Using LDAPs to authenticate

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
chicjo01
Posts: 194
Joined: Tue Jul 28, 2015 2:52 pm

Re: Using LDAPs to authenticate

Post by chicjo01 »

If I am not using SSL, it works fine which is how I loaded in the users.

So am I supposed to use the Active Directory type or the LDAP type?
tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
==> /var/log/httpd/error_log <==
[Mon Jun 06 13:34:44.445324 2016] [:error] [pid 100677] [client xxx.xxx.xxx.xxx:60686] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://<Nagios Server>/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Using LDAPs to authenticate

Post by ssax »

If it is an AD server you are querying then select Active Directory.

Edit this file:

/usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php

On line 714 change this:

$this->ldapBind = ldap_bind($this->ldapConnection, $username . $this->accountSuffix, $password);

To this:

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$this->ldapBind = ldap_bind($this->ldapConnection, $username . $this->accountSuffix, $password);

Then start a tail on the Apache logs:

tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log

Then try to import with SSL selected; it should give us some very verbose output that we can debug. Please PM or paste the sanitized content here.


Thank you
chicjo01
Posts: 194
Joined: Tue Jul 28, 2015 2:52 pm

Re: Using LDAPs to authenticate

Post by chicjo01 »

I figured out what was missing, below are the steps I took to get it to work. This issue can be closed out. Thank you.

Setup for LDAPs
  • Open Terminal as Root
    cd /etc/openldap/cacerts
    openssl s_client -showcerts -connect <ldaps server>:636 > ldapsrv1.crt
    vi ldapsrv1.crt
    • -- Delete all lines except the first:
      -----BEGIN CERTIFICATE-----
      <DATA>
      -----END CERTIFICATE-----
    telnet <ldaps server> 636
    openssl x509 -in ldapsrv1.crt -text > ldapsrv1.pem
    egrep 'Issuer:|Subject:' ldapsrv1.pem
    cat ldapsrv1.pem >> /etc/openldap/cacerts.pem
    ln -s ldapsrv1.pem `openssl x509 -noout -hash -in ldapsrv1.pem`.0 <--- Missing From Instructions
    vi /etc/openldap/ldap.conf
    • --- Change:
      URI ldaps://<ldaps server>/ <--- Missing From Instructions
      --- Add:
      TLS_CACERTDIR /etc/openldap/cacerts
      TLS_CACERT /etc/openldap/cacerts.pem
      TLS_REQCERT never <--- Missing From Instructions
    service httpd restart
Update the GUI Interface: <--- Missing From Instructions
  • Admin -> LDAP/AD Integration
    Edit LDAP/AD Authentication Servers
    Change Domain to <ldaps server>
    Change Security to SSL
    Click Save Server
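An added example, not chicjo01's code and not anything shipped with Nagios XI or OpenLDAP: it scripts the certificate trust-store steps from the post above (extract the PEM block from the s_client output, install it under its subject-hash name, then verify against the directory), assuming only the openssl command line. Its point is that once the certificate is findable in TLS_CACERTDIR, `openssl verify` succeeds and the `TLS_REQCERT never` line, which turns off server-certificate checking, is not needed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nagios XI: the certificate
# trust-store steps from the post above, done in a way that lets TLS_REQCERT
# stay at its verifying default instead of "never". Assumes the openssl CLI.
set -eu

# Keep only the first PEM block from `openssl s_client -showcerts` output,
# i.e. the "delete all lines except the certificate" step done mechanically.
extract_first_cert() {   # $1 = raw s_client output, $2 = output PEM file
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '/-----END CERTIFICATE-----/q' > "$2"
    grep -q 'BEGIN CERTIFICATE' "$2"   # fail if no certificate was found
}

# Install a PEM certificate into a TLS_CACERTDIR directory under its OpenSSL
# subject-hash name (the `ln -s ... $(openssl x509 -hash).0` step the
# original instructions left out); prints the path of the created link.
install_ca_cert() {      # $1 = cert.pem, $2 = CA directory
    h=$(openssl x509 -noout -hash -in "$1")
    cp "$1" "$2/$h.pem"
    ln -sf "$h.pem" "$2/$h.0"
    echo "$2/$h.0"
}

# Check that a certificate chains to something trusted in the CA directory,
# which is the check the LDAP client performs when TLS_REQCERT is left at demand.
verify_against_cadir() { # $1 = cert.pem, $2 = CA directory
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Offline demo: a constructed self-signed certificate stands in for the LDAPS
# server, wrapped in the banner lines s_client prints around it.
demo() {
    w=$(mktemp -d)
    mkdir -p "$w/cacerts"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=ldapsrv1.example' \
        -keyout "$w/key.pem" -out "$w/server.pem" 2>/dev/null
    { echo 'CONNECTED(00000003)'; cat "$w/server.pem"; echo '---'; } > "$w/s_client.out"
    extract_first_cert "$w/s_client.out" "$w/ldapsrv1.pem"
    install_ca_cert "$w/ldapsrv1.pem" "$w/cacerts" >/dev/null
    verify_against_cadir "$w/ldapsrv1.pem" "$w/cacerts"   # exit status 0 = trusted
    rm -rf "$w"
}
```

Against a real server, feed the functions the saved `openssl s_client -showcerts` output and your /etc/openldap/cacerts directory; for a CA-issued server certificate, install the issuing CA's certificate rather than the leaf.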
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Using LDAPs to authenticate

Post by ssax »

Thank you for posting your solution, I'm sure others will find it helpful. Locking and marking as resolved.