Active Directory Authentication and LDAP binding
Hello, I'm trying to use the Active Directory Integration component to authenticate users from our domain controllers. We do not allow anonymous binds so we need to specify a username and password to bind with. There are no options for specifying this information within the component window. Can this be done on the back-end somehow?
(Nagios XI 2014R2.7)
Thanks.
Re: Active Directory Authentication and LDAP binding
This will get reverted on an upgrade of XI or the component, it's just a temporary workaround.
*** Make sure you have good backups / vm snapshots before making any backend code modifications!
Edit:
Code:
    /usr/local/nagiosxi/html/includes/components/active_directory/active_directory.inc.php
Change the code on line 388 from:
Code:
    $options = array(
        'account_suffix' => $account_suffix,
        'base_dn' => $base_dn,
        'domain_controllers' => $dc_array,
        'use_ssl' => $use_ssl,
        'use_tls' => $use_tls
    );
To:
Code:
    $options = array(
        'account_suffix' => $account_suffix,
        'base_dn' => $base_dn,
        'domain_controllers' => $dc_array,
        'use_ssl' => $use_ssl,
        'use_tls' => $use_tls,
        'admin_username' => 'YOURUSERNAME',
        'admin_password' => 'YOURPASSWORD'
    );
Then try it again and let me know if that works for you.
Thanks, I've made the changes, supplying our Bind DN and Bind Password, however authentication is not working. In which log on the Nagios XI system should I be looking for troubleshooting this?
Re: Active Directory Authentication and LDAP binding
Take a look at the Apache error log at /var/log/httpd/error_log to see if there are any errors.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Active Directory Authentication and LDAP binding
Initially, I was seeing the following when specifying TLS within the interface:
Code:
    [Fri Aug 14 10:01:21.626062 2015] [:error] [pid 8746] [client X.X.X.X:53154] PHP Warning: ldap_start_tls(): Unable to start TLS: Operations error in /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php on line 405, referer: https://XXXX/nagiosxi/login.php
After changing to SSL within the interface, authentication still fails but I see no errors in the Apache logs.
Re: Active Directory Authentication and LDAP binding
Let's enable debugging, edit this file:
Code:
    /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php
Add this code after line 402:
Code:
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
So it looks like this:
Code:
    ldap_set_option($this->_conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
Then run this tail command:
Code:
    tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Then try to login and post the full (sanitized) output.
Re: Active Directory Authentication and LDAP binding
After enabling debugging I see the following LDAP error which seems to indicate that the Bind failed:
Code:
    res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
I am specifying the admin_username in DN form as we do when binding via Apache (e.g. 'CN=User Name,CN=subgroup,dc=domain'). I have also tried specifying simply the username (e.g. 'username') but both result in the same error above. Should either work?
Re: Active Directory Authentication and LDAP binding
Have you tried username@fulldomainname?
drug wrote:
    After enabling debugging I see the following LDAP error which seems to indicate that the Bind failed:
    Code:
        res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
    I am specifying the admin_username in DN form as we do when binding via Apache (e.g. 'CN=User Name,CN=subgroup,dc=domain'). I have also tried specifying simply the username (e.g. 'username') but both result in the same error above. Should either work?
Former Nagios Employee.
Re: Active Directory Authentication and LDAP binding
The same error occurs whether I specify the BIND username in either DN or in <username@domain> notation.
Re: Active Directory Authentication and LDAP binding
The 52e error code means invalid credentials.
Woops, sorry about that, looks like I was looking at the wrong version of the adLDAP php class documentation, change the code from:
Code:
    $options = array(
        'account_suffix' => $account_suffix,
        'base_dn' => $base_dn,
        'domain_controllers' => $dc_array,
        'use_ssl' => $use_ssl,
        'use_tls' => $use_tls,
        'admin_username' => 'YOURUSERNAME',
        'admin_password' => 'YOURPASSWORD'
    );
To:
Code:
    $options = array(
        'account_suffix' => $account_suffix,
        'base_dn' => $base_dn,
        'domain_controllers' => $dc_array,
        'use_ssl' => $use_ssl,
        'use_tls' => $use_tls,
        'ad_username' => 'YOURUSERNAME',
        'ad_password' => 'YOURPASSWORD'
    );
For the user, just try it with the username (just 'ssax' not '[email protected]')
Then run the tail command again and test the functionality.
Also, I've created a feature request for this functionality to be added:
Code:
    NEW TASK ID 6312 created - Nagios XI Feature Request: AD/LDAP component should allow authentication to AD/LDAP server.
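As an added troubleshooting helper (not code from the thread, Nagios or adLDAP), this Python script reads Apache error_log lines of the shape posted above and decodes the `data` sub-code of an AD bind failure. It generalizes beyond the 52e case named in the reply to the other standard AD sub-codes; the log lines are constructed samples.

```python
import re

# Constructed sample error_log lines in the shape of those posted in the thread;
# host, PID, DSID and client values are placeholders, not real data.
SAMPLE_LOG = """\
[Fri Aug 14 10:01:21.626062 2015] [:error] [pid 8746] [client X.X.X.X:53154] PHP Warning: ldap_start_tls(): Unable to start TLS: Operations error in /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php on line 405
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1>, res_matched: <>
res_errno: 0, res_error: <>, res_matched: <>
"""

# Sub-codes Active Directory reports in the "data NNN" field of an LDAP result 49
# (invalidCredentials). Only 52e appears in the thread; the rest are the other standard ones.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind identity not in a form AD accepts)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_RE = re.compile(r"res_errno:\s*(\d+).*?AcceptSecurityContext error, data ([0-9a-f]{3})")


def explain_bind_error(line):
    """Return (res_errno, subcode, meaning) for an AD bind-failure line, else None."""
    m = BIND_RE.search(line)
    if not m:
        return None
    errno, sub = int(m.group(1)), m.group(2)
    return errno, sub, AD_BIND_SUBCODES.get(sub, "unknown AD sub-code")


def triage(log_text):
    """Collect (kind, message) findings from an error_log excerpt, one per relevant line."""
    findings = []
    for line in log_text.splitlines():
        if "ldap_start_tls()" in line and "Unable to start TLS" in line:
            # STARTTLS negotiation failed; in the thread this went away once the
            # component was switched from TLS to SSL (LDAPS).
            findings.append(("starttls", "ldap_start_tls() failed: check use_tls/use_ssl choice"))
            continue
        parsed = explain_bind_error(line)
        if parsed:
            findings.append(("bind", f"LDAP result {parsed[0]}, data {parsed[1]}: {parsed[2]}"))
    return findings
```

Feed it the output of the `tail -f` command from earlier in the thread to turn the raw `res_error` string into the reason the bind was rejected.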