Hello,
I've installed the latest Nagios XI 5.2.2 and am currently trying to configure Nagios XI to use LDAP to import users. I'm having issues with Nagios connecting to the LDAP servers that I'm trying to use and can't find and/or see logs pertaining to this issue.
I've looked in the below areas for logging info but with no luck. Is there some place I'm overlooking?
/var/log/messages
/usr/local/nagios/var
/usr/local/nagiosxi/var
Looking at this Nagios video https://www.youtube.com/watch?v=5c3W03XcqkY I see a field for User DN in the video where I don't see one when configuring the LDAP component, is that no longer needed? Does the Nagios XI server need to be on the same subnet as the LDAP servers though the port (389) is open and I'm able to telnet to it directly from Nagios server?
--Berto
LDAP / Active Directory Integration Configuration
Re: LDAP / Active Directory Integration Configuration
You should be able to connect to it in the software as long as you can connect to your LDAP server from your XI server. You should be able to set up an LDAP server in "LDAP/AD Integration" under "Users" in the Admin section. You'd fill out similar info there besides the full DN. You can then import users or create a user using the full DN when you are creating/editing a user by selecting the authentication server.
Here's a doc explaining the process for Active Directory - it's mostly the same for LDAP: https://assets.nagios.com/downloads/nag ... ios-XI.pdf
The video you were viewing is of the old component and shouldn't be available anymore (we are working on it) so that is why it looks different.
Re: LDAP / Active Directory Integration Configuration
Hello,
Sorry for the very late reply; I have been out of plant for a while. I've read the document provided and I'm still having issues trying to import users using LDAP. I verified with our LDAP admin that I have correctly filled in the values in the settings sections. I also verified that I can connect to the port on our LDAP server from the Nagios test server and when I try to authenticate it says 'unable to authenticate.: Could not connect to the LDAP server selected.'
Our LDAP server is inside our data center while our Nagios test server sits in an IP space outside of the data center. Not sure if that is the issue???
--Berto
Re: LDAP / Active Directory Integration Configuration
Just to verify - from the Nagios server, can you ping the LDAP server?
Former Nagios Employee
Re: LDAP / Active Directory Integration Configuration
Hello,
Yes I can ping the LDAP server. We use TLS so I ensured to use port 636, which when using telnet I can connect to on the LDAP server and port 389 is also open.
--Berto
Re: LDAP / Active Directory Integration Configuration
Try running an ldapsearch from the XI server to your LDAP server with the verbose option, this should give us some indication of what is happening:
Code:
yum install openldap-clients
ldapsearch -D "cn=directory manager" -w PASS -p 636 -h ldap.example.com -b "dc=example,dc=com" -s sub -x -ZZ "(objectclass=*)" -v
Let us know the full output.
Thank you
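The ldapsearch check suggested above, as an added example that is not part of the original post or of Nagios XI: it builds the probe for one transport at a time, since StartTLS (`-ZZ`, normally on 389) and LDAPS (`ldaps://`, normally on 636) are separate modes, and it prompts for the bind password with `-W`. The function names, host, DNs and CA path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: build a transport-correct ldapsearch probe for an LDAP auth server.
# Host names, DNs and the CA path below are constructed placeholders.

# ldap_uri MODE HOST [PORT] -> prints the URI for the chosen transport.
#   plain    : ldap://  on 389, no encryption
#   starttls : ldap://  on 389, upgraded with the StartTLS operation (-ZZ)
#   ldaps    : ldaps:// on 636, TLS from the first byte
ldap_uri() {
    local mode="$1" host="$2" port="${3:-}"
    case "$mode" in
        plain|starttls) printf 'ldap://%s:%s\n' "$host" "${port:-389}" ;;
        ldaps)          printf 'ldaps://%s:%s\n' "$host" "${port:-636}" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# ldap_probe_cmd MODE HOST BIND_DN BASE_DN [PORT] -> prints the ldapsearch command.
# Refuses the two mismatches on the standard ports: a StartTLS request sent to an
# LDAPS listener, or a TLS handshake sent to the plain listener, fails to connect
# even though the TCP port answers a telnet test.
ldap_probe_cmd() {
    local mode="$1" host="$2" bind_dn="$3" base_dn="$4" port="${5:-}"
    local uri tls_flag=""
    if [ "$mode" = starttls ] && [ "$port" = 636 ]; then
        echo "StartTLS (-ZZ) belongs on the plain LDAP port, not 636" >&2; return 1
    fi
    if [ "$mode" = ldaps ] && [ "$port" = 389 ]; then
        echo "ldaps:// expects a TLS listener, not port 389" >&2; return 1
    fi
    uri=$(ldap_uri "$mode" "$host" "$port") || return
    if [ "$mode" = starttls ]; then tls_flag=" -ZZ"; fi
    # -W prompts for the bind password instead of exposing it in argv and history.
    # -s base reads only the base entry, which is enough to prove transport + bind.
    printf 'ldapsearch -H %s%s -x -D "%s" -W -b "%s" -s base -v "(objectclass=*)"\n' \
        "$uri" "$tls_flag" "$bind_dn" "$base_dn"
}

# Usage (constructed values): print the command, review it, then run it.
#   ldap_probe_cmd ldaps ldap.example.com 'cn=directory manager' 'dc=example,dc=com'
# For either TLS mode the OpenLDAP client must trust the issuing CA, e.g.:
#   export LDAPTLS_CACERT=/path/to/ca.pem
# For ldaps, the handshake and verify result can be inspected separately with:
#   openssl s_client -connect ldap.example.com:636 -CAfile /path/to/ca.pem </dev/null
```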
Re: LDAP / Active Directory Integration Configuration
Hello,
Sorry for a very late reply. Was pulled into other projects at work and had to place this on the side. I can run an ldapsearch command just fine on the Nagios server and I'm also one of our LDAP Directory Administrators and would think my credentials would be sufficient.
Here is the output command of an ldapsearch done on my own username
# extended LDIF
#
# LDAPv3
# base <uid=abeltr01,ou=People,dc=xxx,dc=xxxx,dc=xxx> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# abeltr01, People, xxxxx.com
dn: uid=abeltr01,ou=People,dc=xxx,dc=xxxx,dc=xxx
loginShell: /bin/tcsh
shadowLastChange: xxxxx
SolarisAttrKeyValue: defaultpriv=basic,dtrace_proc,dtrace_user;type=normal
homeDirectory: /home/abeltr01
gecos: Berto Beltran
gidNumber: xxx
uidNumber: xxxxx
cn: abeltr01
uid: abeltr01
objectClass: shadowAccount
objectClass: posixAccount
objectClass: account
objectClass: top
objectClass: SolarisUserAttr
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Re: LDAP / Active Directory Integration Configuration
First make sure that you have the old LDAP component disabled (Admin > Manage Components > LDAP Authentication > Settings).
Then PM me a screenshot of your LDAP server setup in XI (you can blur out information if necessary) so that I can make sure it is set up properly.
Also, since you're using TLS have you imported the CA certificate?
Re: LDAP / Active Directory Integration Configuration
When I navigate to Admin > Manage Components > LDAP Authentication > Settings it just takes me to the LDAP/AD integration configuration page; is that correct? I thought we were using TLS but when our LDAP admin tried helping me to configure Nagios he said we aren't and are using the default port of 389.
Re: LDAP / Active Directory Integration Configuration
Check out this document for instructions on setting up TLS with LDAP. It looks like you are NOT using TLS currently.
https://assets.nagios.com/downloads/nag ... ponent.pdf
Moving forward, is TLS what you want to use?
Former Nagios Employee