaps://dc:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <IP>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: loaded CA certificate file /etc/openldap/cacerts.pem.
TLS: certificate [<REMOVED>] is valid
TLS certificate verification: subject: <REMOVED>, issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 28 bytes to sd 3
ldap_result ld 0x1058300 msgid 1
wait4msg ld 0x1058300 msgid 1 (infinite timeout)
wait4msg continue ld 0x1058300 msgid 1 all 1
** ld 0x1058300 Connections:
* host: dc  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Mar 31 11:04:30 2015


** ld 0x1058300 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1058300 request count 1 (abandoned 0)
** ld 0x1058300 Response Queue:
   Empty
  ld 0x1058300 response count 0
ldap_chkResponseList ld 0x1058300 msgid 1 all 1
ldap_chkResponseList returns ld 0x1058300 NULL
ldap_int_select
read1msg: ld 0x1058300 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1058300 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1058300 0 new referrals
read1msg:  mark request completed, ld 0x1058300 msgid 1
request done: ld 0x1058300 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(sAMAccountName=username)"
put_filter: simple
put_simple_filter: "sAMAccountName=username"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 97 bytes to sd 3
ldap_result ld 0x1058300 msgid -1
wait4msg ld 0x1058300 msgid -1 (infinite timeout)
wait4msg continue ld 0x1058300 msgid -1 all 0
** ld 0x1058300 Connections:
* host: dc  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Mar 31 11:04:30 2015


** ld 0x1058300 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1058300 request count 1 (abandoned 0)
** ld 0x1058300 Response Queue:
   Empty
  ld 0x1058300 response count 0
ldap_chkResponseList ld 0x1058300 msgid -1 all 0
ldap_chkResponseList returns ld 0x1058300 NULL
ldap_int_select
read1msg: ld 0x1058300 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 124 contents:
read1msg: ld 0x1058300 msgid 2 message type search-reference
ber_scanf fmt ({v) ber:
ber_scanf fmt (}) ber:
# refldaps://DomainDnsZones.dc/DC=DomainDnsZones,DC=domain,DC=local
ldap_msgfree
ldap_result ld 0x1058300 msgid -1
wait4msg ld 0x1058300 msgid -1 (infinite timeout)
wait4msg continue ld 0x1058300 msgid -1 all 0
** ld 0x1058300 Connections:
* host: dc  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Mar 31 11:04:30 2015


** ld 0x1058300 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1058300 request count 1 (abandoned 0)
** ld 0x1058300 Response Queue:
   Empty
  ld 0x1058300 response count 0
ldap_chkResponseList ld 0x1058300 msgid -1 all 0
ldap_chkResponseList returns ld 0x1058300 NULL
read1msg: ld 0x1058300 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1058300 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1058300 0 new referrals
read1msg:  mark request completed, ld 0x1058300 msgid 2
request done: ld 0x1058300 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
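A `-d 1` trace like the one above answers three separate questions, and they are easy to mix up when reading it by hand: did TLS verify the server certificate (the `TLS: certificate [...] is valid` line), what result code did the bind get (the `res_errno` after `message type bind`), and did the search return entries or only a `search-reference`. The following is an added example, not from this thread or from Nagios, that pulls those answers out of the trace and gives a one-line verdict. Both samples are constructed, shortened transcripts in the same line format as the real trace; the referral is wrapped LDIF-style exactly as ldapsearch prints it.

```python
"""Summarise an `ldapsearch -d 1` debug trace: did the TCP connect and TLS
verification succeed, did the bind succeed, and did the search return entries
or only referrals? Added example, not from this thread or from Nagios; both
samples are constructed, shortened transcripts in the real trace's format."""
import re

# Constructed: TLS and the bind succeed, the filter matches nothing, and the
# only thing that comes back is a referral to the DomainDnsZones partition.
SAMPLE_DEBUG = """\
ldap_url_parse_ext(ldaps://dc:636/??base)
ldap_connect_to_host: TCP dc:636
attempting to connect:
connect success
TLS: loaded CA certificate file /etc/openldap/cacerts.pem.
TLS: certificate [CN=dc.example.local] is valid
TLS certificate verification: subject: CN=dc.example.local, issuer: CN=Example Issuing CA,O=Example, cipher: AES-128, security level: high
read1msg: ld 0x1058300 msgid 1 message type bind
res_errno: 0, res_error: <>, res_matched: <>
put_filter: "(sAMAccountName=username)"
read1msg: ld 0x1058300 msgid 2 message type search-reference
# refldaps://DomainDnsZones.dc/DC=DomainDnsZones,DC
 =domain,DC=local
read1msg: ld 0x1058300 msgid 2 message type search-result
res_errno: 0, res_error: <>, res_matched: <>
"""

# Constructed: TLS fine, but the bind is rejected (LDAP result code 49).
SAMPLE_BAD_BIND = """\
connect success
TLS: certificate [CN=dc.example.local] is valid
read1msg: ld 0x1058300 msgid 1 message type bind
res_errno: 49, res_error: <constructed: invalid credentials>, res_matched: <>
"""

# Standard LDAP result codes (RFC 4511) a bind or search commonly ends with.
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials"}

MSG_TYPE_RE = re.compile(r"message type (\S+)")
RES_RE = re.compile(r"^res_errno: (\d+), res_error: <(.*?)>, res_matched")
ISSUER_RE = re.compile(r"^TLS certificate verification: subject: (.*?), issuer: (.*?), cipher:")
REF_RE = re.compile(r"^# ref(\S+)")

def unwrap_referrals(text):
    """ldapsearch wraps long referral URLs LDIF-style: a continuation line
    starts with a single space. Join those onto the preceding '# ref' line."""
    out = []
    for line in text.splitlines():
        if out and line.startswith(" ") and out[-1].startswith("# ref"):
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def summarize_ldap_debug(text):
    """Walk the trace once and record the outcome of each stage."""
    s = {"connected": False, "tls_verified": False, "tls_issuer": None,
         "bind": None, "search": None, "entries": 0, "referrals": []}
    current = None          # message type whose res_errno line comes next
    for line in unwrap_referrals(text):
        if line == "connect success":
            s["connected"] = True
        elif line.startswith("TLS: certificate [") and line.endswith("is valid"):
            s["tls_verified"] = True
        elif (m := ISSUER_RE.match(line)):
            s["tls_issuer"] = m.group(2)
        elif (m := MSG_TYPE_RE.search(line)):
            current = m.group(1)
            if current == "search-entry":
                s["entries"] += 1
        elif (m := REF_RE.match(line)):
            s["referrals"].append(m.group(1))
        elif (m := RES_RE.match(line)):
            code = int(m.group(1))
            result = {"code": code, "name": RESULT_CODES.get(code, "unknown"),
                      "error": m.group(2)}
            if current == "bind":
                s["bind"] = result
            elif current == "search-result":
                s["search"] = result
    return s

def diagnose(s):
    """One-line verdict, checked in the order the stages happen."""
    if not s["connected"]:
        return "no TCP connection to the LDAPS port"
    if not s["tls_verified"]:
        return "TLS did not verify the server certificate (check the CA bundle)"
    if s["bind"] is None:
        return "no bind result in trace"
    if s["bind"]["code"] != 0:
        b = s["bind"]
        return f"bind failed: {b['name']} ({b['code']}) {b['error']}".rstrip()
    return f"bind ok; search matched {s['entries']} entries, {len(s['referrals'])} referral(s)"

if __name__ == "__main__":
    for sample in (SAMPLE_DEBUG, SAMPLE_BAD_BIND):
        print(diagnose(summarize_ldap_debug(sample)))
```

Run it as `ldapsearch -x -d 1 ... 2>&1 | python3 ldap_trace.py` (name assumed) after changing the `__main__` block to read stdin. A `bind ok` verdict with zero entries means the credentials and the TLS trust are not the problem; the next thing to look at is the search base and filter, since a referral alone is what the DC returns when nothing under the base matched.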
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Active Directory Integration with SSL

Post by tgriep »

Could you run the following and post back the results?

nslookup kdcbchngoxi01
nmap <IP Address of your Domain Controller>
service iptables status
Be sure to check out our Knowledgebase for helpful articles and solutions!