LDAP bind options?

Locked
phobbs
Posts: 7
Joined: Tue Oct 29, 2013 12:19 pm

Post by phobbs »

I just upgraded to the latest version 5.2.0 and I'm having some trouble with the new LDAP authentication mechanism.
Previously we've been using the Active Directory Integration component (v 0.3) without issue to authenticate through an LDAP server. After I create a user account in Nagios that matches the LDAP account name, the user can log in.

I'm trying to match that configuration in the new LDAP/AD Integration screen, but I'm running into some issues.
I've created an entry for a new auth server. Type is LDAP, same base DN and LDAP host as I had with the old AD component, port 389, no security (for now).

When I try to import users using that server (with valid credentials), I get an "Unable to authenticate" warning.
I started up Wireshark to see what's happening, and it seems to be binding to the LDAP server as "CN=my_username,o=my_org", and getting a noSuchObject response.
The AD component works because it's binding as "uid=my_username,o=my_org".

Can we have an option to pick between CN or uid for the bind?

I found the bind command in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php on line 60:
$dn = 'CN='.$dn.','.$this->baseDn;

If I change CN to uid, the bind works. Zero results returned, but I'm only worrying about one thing at a time...
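
The line quoted in the post above hard-codes CN as the naming attribute and concatenates the login name straight into the DN. As an added example (not Nagios XI code and not written by any poster in this thread), here is one way to make the attribute selectable between cn and uid while escaping the login name per RFC 4514. The function names, the allow-list and the sample values are assumptions.

```php
<?php
// Added example, not Nagios XI code. All names here are hypothetical.

/** Escape a value for use inside an RDN (RFC 4514), using \XX hex pairs. */
function escapeRdnValue(string $value): string
{
    // Characters that would alter the DN structure if left raw (NUL included).
    $out = preg_replace_callback(
        '/[,+"\\\\<>;=\x00]/',
        fn(array $m): string => sprintf('\\%02x', ord($m[0])),
        $value
    );
    // A leading '#' or space and a trailing space are significant as well.
    if ($out !== '' && ($out[0] === '#' || $out[0] === ' ')) {
        $out = sprintf('\\%02x', ord($out[0])) . substr($out, 1);
    }
    if ($out !== '' && substr($out, -1) === ' ') {
        $out = substr($out, 0, -1) . '\\20';
    }
    return $out;
}

/** Build the bind DN from a login name, a base DN and a configurable naming attribute. */
function buildBindDn(string $username, string $baseDn, string $namingAttr = 'cn'): string
{
    // Assumed allow-list: the two attributes discussed in this thread.
    $allowed = ['cn', 'uid'];
    $attr = strtolower($namingAttr);
    if (!in_array($attr, $allowed, true)) {
        throw new InvalidArgumentException("Unsupported naming attribute: $namingAttr");
    }
    if ($username === '') {
        throw new InvalidArgumentException('Empty username');
    }
    return $attr . '=' . escapeRdnValue($username) . ',' . $baseDn;
}

// Constructed sample input, reusing the placeholder values from the post.
echo buildBindDn('my_username', 'o=my_org', 'uid'), PHP_EOL; // directory keyed on uid
echo buildBindDn('my_username', 'o=my_org'), PHP_EOL;        // default cn
// A login name containing DN metacharacters stays inside a single RDN value.
echo buildBindDn('x,ou=admins', 'o=my_org', 'uid'), PHP_EOL;
```

With the PHP LDAP extension loaded, the built-in `ldap_escape($value, '', LDAP_ESCAPE_DN)` can take the place of the hand-written escaper.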
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: LDAP bind options?

Post by jdalrymple »

I'm not sure what the right answer is here. From what I read we're supposed to be using CN instead of UID, although I suppose there is some question of opinion there.

The question is, what is your CN, and can you just use that? Maybe "cn=first last,ou=users,dc=example,dc=com"
phobbs
Posts: 7
Joined: Tue Oct 29, 2013 12:19 pm

Re: LDAP bind options?

Post by phobbs »

I talked to our LDAP/AD admin, and to use LDAP we definitely need to bind with the uid.
The good news is that since we run both LDAP and AD, I was able to authenticate against Active Directory once he gave me the proper base DN and server addresses to use. So I still think LDAP auth may have some issues, but it's no longer a problem for me.
Thanks
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: LDAP bind options?

Post by rkennedy »

Nice to see that you were able to get this figured out. Do you need more assistance or am I good to close this thread?
Former Nagios Employee